Remote login secured with 2FA: TOTP.

There are two steps involved in using 2FA TOTP with OpenSSH:

  1. system preparation
  2. user setup


Let’s do it, then:

1) System Preparation

Install libpam-google-authenticator (NB: the name is a bit of a misnomer; the module implements generic 2FA TOTP and works with authenticator apps other than Google Authenticator):

~# apt install libpam-google-authenticator

Have a look at /usr/share/doc/libpam-google-authenticator/README.md.gz and add the pam_google_authenticator line at an appropriate place in /etc/pam.d/sshd:

@include common-auth
account    required     pam_nologin.so
# account  required     pam_access.so
auth required pam_google_authenticator.so no_increment_hotp #nullok

One might append nullok to the pam_google_authenticator line. That way, any user who has not yet set up a google-authenticator configuration may continue to log in without 2FA.

Hint: instead of the Google Authenticator app, use an app called andOTP. Works a treat.

In /etc/ssh/sshd_config, change ChallengeResponseAuthentication to yes:

ChallengeResponseAuthentication yes

Note: In some cases it may be possible or even required to omit the change to /etc/ssh/sshd_config and instead use the try_first_pass / use_first_pass / forward_pass options of the pam_google_authenticator module together with another authentication module. One such case might arise if an authentication module is only able to ask for a single password. Again, have a look at /usr/share/doc/libpam-google-authenticator/README.md.gz.

2) User Setup

We need to call google-authenticator(1) to set up the user side. It can be helpful to specify an issuer and a label so that the entry is easy to tell apart from others in your 2FA app (e.g. andOTP). We’re about to deploy TOTP-based 2FA (hence the -t option):

~$ google-authenticator -t -r 3 -R 30 -W -l "$(cat /etc/hostname)" -i "<OID>"

google-authenticator(1) may ask a couple of questions and finally displays user-specific authentication tokens and a large ASCII-art QR code on the console. The configuration is saved to ~/.google_authenticator. A recommended configuration includes:

" RATE_LIMIT 3 30 1584291708
" DISALLOW_REUSE 52809723
" TOTP_AUTH

Scan the QR code with your 2FA app and note down the additional login tokens, such as:

Your new secret key is: ASDFASDFADFASDFASDFASDFASDF
Your verification code is 123456
Your emergency scratch codes are:
  123457
  […]

It would be wise to verify by logging in (remotely) from another terminal before logging out of the current session. Better safe than sorry.

Now we’re all set and good to go!