Remote login secured with 2FA: TOTP.
There are two steps involved in setting up 2FA TOTP with OpenSSH:
- system preparation
- user setup
Let’s do it, then:
1) System Preparation
Install libpam-google-authenticator (NB: the name is a bit of a misnomer; the module implements standard TOTP (RFC 6238) and HOTP (RFC 4226), and any compatible authenticator app works, not only Google Authenticator):
~# apt install libpam-google-authenticator
Have a look at /usr/share/doc/libpam-google-authenticator/README.md.gz, then add the pam_google_authenticator line at an appropriate place in /etc/pam.d/sshd. The top of the file, with the new auth line added, looks like this:
@include common-auth
account required pam_nologin.so
# account required pam_access.so
auth required pam_google_authenticator.so no_increment_hotp #nullok
no_increment_hotp only matters in HOTP (counter) mode, where it stops a failed attempt from advancing the counter; with TOTP it is harmless but has no effect. One might append nullok (the option is spelled nullok, not null_ok) to the pam_google_authenticator line. That way, any user without a ~/.google_authenticator file may continue to log in without 2FA. Keep in mind that this also means an attacker who knows the password of a not-yet-enrolled account gets in with no second factor at all, so treat nullok as a migration aid and drop it once every user is enrolled.
Hint: any TOTP app that follows RFC 6238 works with this module, not only Google Authenticator; andOTP, for instance, works a treat.
In /etc/ssh/sshd_config, enable keyboard-interactive (PAM) authentication. The directive is called ChallengeResponseAuthentication on older releases and KbdInteractiveAuthentication since OpenSSH 8.7 (the old name is still accepted as an alias); change it to yes:
ChallengeResponseAuthentication yes
UsePAM yes must be set as well (it is the Debian default). Be aware that when public key authentication is enabled and succeeds, sshd never runs the PAM auth stack, so a key holder is never asked for the TOTP code; to require the second factor for key logins too, set AuthenticationMethods publickey,keyboard-interactive. Validate the file with sshd -t before restarting the daemon, and keep an existing session open while you do so.
Note: In some cases it may be possible, or even required, to leave /etc/ssh/sshd_config alone and instead use the try_first_pass / use_first_pass / forward_pass options of the pam_google_authenticator module together with another authentication module. One such case arises when the authenticating client can only send a single password: with forward_pass the user enters the password and the TOTP code in one go, and the module passes the password part on to the next module. Again, have a look at /usr/share/doc/libpam-google-authenticator/README.md.gz .
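Putting the sshd_config side together, as an added example that is not from the page (a Debian-style sshd_config with UsePAM and PubkeyAuthentication at their defaults is assumed): the setting that lets a key holder skip the PAM stack, beside the corrected one.

```sshd_config
# /etc/ssh/sshd_config (assumed Debian layout; added example, not the page's own config)
UsePAM yes
# OpenSSH >= 8.7 name; on older releases write "ChallengeResponseAuthentication yes"
KbdInteractiveAuthentication yes

# Weak: with only this, a successful public key login never enters the PAM auth
# stack, so pam_google_authenticator is never consulted for key holders.
PubkeyAuthentication yes

# Corrected: a key AND the PAM keyboard-interactive stack (Unix password plus
# TOTP, as /etc/pam.d/sshd is configured above) are both required.
AuthenticationMethods publickey,keyboard-interactive
```

If you would rather have key plus TOTP without the Unix password, comment out the @include common-auth line in /etc/pam.d/sshd; AuthenticationMethods still guarantees that the key is checked first, so a TOTP code alone is never sufficient. Run sshd -t after editing and test from a second session before closing the one you are in.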
2) User Setup
We need to call google-authenticator(1) to set up the user side. It is worth specifying an issuer and a label, so that the entry is easy to distinguish from others in your 2FA app (e.g. andOTP); both end up in the otpauth:// URI encoded in the QR-code. We are deploying time based (TOTP) 2FA, hence the -t option; -r 3 -R 30 allows at most three attempts per 30 seconds, and -W keeps the window of concurrently valid codes minimal instead of widening it to compensate for clock skew:
~$ google-authenticator -t -r 3 -R 30 -W -l "$(cat /etc/hostname)" -i "<OID>"
google-authenticator(1) may ask a couple of questions (those not already answered by the options) and finally prints the user's secret, a verification code, the emergency scratch codes and a huge ASCII-art QR-code on the console. The configuration is saved to ~/.google_authenticator, which must be owned by the user and readable by nobody else; the module refuses a file that is group or world readable. The first line of the file holds the base32 secret, option lines are prefixed with a double quote, and the unused scratch codes follow. A recommended configuration includes these option lines:
" RATE_LIMIT 3 30 1584291708
" DISALLOW_REUSE 52809723
" TOTP_AUTH
RATE_LIMIT 3 30 allows three attempts per 30 seconds; the numbers the module appends are timestamps of recent attempts. DISALLOW_REUSE makes every code single use; the number appended after a successful login is the 30-second time step that has been consumed.
Scan the QR-code with your 2FA app and note down the additional login tokens, such as:
Your new secret key is: ASDFASDFADFASDFASDFASDFASDF
Your verification code is 123456
Your emergency scratch codes are:
  123457
  […]
Store the scratch codes somewhere safe and offline: each one works exactly once and is removed from ~/.google_authenticator when used.
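To see what the module actually checks against that file, here is an added example (not code from the page or from the libpam-google-authenticator project) in Python: an RFC 4226/6238 HOTP/TOTP implementation plus a small verifier that parses a ~/.google_authenticator style file and applies the three checks the recommended options turn on: a skew window, DISALLOW_REUSE and RATE_LIMIT. The secret, scratch codes and timestamps in it are constructed for the demo; the order of the checks and the window size are this example's choices.

```python
# Added example, not code from the page or from the libpam-google-authenticator
# project: an RFC 4226/6238 TOTP verifier that reads a ~/.google_authenticator
# style file (the layout described on the page) and applies the checks the
# page's recommended options turn on: a small skew window, DISALLOW_REUSE and
# RATE_LIMIT. Secret, scratch codes and timestamps below are constructed.
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step, the TOTP default the module uses


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, now // step, digits)


# Constructed ~/.google_authenticator: base32 secret on the first line,
# option lines prefixed with a double quote, unused scratch codes last.
SAMPLE_SECRET_FILE = """JBSWY3DPEHPK3PXP
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""


class SecretFile:
    """One user's parsed secret file; verify() updates it the way the module would."""

    def __init__(self, text: str, window: int = 1):
        lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
        self.key = base64.b32decode(lines[0])
        self.window = window          # accept +-window steps around now (example choice)
        self.totp = False
        self.used_steps = None        # DISALLOW_REUSE: set of consumed time steps
        self.rate = None              # RATE_LIMIT: [max attempts, seconds, stamps]
        self.scratch = set()
        for line in lines[1:]:
            if not line.startswith('"'):
                self.scratch.add(line)
                continue
            fields = line[1:].split()
            if fields[0] == "TOTP_AUTH":
                self.totp = True
            elif fields[0] == "DISALLOW_REUSE":
                self.used_steps = {int(x) for x in fields[1:]}
            elif fields[0] == "RATE_LIMIT":
                self.rate = [int(fields[1]), int(fields[2]),
                             [int(x) for x in fields[3:]]]
        if not self.totp:
            raise ValueError("only TOTP_AUTH files are handled here")

    def verify(self, code: str, now: int) -> bool:
        code = code.strip()
        if not code.isdigit():
            return False
        # 1. rate limit: every attempt counts, successful or not
        if self.rate is not None:
            limit, seconds, stamps = self.rate
            stamps[:] = [t for t in stamps if t > now - seconds]
            if len(stamps) >= limit:
                return False
            stamps.append(now)
        # 2. emergency scratch codes work exactly once
        if code in self.scratch:
            self.scratch.discard(code)
            return True
        # 3. TOTP within the skew window; with DISALLOW_REUSE each step is single use
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(totp(self.key, step * STEP), code):
                if self.used_steps is not None:
                    if step in self.used_steps:
                        return False
                    self.used_steps.add(step)
                return True
        return False
```

hotp() and totp() can be checked against the published RFC 4226 and RFC 6238 test vectors (key "12345678901234567890"), and SecretFile shows the two effects that are easy to misjudge in production: a replayed code is rejected even though it is still inside the window, and the fourth attempt within 30 seconds is rejected before the code is even looked at, so a correct scratch code fails until the rate window has passed.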
Before logging out, open a second terminal and verify that a (remote) login with the new second factor works, keeping the existing session open as a fallback. Better safe than sorry.
Now we’re all set and good to go!