sudo apt-get install oathtool libpam-oath
Generate a random secret (30 hex characters, i.e. 15 bytes; the entropy comes from /dev/urandom, md5sum only serves as a hex encoder here).
export HEX_SECRET=$(head -10 /dev/urandom | md5sum | cut -b 1-30)
Print the secret in base32 together with the current TOTP (6 digits, the oathtool default) so you can cross-check the phone later.
oathtool --verbose --totp $HEX_SECRET
Enter the value shown on the "Base32 secret" line into Android FreeOTP (TOTP, 30 seconds, 6 digits).
Create and populate the /etc/security/users.oath file. The fields are: token type and time step (HOTP/T30 = time-based, 30-second step, default 6 digits), user name, PIN ("-" means no PIN), and the secret in hex.
sudo bash -c "echo HOTP/T30 $USER - $HEX_SECRET >> /etc/security/users.oath"
sudo chmod 0600 /etc/security/users.oath
The file holds shared secrets, so it must be owned by root and readable by nobody else; pam_oath also rewrites it to record the last used counter.
Forget the secret!
unset HEX_SECRET
Add this as the first line of /etc/pam.d/sshd (window=10 accepts codes up to 10 time steps, i.e. 5 minutes, away from the server clock; keep the clock NTP-synced):
auth sufficient pam_oath.so usersfile=/etc/security/users.oath window=10 digits=6
Note that "sufficient" means a correct OTP alone satisfies the auth stack and the password prompt is never reached. If you want password and OTP, use "required" instead, so that the rest of the stack still runs.
Enable challenge-response authentication in sshd (UsePAM yes must also be set, which is the Ubuntu default; on newer OpenSSH the option is called KbdInteractiveAuthentication) and restart.
sudo sed -Ei -e 's/(ChallengeResponseAuthentication) no/\1 yes/' /etc/ssh/sshd_config
sudo service ssh restart
Keep your existing session open until the test below succeeds, so a mistake does not lock you out.
Test with
ssh localhost
You should see:
One-time password (OATH) for `USER':
To skip the OTP for some users, put this line directly above the pam_oath line in /etc/pam.d/sshd; success=1 jumps over the next module (pam_oath) for the listed users (colon-separated) and does nothing for everyone else:
auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2