Two-factor SSH using oathtool on Ubuntu 18.04July 16, 2018
Last modified June 20, 2019
I’ve been using the Google Authenticator PAM Module for years. It works great, and is easy to set up. But, I generally try to stay away from all things Google, so I wanted to set up two-factor ssh using something else.
After a bit of googling (…), I found OATH Toolkit. Reading their documentation, it seems rather easy to set up. Also, this blog has a nice TL;DR of the setup. I’ve pretty much followed that, and added a few bits.
# Install oathtool. sudo apt install oathtool libpam-oath export HEX_SECRET=$(head -15 /dev/urandom | sha1sum | cut -b 1-30) oathtool --verbose --totp $HEX_SECRET --digits=8 # Type in the Base32-secret on your phone sudo touch /etc/users.oath sudo chmod 0600 /etc/users.oath # Running subshell so we can send output to file with sudo-permissions sudo /bin/bash -c "echo HOTP/T30 $USER - $HEX_SECRET \ >> /etc/users.oath" # Unset your secret unset HEX_SECRET
Setting up an access-list for two-factor
Now, I want to be able to define who I require two-factor for, and from where I require it. I have a couple of hosts that I trust, where I can log in from in case I lose my two-factor.
/etc/security/login_token.conf. My file has the following contents:
# Do not require two-factor from here: + : dennis : 18.104.22.168/24 # lolnope don't need two-factor at all + : lolnope : ALL # Demand two-factor from everywhere and everyone else - : ALL : ALL
man 5 access.conf for details on the format
Add the following to the top of /etc/pam.d/sshd:
# Exceptions from two-factor auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/login_token.conf # Two-factor auth required pam_oath.so usersfile=/etc/users.oath
Now all we need to do is to enable two-facor in
/etc/ssh/sshd_config. Now we can
ssh, and test it!
This is what it should look like when logging in:
$ # I use ssh-keys, do I need to auth without them $ ssh -o PubkeyAuthentication=no dennis@host One-time password (OATH) for `dennis': Password:
And, when logging in from one of the hosts I’ve defined in
/etc/security/login_token.conf, I’m not asked about the OTP!