## On server side ## (you can execute these via SSH as well)
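# Install the packages needed for TOTP: oathtool/libpam-oath (OATH), qrencode
# (QR output) and keyutils (keyctl, so that only a key id – never the secret
# itself – ends up in a shell variable).
sudo apt install -y oathtool libpam-oath qrencode keyutils

# Back up /etc/ssh/sshd_config, preserving mode and ownership. The existence
# check keeps a re-run of these steps from overwriting the pristine backup with
# an already modified config – the backup is what the "disable OTP" step
# restores later.
[ -e /etc/ssh/sshd_config~ ] || sudo cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config~

# Update the SSH daemon configuration in /etc/ssh/sshd_config.
sudo nano /etc/ssh/sshd_config
# Make sure these options are enabled: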
# /etc/ssh/sshd_config – options needed for the PAM-driven OTP prompt.
# ChallengeResponseAuthentication is the older name of
# KbdInteractiveAuthentication (renamed in OpenSSH 8.7); listing both covers
# either version.
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
# pam_oath is only consulted when sshd authenticates through PAM.
UsePAM yes
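# Generate a random secret for the current user and park it in the session
# keyring: only the key id lands in a shell variable (and in history), never
# the secret. 20 random bytes = 160-bit key (the length RFC 4226 recommends),
# hex-encoded with od so no extra tools are needed. `keyctl padd` reads the
# payload from stdin, so the secret is not on any command line either.
KEY_ID=$(head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n' | keyctl padd user hex_secret @s)

# Make sure /etc/users.oath exists root-owned with mode 0600 *before* the
# secret is appended; otherwise tee creates it with the default umask
# (typically world-readable) and the secret is exposed until the chmod below.
[ -e /etc/users.oath ] || sudo install -m 600 -o root -g root /dev/null /etc/users.oath

# Append the user's entry. Format: "HOTP/T30/6" = TOTP with a 30-second step
# and 6 digits, "-" = no PIN. The secret travels through the pipe (echo is a
# shell builtin), so it does not appear in any process argument list.
# Run this once per user: a second run appends a second line.
echo "HOTP/T30/6 $USER - $(keyctl pipe "$KEY_ID")" | sudo tee -a /etc/users.oath > /dev/null

# Belt and braces: the file must stay readable and writable only by root.
sudo chmod 600 /etc/users.oath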
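# Generate a QR code for the user's authenticator app.
TKNTITLE="Your token title here"

# In verbose mode oathtool prints a "Base32 secret: ..." line; base32 is the
# form authenticator apps expect. Note the hex secret is passed as an
# argument, so it is briefly visible in the process list to other local
# users – fine on a single-user box, less so on a shared host.
BASE32_SECRET=$(oathtool --verbose --totp --digits=6 "$(keyctl pipe "$KEY_ID")" | awk '/Base32/ {print $3}')

# otpauth:// is a URI: spaces in the label/issuer must be percent-encoded or
# some apps reject or mangle the entry (other reserved characters would need
# encoding too – keep the title to letters, digits and spaces). The quotes
# keep "&" and "?" away from the shell.
LABEL="${TKNTITLE// /%20}"
qrencode --type=ANSIUTF8 "otpauth://totp/$LABEL:$USER@$HOSTNAME?secret=$BASE32_SECRET&issuer=$LABEL&digits=6"
# Scan the QR code with your authenticator app. Once scanned, nothing below
# needs the secret any more: clear the screen (the QR may survive in terminal
# scrollback), drop the base32 copy and remove the key from the session
# keyring:   clear; unset BASE32_SECRET; keyctl unlink "$KEY_ID" @s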
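# Configure PAM to use pam_oath. Back the PAM file up first, as was done for
# sshd_config: restoring sshd_config alone later does NOT remove the PAM rule
# added here.
[ -e /etc/pam.d/sshd~ ] || sudo cp -p /etc/pam.d/sshd /etc/pam.d/sshd~
sudo nano /etc/pam.d/sshd
# Add the following two lines at the top of the file, before the
# "@include common-auth" line: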
# TOTPs config
# window=20 accepts codes up to 20 steps (20 x 30 s = 10 minutes) away from
# the current one, which is a wide replay/guessing window – reduce it to what
# your clock drift actually needs (a few steps). "requisite" aborts the stack
# on a wrong OTP before the password is asked, which tells a remote party
# which factor failed; "required" would still prompt for the password.
# NOTE(review): confirm the window semantics against the pam_oath documentation.
auth requisite pam_oath.so usersfile=/etc/users.oath window=20 digits=6
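# Validate the configuration, then restart the SSH service to apply the
# changes. Keep THIS session open and test a fresh login from a second
# terminal first: a broken sshd_config or PAM stack would otherwise lock you
# out with no way back in. Exit only after the new login has been verified.
sudo sshd -t && sudo service ssh restart
# At this point your user can log in via SSH using a dynamically generated
# OTP from the authenticator app.
# Note this won't apply to workstations that already use password-less (key)
# authentication, since the purpose of this guide is mostly to prevent
# brute-force password attacks.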
From now on you will have to enter an OTP (from the authenticator app) and then your user password; the SSH login prompt will look like:
(user@XX.XXX.X.XXX) One-time password (OATH) for `user':
(user@XX.XXX.X.XXX) Password:
# To disable OTP authentication: keep the new /etc/ssh/sshd_config as a backup, restore the original file and restart the SSH service
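# Keep the 2FA-enabled config aside, restore the original and reload sshd.
sudo cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config-2fa
sudo cp -p /etc/ssh/sshd_config~ /etc/ssh/sshd_config
sudo sshd -t && sudo service ssh restart
# This way you can switch back and forth if you need to.
# Caveat: this only restores sshd_config; the pam_oath rule stays in
# /etc/pam.d/sshd. If PasswordAuthentication is enabled, sshd's plain password
# method also runs through PAM and pam_oath may reject it (it receives the
# password where it expects an OTP), so password logins can break instead of
# reverting to password-only. Comment the pam_oath line out (or restore
# /etc/pam.d/sshd from a backup if you made one) as well, and verify from a
# second session before closing this one.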
# Finally, let's create password-less, key-based authentication for SSH from your workstation(s) as plan B.
## On client/workstation side ##
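# Create a new SSH key pair (Ed25519; -a 100 = KDF rounds protecting the
# private key's passphrase). Prefer a passphrase that is NOT your account
# password: the key file can be copied off the workstation, and a shared
# secret would then give up both the key and the account password at once.
# ssh-agent spares you re-typing it.
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519 -C "$USER@$HOSTNAME-$(date +%F)"

# Copy the public key to the server (replace <SERVER_NAME/IP>). This appends
# the key to ~/.ssh/authorized_keys on the server.
ssh-copy-id -i ~/.ssh/id_ed25519.pub "$USER@<SERVER_NAME/IP>"

# To revoke password-less access for this server, on the server remove this
# key's line (match on its "$USER@$HOSTNAME-<date>" comment) from
# ~/.ssh/authorized_keys. Deleting the whole file, as below, removes EVERY
# authorised key, not just this workstation's:
rm ~/.ssh/authorized_keys

# Now you can connect with "ssh <SERVER_NAME/IP>" and won't be asked for a
# password or even a 2FA; this is simply to avoid having to use the
# authenticator app every time from your own trusted workstations, or, in the
# worst case, if for any reason you can't use your phone or USB key at the
# moment. You can have as many client/workstation keys as you want, just make
# sure your username stays the same.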
Tested with Devuan 6 (Excalibur) but it should work the same with previous versions.