Michael Shriver Senior Computer Specialist - College of the Environment

2FA Configuration for SSH servers on FreeBSD (TOTP)

pkg install oath-toolkit

/etc/ssh/sshd_config

ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes

/usr/local/etc/users.oath

# Option User Prefix Seed
HOTP/T30/6 user - SECRET_IN_HEXADECIMAL

then:

chmod 600 /usr/local/etc/users.oath
chown root /usr/local/etc/users.oath

/etc/pam.d/sshd

Add the following lines after the @include common-auth section:

# TOTP OATH for SSH logins
auth            required        /usr/local/lib/security/pam_oath.so usersfile=/usr/local/etc/users.oath

This requires a TOTP code for password logins: sshd prompts for the password first and then for the TOTP code.
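To check a users.oath entry before relying on it for logins, here is an added example (not part of the original notes or of oath-toolkit): it parses the HOTP/T30/6 line format shown above, computes the RFC 6238 code that pam_oath would expect for that user at a given time, and prints the base32 form of the hex seed, which is what authenticator apps take at enrollment. The sample seed is the RFC 6238 test-vector key, constructed here so the results can be compared against the published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample in the users.oath format: type, user, PIN ("-" = none), hex seed.
# The seed is the RFC 6238 test-vector key (ASCII "12345678901234567890").
SAMPLE_USERS_OATH = "# Option User Prefix Seed\nHOTP/T30/6 user - 3132333435363738393031323334353637383930\n"


def parse_users_oath(text):
    """Return a list of (user, step_seconds, digits, seed_bytes) for each TOTP entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        option, user, _pin, seed_hex = line.split()[:4]
        # "HOTP/T30/6" means time-based HOTP (TOTP), 30-second step, 6 digits.
        parts = option.split("/")
        if parts[0] != "HOTP" or len(parts) < 2 or not parts[1].startswith("T"):
            raise ValueError("only HOTP/T<step>/<digits> (TOTP) entries are handled: " + option)
        step = int(parts[1][1:])
        digits = int(parts[2]) if len(parts) > 2 else 6
        entries.append((user, step, digits, bytes.fromhex(seed_hex)))
    return entries


def totp(seed, step=30, digits=6, at=None):
    """RFC 6238 TOTP with HMAC-SHA1, the algorithm behind pam_oath's HOTP/T<step>/<digits>."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def enrollment_secret(seed):
    """Base32 encoding of the hex seed, the form authenticator apps expect."""
    return base64.b32encode(seed).decode("ascii").rstrip("=")


def expected_codes(text, at=None):
    """Map each user in the file to the code valid at time `at` (default: now)."""
    return {u: totp(seed, step, digits, at) for u, step, digits, seed in parse_users_oath(text)}


if __name__ == "__main__":
    for user, step, digits, seed in parse_users_oath(SAMPLE_USERS_OATH):
        print(user, enrollment_secret(seed), totp(seed, step, digits))
```

Compare the printed code with what the enrolled app shows at the same moment; pam_oath also accepts a small window of adjacent time steps, so a mismatch of one step usually points at clock drift rather than a bad seed.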