Michael Shriver Senior Computer Specialist - College of the Environment

2FA Configuration for SSH servers (TOTP)

Ensure that oathtool and pam_oath are installed on your system (the libpam-oath package on Debian) and edit the following files:

/etc/ssh/sshd_config

ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes

/etc/users.oath

# Option User Prefix Seed
HOTP/T30/6 user - SECRET_IN_HEXADECIMAL

then:

chmod 600 /etc/users.oath
chown root /etc/users.oath

/etc/security/access-local.conf

# Require 2FA when accessing remotely using a password
+ : ALL : 192.168.0.0/24
+ : ALL : LOCAL
- : ALL : ALL

/etc/pam.d/sshd

Add the following lines after the @include common-auth section:

# TOTP OATH for SSH logins
auth      [success=1 default=ignore]    pam_access.so accessfile=/etc/security/access-local.conf
auth      required      pam_oath.so usersfile=/etc/users.oath window=30 digits=6

This will require TOTP for password authentication, but will prompt for the TOTP code only after the password has been entered.
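As an added example (not part of the original page or of pam_oath itself), the following Python reads an entry in the /etc/users.oath format used above (HOTP/T30/6 user - SEED), computes RFC 6238 TOTP codes from the hex seed, and validates a submitted code with a time-step tolerance modelled on the window= option. The seed is the RFC 6238 test vector, the user name alice and the symmetric reading of window are assumptions of the example.

```python
import base64
import hashlib
import hmac
import struct

# Constructed seed: the RFC 6238 test-vector key ("12345678901234567890" as hex), not a real secret.
SEED_HEX = "3132333435363738393031323334353637383930"
# Same layout as the /etc/users.oath entry above (Option User Prefix Seed); "-" means no PIN prefix.
USERS_OATH_LINE = f"HOTP/T30/6 alice - {SEED_HEX}"


def parse_users_oath(line):
    """Return (user, step_seconds, digits, seed_hex) from a users.oath entry."""
    option, user, _prefix, seed_hex = line.split()
    fields = option.split("/")  # e.g. ["HOTP", "T30", "6"]
    step = int(fields[1][1:])  # "T30" -> 30-second time step (assumes the TOTP form)
    digits = int(fields[2]) if len(fields) > 2 else 6
    return user, step, digits, seed_hex


def hotp(seed_hex, counter, digits=6):
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(bytes.fromhex(seed_hex), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_hex, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the current time step."""
    return hotp(seed_hex, unix_time // step, digits)


def verify_code(line, submitted, unix_time, window=30):
    """Accept the code if it matches any step within +/- window steps of now.
    (window is modelled on pam_oath's window= option; this symmetric
    interpretation is an assumption of the example.)"""
    _user, step, digits, seed_hex = parse_users_oath(line)
    now_counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(seed_hex, now_counter + delta, digits), submitted)
        for delta in range(-window, window + 1) if now_counter + delta >= 0
    )


def seed_to_base32(seed_hex):
    """Authenticator apps enrol the same seed as base32, not hex."""
    return base64.b32encode(bytes.fromhex(seed_hex)).decode()
```

With the page's window=30 and 30-second steps, a code stays valid for 15 minutes on either side of the server clock, so keep window small and the server time synchronised.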