Michael Shriver Senior Computer Specialist - College of the Environment

2FA Configuration for SSH servers on macOS (TOTP)

brew install oath-toolkit

/etc/users.oath

# Option User Prefix Seed
HOTP/T30/6 user - SECRET_IN_HEXADECIMAL

then:

chmod 600 /etc/users.oath
chown root /etc/users.oath
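A small added check, not part of the original note, that a practitioner can use to confirm the seed in /etc/users.oath produces the same codes as the enrolled authenticator app. HOTP/T30/6 is RFC 6238 TOTP with a 30-second step, six digits and HMAC-SHA1, so the functions below implement exactly that from the standard library. The seed used is the RFC 6238 reference secret (constructed for illustration; generate your own with generate_seed and never reuse this one), and the function names, the otpauth URI helper and the window_steps tolerance in verify_totp are this example's own illustration of why pam_oath's window parameter matters, not a restatement of pam_oath's internal accounting.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed seed: the RFC 6238 reference secret, i.e. the ASCII string
# "12345678901234567890" written as hexadecimal. For illustration only.
EXAMPLE_SEED_HEX = "3132333435363738393031323334353637383930"
STEP_SECONDS = 30   # the "T30" in HOTP/T30/6
DIGITS = 6          # the "6" in HOTP/T30/6


def generate_seed() -> str:
    """Fresh 160-bit seed (20 random bytes) in the hex form users.oath expects."""
    return secrets.token_hex(20)


def hotp(seed_hex: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a zero-padded decimal code."""
    key = bytes.fromhex(seed_hex)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_hex: str, unix_time: Optional[int] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(seed_hex, unix_time // step, digits)


def verify_totp(seed_hex: str, code: str, unix_time: int,
                window_steps: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept a code from any step within +/- window_steps of the current one.
    A tolerance of zero rejects clients whose clock drifts by even a few seconds;
    a large tolerance widens the interval during which a captured code is valid."""
    current = unix_time // step
    candidates = range(current - window_steps, current + window_steps + 1)
    # compare_digest avoids leaking which candidate matched via timing
    return any(hmac.compare_digest(hotp(seed_hex, c), code) for c in candidates)


def enrollment_secret(seed_hex: str) -> str:
    """Authenticator apps take the seed as base32 (no padding), not hex."""
    return base64.b32encode(bytes.fromhex(seed_hex)).decode("ascii").rstrip("=")


def otpauth_uri(user: str, host: str, seed_hex: str) -> str:
    """otpauth URI matching HOTP/T30/6, suitable for encoding as an enrollment QR code."""
    return (f"otpauth://totp/{host}:{user}?secret={enrollment_secret(seed_hex)}"
            f"&issuer={host}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def users_oath_line(user: str, seed_hex: str) -> str:
    """One entry in the /etc/users.oath format shown above (Option User Prefix Seed)."""
    return f"HOTP/T30/6 {user} - {seed_hex}"


if __name__ == "__main__":
    seed = generate_seed()
    print(users_oath_line("user", seed))          # append to /etc/users.oath (mode 600, owner root)
    print(otpauth_uri("user", "ssh.example.com", seed))  # enroll the app from this
    print("code right now:", totp(seed))          # must match what the app displays
```

Run it once with a fresh seed, add the printed users.oath line, enroll the app from the URI, and compare the printed code with the app before relying on the PAM change: a mismatch at this point is almost always a hex-versus-base32 mix-up or clock skew, which is cheaper to find here than through a failed SSH login.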

/etc/pam.d/sshd

# sshd: auth account password session
auth       optional       pam_krb5.so use_kcminit
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass

# The following line enables 2FA using pam_oath.
# Note the full path required to load the pam_oath.so module
auth       required       /usr/local/lib/security/pam_oath.so usersfile=/etc/users.oath window=30 digits=6

account    required       pam_nologin.so
account    required       pam_sacl.so sacl_service=ssh
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    optional       pam_mount.so

This will require a TOTP code for password authentication, but sshd will prompt for the TOTP code only after the password has been entered.

Note that no modifications to sshd_config are necessary.