How To Set Up 2FA With TOTP For OpenSSH Servers

Robust authentication is essential for protecting sensitive systems, and Time-based One-Time Passwords (TOTP) are a popular and effective way to add it. In this article we set up TOTP for OpenSSH, the standard protocol for secure remote access. Integrating TOTP into your OpenSSH configuration adds a second authentication factor to every login, strengthening the server against unauthorized access. Follow the steps below to enable TOTP in your OpenSSH environment.

If you want to discuss the topic with other technology-minded people, join my Discord: https://discord.gg/YbSYGsQYES

Now we have an IRC channel as well: irc.libera.chat / #tomsitcafe

I use Google Authenticator on the server side on Debian Bookworm. On Red Hat based systems the process is different! I tested the solution with KeePassXC-generated TOTP tokens.

Server settings as root

Refresh the package database and install the required PAM module.

sudo apt update
sudo apt install libpam-google-authenticator

Caution: Modifying authentication configurations can result in unintended lockouts. Proceed at your own risk!

Before you start the configuration, back up your /etc/pam.d/sshd file!

cp /etc/pam.d/sshd /root/sshd.bak

Edit the /etc/pam.d/sshd file and add the following lines:

auth required pam_google_authenticator.so nullok
auth required pam_permit.so

The nullok parameter lets users who have not yet set up TOTP (no ~/.google_authenticator file in their home directory) keep logging in with their SSH keys and passwords alone. If you want to require TOTP for all users, remove the nullok parameter.

Also be careful with the pam_permit.so line: this module succeeds unconditionally. If you only allow users with TOTP authentication, remove this line from the configuration.

Also comment out the common authentication include in /etc/pam.d/sshd:

# @include common-auth

Save and close the file.

Open the /etc/ssh/sshd_config file and add the following lines:

KbdInteractiveAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive password

Please note that the “ChallengeResponseAuthentication” parameter in the /etc/ssh/sshd_config is deprecated since Debian Bookworm, and you should set “KbdInteractiveAuthentication” to yes instead.

Restart the SSH daemon for the changes to take effect. Keep your current root session open and test a fresh login from a second terminal before logging out, so you can restore the backed-up PAM file if authentication fails.

systemctl restart sshd.service

The OpenSSH server is ready for authenticating with TOTP.

Client settings as an ordinary user

To set up TOTP for your user account, run the following on the command line:

google-authenticator

Scan the QR code or enter the displayed secret key into your authenticator app, then answer the questions.

Finally, back up the ~/.google_authenticator file in your home directory!

You should now be able to use TOTP alongside your preferred authentication method.
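To show what the PAM module is checking when it prompts for a verification code, here is an added example (my own code, not part of the article or of libpam-google-authenticator): a reference TOTP verifier following RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), together with a parser for the ~/.google_authenticator layout that the google-authenticator command writes: the base32 secret on the first line, option lines starting with a double quote, then one emergency scratch code per line. The sample file content is constructed; its secret is the RFC 6238 test key, so the codes the RFC publishes apply to it. You can use the same functions to confirm that a code from KeePassXC or another app matches the server-side secret while you are still logged in.

```python
# Added example (not from the article): reference TOTP verifier (RFC 6238,
# HMAC-SHA1, 30 s step, 6 digits) and a parser for ~/.google_authenticator.
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6

# Constructed sample file content. The secret is the RFC 6238 test key
# "12345678901234567890" encoded in base32, so the RFC's published test
# vectors apply to it; the option values and scratch codes are made up.
SAMPLE_AUTHENTICATOR_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" TOTP_AUTH
11111111
22222222
"""


def parse_authenticator_file(text):
    """Split the file into (base32 secret, option strings, scratch codes)."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    secret_b32 = lines[0]
    options = [line[1:].strip() for line in lines[1:] if line.startswith('"')]
    scratch_codes = [line for line in lines[1:] if not line.startswith('"')]
    return secret_b32, options, scratch_codes


def decode_secret(secret_b32):
    """The file stores the secret without base32 padding; restore it before decoding."""
    cleaned = secret_b32.strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key, unix_time, step=STEP_SECONDS):
    """RFC 6238: HOTP with the counter derived from the Unix time."""
    return hotp(key, int(unix_time) // step)


def verify_totp(key, code, unix_time, window_steps=1, last_used_counter=None):
    """Accept a code from the current step or its neighbours (clock skew),
    refusing any counter at or below the last accepted one (replay).
    Returns the matched counter, or None when the code is rejected."""
    current = int(unix_time) // STEP_SECONDS
    for delta in range(-window_steps, window_steps + 1):
        counter = current + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(key, counter), code):
            return counter
    return None


def consume_scratch_code(scratch_codes, code):
    """Emergency scratch codes are single use: return (accepted, remaining codes)."""
    if code in scratch_codes:
        return True, [c for c in scratch_codes if c != code]
    return False, list(scratch_codes)


if __name__ == "__main__":
    secret_b32, options, scratch_codes = parse_authenticator_file(SAMPLE_AUTHENTICATOR_FILE)
    key = decode_secret(secret_b32)
    print("options:", options)
    print("current code for the sample secret:", totp(key, time.time()))
```

The window and replay logic mirrors what the WINDOW_SIZE option in the file controls: a larger window tolerates more clock skew between server and phone, at the cost of more codes being valid at any moment, and remembering the last accepted counter is what stops a captured code from being used twice.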
