SSH + TOTP – Two factor Authentication on SSH with OATH Time-based One-Time Passwords

Following the footsteps of this TechOrganic blog article but not wanting to require all the authentication factors, just the TOTP in addition to Password authentication, and also running into macOS’ System Integrity Protection, I found a way to get OTP working on OSX 10.6 through 10.11 without destroying automated access with Private+Public KeyPair.

Make sure you have your development software installed and updated

xcode-select --install
  1. Check-out the PAM-source from GitHub with git.
    mkdir ~/OATH_PAM ; cd ~/OATH_PAM ; git clone https://github.com/google/google-authenticator-libpam.git ; cd google-authenticator-libpam
  2. Follow the steps on the GitHub page to build the software
    ./bootstrap.sh
    ./configure
    make
    sudo make install
  3. activate the PAM module for ssh;
    sudo nano /etc/pam.d/sshd

    add the line
    auth       required       /usr/local/lib/security/pam_google_authenticator.so
  4. Restart the SSH daemon
    sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
    sudo launchctl load /System/Library/LaunchDaemons/ssh.plist
  5. activate google authenticator for your account
    ~/OATH_PAM/google-authenticator-libpam/google-authenticator

    Basically answer all questions with yes
  6. Copy the OTP Secret Url and paste in your browser to generate a QR Code and scan with your OATH compatible OTP app.
  7. SSH to your system
    ssh $(whoami)@localhost
  8. You should now be asked for your password and a one-time-password.

From this point on, TOTP is enabled and REQUIRED! for all users on the system, so if you’re using a multi-user system, be sure EVERY user knows how to work with TOTP and knows their TOTP-secret.

Author: Remon Pel

WebDeveloper though not WebDesigner

Leave a Reply

Your email address will not be published. Required fields are marked *