Following the footsteps of this TechOrganic blog article but not wanting to require all the authentication factors, just the TOTP in addition to Password authentication, and also running into macOS’ System Integrity Protection, I found a way to get OTP working on OSX 10.6 through 10.11 without destroying automated access with Private+Public KeyPair.
Make sure you have your development software installed and updated
- Check-out the PAM-source from GitHub with git.
mkdir ~/OATH_PAM ; cd ~/OATH_PAM ; git clone https://github.com/google/google-authenticator-libpam.git ; cd google-authenticator-libpam
- Follow the steps on the GitHub page to build the software
sudo make install
- activate the PAM module for ssh;
sudo nano /etc/pam.d/sshd
add the line
auth required /usr/local/lib/security/pam_google_authenticator.so
- Restart the SSH daemon
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load /System/Library/LaunchDaemons/ssh.plist
- activate google authenticator for your account
Basically answer all questions with yes
- Copy the OTP Secret Url and paste in your browser to generate a QR Code and scan with your OATH compatible OTP app.
- SSH to your system
- You should now be asked for your password and a one-time-password.
From this point on, TOTP is enabled and REQUIRED! for all users on the system, so if you’re using a multi-user system, be sure EVERY user knows how to work with TOTP and knows their TOTP-secret.
2 thoughts on “SSH + TOTP – Two factor Authentication on SSH with OATH Time-based One-Time Passwords”
2019 update, can use homebrew, no need to build yourself:
per user (brew list google-authenticator-libpam | grep bin), run:
absolutely brilliant :)
note: have not tried it myself