Remons TechNotes

SSH + TOTP – Two-factor Authentication on SSH with OATH Time-based One-Time Passwords

Following in the footsteps of this TechOrganic blog article, but not wanting to require all the authentication factors (just TOTP in addition to password authentication), and also running into macOS’ System Integrity Protection, I found a way to get OTP working on OS X 10.6 through 10.11 without breaking automated access with a private/public key pair.

Make sure you have your development software installed and updated:

    xcode-select --install

  1. Check out the PAM source from GitHub with git:
    mkdir ~/OATH_PAM ; cd ~/OATH_PAM ; git clone https://github.com/google/google-authenticator-libpam.git ; cd google-authenticator-libpam
  2. Follow the steps on the GitHub page to build the software:
    ./bootstrap.sh
    ./configure
    make
    sudo make install
  3. Activate the PAM module for ssh:
    sudo nano /etc/pam.d/sshd

    and add the line
    auth       required       /usr/local/lib/security/pam_google_authenticator.so
  4. Restart the SSH daemon:
    sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
    sudo launchctl load /System/Library/LaunchDaemons/ssh.plist
  5. Activate Google Authenticator for your account:
    ~/OATH_PAM/google-authenticator-libpam/google-authenticator

    Basically, answer all questions with yes.
  6. Copy the OTP secret URL, paste it in your browser to generate a QR code, and scan it with your OATH-compatible OTP app.
  7. SSH to your system:
    ssh $(whoami)@localhost
  8. You should now be asked for your password and a one-time password.

From this point on, TOTP is enabled and REQUIRED for all users on the system, so if you’re using a multi-user system, be sure EVERY user knows how to work with TOTP and knows their TOTP secret.
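The steps above, and the lockout warning that follows them, as one re-runnable script. This is an added example and not code from the original post or from the google-authenticator-libpam project: the file paths, the PAM line and the launchctl commands are the ones the post uses, while the PAM_FILE/SSHD_CONFIG variables, the check_sshd_config and unenrolled_users checks, and the assumption that user homes live under /Users are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the original post): re-runnable version of the
# PAM/sshd steps, with two checks done before sshd is restarted.
set -e

PAM_FILE="${PAM_FILE:-/etc/pam.d/sshd}"                 # assumed override point for testing
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"      # assumed override point for testing
PAM_MODULE="/usr/local/lib/security/pam_google_authenticator.so"
PAM_LINE="auth       required       ${PAM_MODULE}"
SSH_PLIST="/System/Library/LaunchDaemons/ssh.plist"

# Step 3, made idempotent: append the module line only if it is not already in
# the pam.d file, so re-running never stacks duplicate "auth required" entries
# (each duplicate would demand a further OTP). SUDO=sudo writes as root.
add_pam_line() {
    if grep -q 'pam_google_authenticator.so' "$1"; then
        return 0
    fi
    printf '%s\n' "$PAM_LINE" | ${SUDO:-} tee -a "$1" >/dev/null
}

# Number of google-authenticator lines in a pam.d file (0 instead of grep's error exit).
count_pam_lines() {
    grep -c 'pam_google_authenticator.so' "$1" || true
}

# sshd only hands authentication to PAM when UsePAM is on, and the OTP prompt
# reaches the client via keyboard-interactive (ChallengeResponseAuthentication).
# Refuse to continue if either is explicitly switched off in sshd_config.
check_sshd_config() {
    if grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+no' "$1"; then
        return 1
    fi
    if grep -Eiq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+no' "$1"; then
        return 1
    fi
    return 0
}

# The post warns that TOTP becomes mandatory for everyone: list the home
# directories under a root that still have no ~/.google_authenticator, i.e.
# accounts whose password logins would fail once sshd is restarted.
unenrolled_users() {
    for home in "$1"/*/; do
        [ -d "$home" ] || continue
        [ -f "${home}.google_authenticator" ] || basename "$home"
    done
}

# Steps 1-4 end to end (only runs when invoked as: sh this_script.sh apply).
apply() {
    mkdir -p ~/OATH_PAM && cd ~/OATH_PAM
    [ -d google-authenticator-libpam ] || git clone https://github.com/google/google-authenticator-libpam.git
    cd google-authenticator-libpam
    ./bootstrap.sh && ./configure && make && sudo make install

    check_sshd_config "$SSHD_CONFIG" || { echo "PAM or keyboard-interactive auth is disabled in $SSHD_CONFIG" >&2; exit 1; }
    missing=$(unenrolled_users /Users)
    [ -z "$missing" ] || echo "warning: not yet enrolled (will be locked out of password logins): $missing" >&2

    SUDO=sudo add_pam_line "$PAM_FILE"
    sudo launchctl unload "$SSH_PLIST"
    sudo launchctl load "$SSH_PLIST"
    echo "Now run google-authenticator for each user (step 5), then test with: ssh $(whoami)@localhost"
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

The enrolment check exists because the post leaves the module without its `nullok` option, so a user who has no ~/.google_authenticator file cannot complete password authentication at all; key-based logins are unaffected, which is the behaviour the post relies on for automated access.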
