Two-Factor-Authentication “2FA” with SSH

Install google authenticator and libqrencode:

pkg install pam_google_authenticator
pkg install libqrencode

Edit /etc/pam.d/sshd an add the following line to the auth section:

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
#auth           required        pam_unix.so             no_warn try_first_pass
auth            required        /usr/local/lib/pam_google_authenticator.so

Add this to/etc/ssh/sshd_config:

CallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

This setup will do a “publickey + verification code”, without password, in case you require password edit the /etc/pam.d/sshd and ensure the line pam_unix.so is uncommented

auth           required        pam_unix.so             no_warn try_first_pass
auth           required        /usr/local/lib/pam_google_authenticator.so

Enable 2FA per user:

Execute google-authenticator as the user you want to protect with MFA:

su - alice -c google-authenticator

You can answer all questions to Y, the configuration will be saved in this file ~/.google-authenticator

The content of the file looks like this:

> cat .google_authenticator
VLS3WGLC4YTVFSSK
" TIME_SKEW 0
" RESETTING_TIME_SKEW
" RATE_LIMIT 3 30 1496497256
" WINDOW_SIZE 17
" DISALLOW_REUSE 49883227
" TOTP_AUTH
12268625
67512245
75096563
52505947
42447122

If for some reason the user can’t scan the qrcode due the font issues, use the code instead, in this example:

VLS3WGLC4YTVFSSK