@ervinb
Last active April 20, 2016 17:14
#!/usr/bin/env expect
# ssh-mfa.exp: read the base32 TOTP secret from MFA_SECRET, generate the
# current one-time code with oathtool and feed it to the SSH prompt.
if {[llength $argv] != 2} {
    send_user "usage: expect ./ssh-mfa.exp <ssh-user> <ssh-server>\n"
    exit 1
}
set otc_pattern {\d{6}}
set name [lindex $argv 0]
set server [lindex $argv 1]
set secret $env(MFA_SECRET)

# Match the six digits as a regex (not the literal string "otc_pattern")
# and keep only the matched text, not the whole output buffer.
spawn oathtool --totp -b "$secret"
expect -re $otc_pattern
set otc $expect_out(0,string)
wait

send_user "SSH user: $name\n"
send_user "SSH server: $server\n"
send_user "Your one-time code is: $otc\n"

# Note: these two -o options disable host key verification, so a host
# impersonating the server would receive the code; drop them once the
# server's key is in known_hosts.
spawn ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null $name@$server
expect "Verification code:"
send "$otc\r"
interact
ervinb commented Apr 20, 2016

Setting up Google Authenticator (on the server)


  • install the package
$ sudo apt-get install libpam-google-authenticator
  • configure
$ google-authenticator
  • save the secret; this is exported to the MFA_SECRET environment variable on the client
  • enable the MFA module in SSH
$ sudo sed -i '1iauth required pam_google_authenticator.so' /etc/pam.d/sshd
$ sudo sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
$ sudo service ssh restart
  • if you're doing this through an SSH session, keep it alive until you confirm that everything works

Generate one-time code (on the client)


  • install oathtool and expect
$ sudo apt-get install oathtool expect
  • export the secret generated on the server to MFA_SECRET
export MFA_SECRET=mys3cr37
  • run this script
expect ./ssh-mfa.exp ssh-user ssh-server
  • the assumption is that the client's SSH key is already in ~/.ssh/authorized_keys on the server, which enables passwordless SSH logins
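What `oathtool --totp -b "$secret"` computes on the client, and what the server-side PAM module checks against, is the RFC 6238 TOTP algorithm: HMAC-SHA1 over the current 30-second time step, dynamically truncated to six digits. The following is an added example in Python, not code from the gist, that derives the code from a base32 secret the way `oathtool -b` does and verifies it with a one-step clock-skew window on the server side. The test secret is the RFC 4226/6238 test vector, the `MFA_SECRET` variable name follows the gist, and the ±1-step window is an assumption about how a verifier tolerates skew.

```python
#!/usr/bin/env python3
"""RFC 6238 TOTP generation and windowed verification (added example, not from the gist)."""
import base64
import hashlib
import hmac
import os
import struct
import time

# RFC 4226 / RFC 6238 test secret: ASCII "12345678901234567890", base32-encoded.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros, e.g. "005924"


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret google-authenticator prints (what `oathtool -b` expects)."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                     # restore the padding tools usually omit
    return base64.b32decode(s)


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP with the counter set to floor(unix_time / step)."""
    return hotp(decode_base32_secret(secret_b32), for_time // step, digits)


def verify_totp(secret_b32: str, code: str, now: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` neighbouring steps
    (clock-skew tolerance, assumed to be +-1 step here), comparing in constant time."""
    key = decode_base32_secret(secret_b32)
    counter = now // step
    accepted = False
    for delta in range(-window, window + 1):
        # No early return: every candidate is compared so timing does not leak which step matched.
        if hmac.compare_digest(hotp(key, counter + delta, len(code)), code):
            accepted = True
    return accepted


if __name__ == "__main__":
    # Same environment variable the gist's expect script reads; falls back to the RFC vector.
    secret = os.environ.get("MFA_SECRET", RFC_SECRET_B32)
    print(totp(secret, int(time.time())))
```

The verifier accepts a code from the previous or next 30-second step, which is why the gist's flow (generate, then spawn `ssh` and type the code) has a little slack but still fails if the client clock drifts by more than a step; `hmac.compare_digest` avoids leaking, through response timing, how many digits of a guess were right.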
