How to secure debian with two factor authentication (TOTP/HOTP)

First, install the necessary packages:

% apt-get install libpam-oath oathtool

Generate a key and write it to /etc/security/users.oath (NB the key will be in hexadecimal; if you are using Authy you will want to convert it to Base32):

% KEY=$( head -c 1024 /dev/urandom | openssl sha1 | awk '{ print $2 }' )
% echo "HOTP/T30/6 andrewlkho - ${KEY}" >> /etc/security/users.oath
% chmod 600 /etc/security/users.oath
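As an added example (not part of the gist), the following Python shows what the HOTP/T30/6 line means to the server: it derives the Base32 form of the hex secret that Authy asks for, computes the RFC 4226/6238 code that pam_oath will compare against for a 30-second step and 6 digits, and verifies a submitted code with a small clock-skew window. The function names, the 20-byte key length and the +/-1 step window are choices made here, not settings taken from libpam-oath.

```python
import base64
import hashlib
import hmac
import os
import struct
import time


def generate_hex_key(nbytes: int = 20) -> str:
    """Fresh random secret, hex-encoded like the gist's openssl sha1 output
    (20 bytes = 160 bits, the natural HMAC-SHA1 key size; assumed here)."""
    return os.urandom(nbytes).hex()


def hex_to_base32(hex_key: str) -> str:
    """Base32 form of the same secret, which Authy and similar apps expect
    when an account is added manually (padding stripped)."""
    return base64.b32encode(bytes.fromhex(hex_key)).decode("ascii").rstrip("=")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the last `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(hex_key: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with the HOTP/T30/6 parameters: counter = t // 30."""
    return hotp(bytes.fromhex(hex_key), unix_time // step, digits)


def verify_totp(hex_key: str, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side
    (clock skew); each comparison is constant-time via hmac.compare_digest."""
    secret = bytes.fromhex(hex_key)
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    key = generate_hex_key()
    print("HOTP/T30/6 andrewlkho -", key)          # the users.oath line
    print("Base32 for Authy:", hex_to_base32(key))
    now = int(time.time())
    print("code right now:", totp(key, now))
    print("verifies:", verify_totp(key, totp(key, now), now))
```

Run it once to see the users.oath line and the matching Base32 string side by side; the secret printed by the script is a constructed example and should not be reused for a real account.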

Configure use of libpam-oath in /etc/pam.d/sshd (and any other services you wish, such as sudo):

# @include common-auth
auth required pam_unix.so nullok_secure
auth required pam_permit.so
auth required pam_oath.so usersfile=/etc/security/users.oath

Note that we have excluded common-auth because otherwise it would leak information about whether or not the password is correct, as noted here: with the stock common-auth a wrong password ends the stack before pam_oath runs, so the appearance of the one-time password prompt itself reveals that the password was accepted. With every line marked required, the stack runs to the end either way.
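To make the control-flag reasoning concrete, here is an added Python model (not from the gist, and not PAM's real implementation) of how an auth stack is evaluated under required, requisite and sufficient. It treats the stock common-auth as a requisite pam_unix, which is an assumption of this model standing in for its pam_deny line, and reports which modules were reached, since pam_oath only prompts when it is reached.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Module:
    name: str       # e.g. "pam_unix.so"
    control: str    # "required", "requisite" or "sufficient"
    result: bool    # the module's own verdict for this attempt (constructed)


@dataclass
class Outcome:
    authenticated: bool
    evaluated: List[str] = field(default_factory=list)  # modules that actually ran


def run_auth_stack(stack: List[Module]) -> Outcome:
    """Simplified PAM control-flag semantics for an auth stack.
    required:   a failure is remembered, but later modules still run.
    requisite:  a failure ends the stack immediately.
    sufficient: a success ends the stack with success, unless an earlier
                required module already failed.
    ([value=action] syntax and 'optional' are left out of this model.)"""
    failed = False
    evaluated: List[str] = []
    for module in stack:
        evaluated.append(module.name)
        if module.control == "requisite" and not module.result:
            return Outcome(False, evaluated)
        if module.control == "required" and not module.result:
            failed = True
        if module.control == "sufficient" and module.result and not failed:
            return Outcome(True, evaluated)
    return Outcome(not failed, evaluated)


def gist_stack(password_ok: bool, otp_ok: bool) -> List[Module]:
    """The three 'auth required' lines from the gist's /etc/pam.d/sshd."""
    return [
        Module("pam_unix.so", "required", password_ok),
        Module("pam_permit.so", "required", True),
        Module("pam_oath.so", "required", otp_ok),
    ]


def common_auth_stack(password_ok: bool, otp_ok: bool) -> List[Module]:
    """Approximation of keeping @include common-auth: Debian's stock file
    ends the stack via pam_deny when pam_unix fails, which this model
    represents as a requisite pam_unix (assumption)."""
    return [
        Module("pam_unix.so", "requisite", password_ok),
        Module("pam_oath.so", "required", otp_ok),
    ]


def otp_prompt_shown(stack: List[Module]) -> bool:
    """Whether the client would ever see the one-time password prompt."""
    return "pam_oath.so" in run_auth_stack(stack).evaluated


if __name__ == "__main__":
    for label, build in (("gist", gist_stack), ("common-auth", common_auth_stack)):
        for pw, otp in ((True, True), (False, True), (True, False)):
            out = run_auth_stack(build(pw, otp))
            print(f"{label:11} password_ok={pw!s:5} otp_ok={otp!s:5} "
                  f"-> auth={out.authenticated!s:5} otp_prompt={otp_prompt_shown(build(pw, otp))}")
```

The observable difference is the otp_prompt column: with the gist's stack the prompt appears whether or not the password was right, so a remote observer learns nothing from it; with the common-auth approximation it appears only after a correct password.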

Enable PAM in /etc/ssh/sshd_config:

UsePAM yes
ChallengeResponseAuthentication yes

Restart ssh:

% service ssh restart