BSDHowTo.ch

How to configure 2FA for SSH password log in

Last update: 2018-08-23

Warning: Following the instructions in this post might put your SSH server at risk. Be sure you know what you are doing. Or be prepared to deal with the consequences on your own.

Introduction

In this post I show how to configure OpenSSH on OpenBSD to allow password logins with two-factor authentication (2FA), using the login_otp module written by Reyk Flöter.

Install and configure login_otp

At the time of writing this module is not (yet) part of the base system or of ports. You have to download, compile and install it yourself.

$ ftp -o login_otp.zip https://github.com/reyk/login_otp/archive/master.zip
$ unzip login_otp.zip
$ cd login_otp-master
$ make
...
$ doas make install

The required binaries are installed in /usr/bin. Before you can change the authentication for SSH you must initialize the OTP database:

$ doas otp -i

Log in as the user for whom you want to generate a TOTP secret and run the following command:

$ otp -g
!!! WARNING: PLEASE KEEP THE FOLLOWING KEY SECRET !!!

 Load the following key or URL in the authenticator:

 Name:   user
 Key:    a1a1 a1a1 a1a1 a1a1 a1a1 a1a1 a1
 URL:    otpauth://totp/bruno?secret=A1A1A1A1A1A1A1A1A1A1A1A1A1&issuer=&algorithm=SHA1&digits=6&period=30

Enter this secret key into your OATH-compatible second-factor device, e.g. an authenticator app, token or hardware dongle.
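As an added illustration (not part of the original post or of login_otp), the following Python parses an otpauth URL in the form printed by otp -g above and computes the TOTP code an authenticator derives from it; it also shows the skew-window check a server performs when validating a submitted code. The URL is constructed and uses the RFC 6238 test-vector secret, not a real key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed example in the same form otp -g prints. The secret is the
# RFC 6238 test-vector key ("12345678901234567890" in base32), NOT a real one.
EXAMPLE_URL = ("otpauth://totp/user?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
               "&issuer=&algorithm=SHA1&digits=6&period=30")

def parse_otpauth(url):
    """Return (label, key_bytes, hash_name, digits, period) from an otpauth URL."""
    u = urlparse(url)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URL")
    q = parse_qs(u.query, keep_blank_values=True)
    secret = q["secret"][0].upper().replace(" ", "")
    # base32 decoding requires padding to a multiple of 8 characters
    secret += "=" * (-len(secret) % 8)
    key = base64.b32decode(secret)
    algo = q.get("algorithm", ["SHA1"])[0].lower()
    digits = int(q.get("digits", ["6"])[0])
    period = int(q.get("period", ["30"])[0])
    return unquote(u.path.lstrip("/")), key, algo, digits, period

def hotp(key, counter, algo="sha1", digits=6):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key, unix_time, algo="sha1", digits=6, period=30):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(key, int(unix_time) // period, algo, digits)

def verify_totp(url, submitted, unix_time, window=1):
    """Server-side check: accept the current time step and the +-window
    neighbouring steps to absorb clock skew, comparing in constant time."""
    _, key, algo, digits, period = parse_otpauth(url)
    step = int(unix_time) // period
    return any(hmac.compare_digest(hotp(key, step + d, algo, digits), submitted)
               for d in range(-window, window + 1))
```

With the test-vector key, totp(key, 59) yields 287082, matching the RFC 6238 SHA1 vector truncated to six digits.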

Modify login.conf(5)

On OpenBSD, sshd(8) uses the BSD Authentication mechanism, which is configured in login.conf(5). Below the line starting with auth-ftp-defaults, add the following:

+# Default allowed authentication styles for authentication type ssh
+auth-ssh-defaults:auth-ssh=otp,passwd:

And modify the login class default by adding a matching entry:

default:\
    :path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin:\
    :umask=022:\
    :datasize-max=768M:\
    :datasize-cur=768M:\
    :maxproc-max=256:\
    :maxproc-cur=128:\
    :openfiles-max=1024:\
    :openfiles-cur=512:\
    :stacksize-cur=4M:\
    :localcipher=blowfish,a:\
    :tc=auth-defaults:\
    :tc=auth-ftp-defaults:\
+   :tc=auth-ssh-defaults:

Configure sshd(8)

By default sshd(8) allows password authentication, but it is common best practice to disable passwords and allow public keys only. If you have done this in the past, make sure your /etc/ssh/sshd_config contains the following line to re-enable password authentication:

PasswordAuthentication yes

A more secure option is to allow password authentication only for certain user accounts or groups. You can do this by putting the above line into a Match block. If you want to allow members of the group trust to use passwords, add something like this:

Match group trust
    PasswordAuthentication yes

As a last step you must reload the configuration:

$ doas rcctl reload sshd

Testing the new setup

Make sure that you have a working alternative to passwords, especially if the console of your system is not easily accessible. The setup described in this post allows public key authentication and password + 2FA to be used side by side in SSH.