Last update: 2018-08-23
Warning: Following the instructions in this post might put your SSH server at risk. Be sure you know what you are doing. Or be prepared to deal with the consequences on your own.
In this post I show you how you can configure OpenSSH on OpenBSD to allow passwords with two factor authentication (2FA). I use the login_otp module from Reyk Flöter.
At the time of writing this module is not (yet) part of base or in ports. You have to download, compile and install it yourself.
$ ftp -o login_otp.zip https://github.com/reyk/login_otp/archive/master.zip
$ unzip login_otp.zip
$ cd login_otp-master
$ make
...
$ doas make install
The required binaries are placed in /usr/bin. Before you can change the authentication for SSH you must initialize the OTP database.
$ doas otp -i
Login as the user for whom you want to generate a TOTP secret and run the following command:
$ otp -g
!!! WARNING: PLEASE KEEP THE FOLLOWING KEY SECRET !!!
Load the following key or URL in the authenticator:
Name: user
Key: a1a1 a1a1 a1a1 a1a1 a1a1 a1a1 a1
URL: otpauth://totp/bruno?secret=A1A1A1A1A1A1A1A1A1A1A1A1A1&issuer=&algorithm=SHA1&digits=6&period=30
Enter this secret key into your OATH-compatible second factor device, e.g. an authenticator app, token or hardware dongle.
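As an added illustration (not code from the original post or from login_otp), the following Python script parses an otpauth URL of the form printed by otp -g, computes the TOTP code an authenticator would display for it, and performs the skew-tolerant check a server does on the other side. The key in the constructed URL is the RFC 6238 test secret (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), not a real one.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def parse_otpauth(url):
    """Extract key, algorithm, digits and period from an otpauth://totp/ URL."""
    parsed = urlparse(url)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URL")
    params = parse_qs(parsed.query)  # an empty issuer= is simply dropped
    secret = params["secret"][0].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # base32 needs padding to 8 chars
    return {
        "label": parsed.path.lstrip("/"),
        "key": base64.b32decode(secret),
        "algorithm": params.get("algorithm", ["SHA1"])[0].lower(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def hotp(key, counter, algorithm="sha1", digits=6):
    """RFC 4226: HMAC over the big-endian counter, then dynamic truncation."""
    digest = getattr(hashlib, algorithm)
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(params, unix_time):
    """RFC 6238: HOTP over the number of whole periods since the epoch."""
    step = int(unix_time) // params["period"]
    return hotp(params["key"], step, params["algorithm"], params["digits"])


def verify(params, candidate, unix_time, window=1):
    """Server-side check: accept the current step and +/- window steps of
    clock skew; compare in constant time so timing leaks nothing."""
    step = int(unix_time) // params["period"]
    for delta in range(-window, window + 1):
        expected = hotp(params["key"], step + delta, params["algorithm"], params["digits"])
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed URL in the format otp -g prints, using the RFC 6238 test key.
EXAMPLE = parse_otpauth("otpauth://totp/user?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
                        "&issuer=&algorithm=SHA1&digits=6&period=30")
```

With this key the code at Unix time 59 is 287082, matching the RFC 6238 test vector truncated to six digits.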
On OpenBSD sshd(8) uses the BSD Auth mechanism which is configured in login.conf(5). Below the line starting auth-ftp-defaults add the following:
+# Default allowed authentication styles for authentication type ssh
+auth-ssh-defaults:auth-ssh=otp,passwd:
And modify the login class default by adding a matching entry:
default:\
:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin:\
:umask=022:\
:datasize-max=768M:\
:datasize-cur=768M:\
:maxproc-max=256:\
:maxproc-cur=128:\
:openfiles-max=1024:\
:openfiles-cur=512:\
:stacksize-cur=4M:\
:localcipher=blowfish,a:\
:tc=auth-defaults:\
:tc=auth-ftp-defaults:\
+ :tc=auth-ssh-defaults:
sshd(8) allows the use of passwords for authentication by default. But it is a common best practice to disable passwords and to allow public keys only. If you have done this in the past, make sure your /etc/ssh/sshd_config contains the following line to enable password authentication:
PasswordAuthentication yes
A more secure option is to allow password authentication only for certain user accounts or groups. You can do this by putting the above line into a Match block. If you want to allow members of the group trust to use passwords, add something like this:
Match group trust
PasswordAuthentication yes
As a last step you must reload the configuration:
$ doas rcctl reload sshd
Make sure that you have a working alternative to passwords, especially if the console of your system is not easily accessible. The way I've configured it in this post allows you to use public key authentication and password + 2FA at the same time in SSH.