OpenBSD & OTP
i don’t like ssh & password authentication. but sometimes, especially during setup or recovery, it’s needed and makes sense. so i thought i’d protect some boxes with otp. here are a few notes and instructions
Build login_otp
git clone https://github.com/reyk/login_otp
cd login_otp
make obj
make all
doas make install
Initialize OTP DB
doas otp -i
Generate Key for User
otp -g
Name: stoege
Key: xxxx xxxx xxxx xxxx xxxx xxxx xx
URL: otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30
Build QR Code
echo "otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30" |qrencode -t ansiutf8
and scan the code with the google authenticator (or similar app)
globally enable OTP in login.conf (if /etc/login.conf.db exists on the box, rebuild it afterwards with `doas cap_mkdb /etc/login.conf`, otherwise login keeps reading the old compiled database)
doas sed -i 's/^auth-defaults:auth=.*/auth-defaults:auth=otp,skey/' /etc/login.conf
globally disable OTP in Login.conf
doas sed -i 's/^auth-defaults:auth=.*/auth-defaults:auth=passwd,skey/' /etc/login.conf
Test Login
stoege@puffy $ ssh localhost
(stoege@localhost) OTP+ password for "stoege":
enter OTP & Password as one string, OTP first (e.g. 123456mysecret), and you’re in
tail /var/log/authlog
Sep 16 16:47:43 puffy-otp sshd[19914]: Accepted keyboard-interactive/bsdauth for stoege from 127.0.0.1 port 34892 ssh2
while a standard ssh authentication with password looks like
Sep 16 16:53:18 puffy-std sshd[8997]: Accepted password for stoege from 127.0.0.1 port 25969 ssh
Show next Valid OTP
otp -t
remove OTP for a User
otp -r
looks like once otp is enabled in /etc/login.conf, every user needs a valid OTP to log in with a password! (so generate a key for every account that still needs password login before enabling it)
wrapper: install_otp.sh
a little wrapper script for OpenBSD (what else … ;)
cat << 'EOF' > install_otp.sh
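#!/usr/bin/env bash
# OTP Wrapper, v1.0, 2022-09-17, @stoege
# Work from $HOME: install() clones login_otp into the current directory.
# Abort if that fails instead of cloning/building wherever we happen to be.
cd ~ || exit 1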
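#######################################
# Print a timestamped status line: "** YYYY-mm-dd HH:MM:SS: <msg> **".
# Arguments: $1 - message text
# Outputs:   one line on stdout
#######################################
info() {
  # printf instead of a here-document: the original `cat << EOF` shared its
  # EOF delimiter with the outer `cat << 'EOF' > install_otp.sh` that writes
  # this script, so the outer here-document ended at the first inner EOF.
  printf '** %s: %s **\n' "$(date +"%Y-%m-%d %H:%M:%S")" "$1"
}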
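#######################################
# Print usage and exit with status 1 (used for -h and for unknown options).
# Outputs:   usage text on stdout
# Returns:   never; exits 1
#######################################
showhelp() {
  # -r was listed as an option but missing from the synopsis line.
  # Delimiter is USAGE rather than EOF so this body survives being written
  # through the outer `cat << 'EOF'` here-document; $0 must still expand,
  # hence the unquoted delimiter.
  cat << USAGE
usage: $0 -h|-i|-d|-e|-g|-s|-r
-h: help
-i: install
-d: disable
-e: enable
-g: generate (key)
-s: show (key)
-r: remove (key)
USAGE
  exit 1
}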
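#######################################
# Fetch, build and install reyk/login_otp from the current directory.
# Note: the name shadows install(1) for anything the shell itself resolves
# in this script (an external `doas install ...` is not affected).
# Returns:   0 on success, non-zero as soon as a step fails
#######################################
install() {
  # Reuse an existing checkout (e.g. from an earlier aborted run) instead of
  # failing on the clone; otherwise stop before `make` runs in the wrong dir.
  if [[ ! -d login_otp ]]; then
    git clone https://github.com/reyk/login_otp || return 1
  fi
  cd login_otp || return 1
  make obj || return 1
  make all || return 1
  doas make install
}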
#######################################
# Initialize the OTP database (/etc/otp) as root via doas.
# Returns:   exit status of `doas otp -i`
#######################################
setupdb() {
  local -a init_cmd=(doas otp -i)
  "${init_cmd[@]}"
}
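#######################################
# Generate a new OTP key for the calling user and render its otpauth:// URL
# as a terminal QR code. otp -g prints name, key and URL on the tty; the QR
# code carries the same secret, so run this on a trusted terminal.
# Returns:   0 on success, non-zero if qrencode cannot be installed or no
#            otpauth URL was found in the otp -g output
#######################################
genkey() {
  local otp_out url host
  # qrencode comes from the libqrencode package: on OpenBSD that is pkg_add,
  # not install(1) as the original had it.
  command -v qrencode >/dev/null 2>&1 || doas pkg_add libqrencode || return 1
  echo
  otp_out=$(otp -g | tee /dev/tty)
  echo
  # Keep only the otpauth:// line. The original relied on an unquoted
  # `echo $key` collapsing all three output lines into one before sed.
  url=$(printf '%s\n' "$otp_out" | sed -n 's/.*\(otpauth:\/\/.*\)/\1/p')
  [[ -n "$url" ]] || return 1
  # Tag the label with the host ("user@host") so several boxes stay distinct
  # in the authenticator app: "?secret" -> "@host?secret".
  host=$(hostname)
  qrencode -t ansiutf8 <<<"${url/\?secret/@${host}?secret}"
  echo
}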
#######################################
# Show the next valid OTP for the calling user (runs as the user, no doas).
# Returns:   exit status of `otp -t`
#######################################
showkey() {
  command otp -t
}
#######################################
# Remove the calling user's OTP key. While otp is the default auth style,
# that user can then no longer log in with a password.
# Returns:   exit status of `otp -r`
#######################################
delkey() {
  command otp -r
}
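#######################################
# Make otp,skey the default auth style in /etc/login.conf, so every password
# login needs "OTP+password".
# Returns:   0 on success, 1 if the edit or the db rebuild fails
#######################################
enableotp() {
  doas sed -i 's/^auth-defaults:auth=.*/auth-defaults:auth=otp,skey/' /etc/login.conf || return 1
  # login reads the compiled /etc/login.conf.db when it exists; without a
  # rebuild the edit above would not take effect (login.conf(5), cap_mkdb(1)).
  if [[ -f /etc/login.conf.db ]]; then
    doas cap_mkdb /etc/login.conf || return 1
  fi
  info "OTP Enabled"
}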
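#######################################
# Restore passwd,skey as the default auth style in /etc/login.conf.
# Returns:   0 on success, 1 if the edit or the db rebuild fails
#######################################
disableotp() {
  doas sed -i 's/^auth-defaults:auth=.*/auth-defaults:auth=passwd,skey/' /etc/login.conf || return 1
  # login reads the compiled /etc/login.conf.db when it exists; without a
  # rebuild the edit above would not take effect (login.conf(5), cap_mkdb(1)).
  if [[ -f /etc/login.conf.db ]]; then
    doas cap_mkdb /etc/login.conf || return 1
  fi
  info "OTP Disabled"
}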
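#######################################
# Report whether otp is the global default auth style and print the command
# that flips it.
# Arguments: $1 - login.conf path (optional, default /etc/login.conf)
# Outputs:   status text on stdout; error on stderr if the file is unreadable
# Returns:   0 on success, 1 if the file cannot be read
#######################################
showinfo() {
  local conf=${1:-/etc/login.conf}
  [[ -r "$conf" ]] || { printf 'cannot read %s\n' "$conf" >&2; return 1; }
  # Match the auth-defaults entry itself: the original `fgrep otp` also hit
  # comments or unrelated entries that merely contain "otp" and then
  # reported OTP as enabled.
  # Here-doc delimiters are not EOF so the body survives being written
  # through the outer `cat << 'EOF'` here-document.
  if grep -q '^auth-defaults:auth=otp' "$conf"; then
    cat << 'OTP_ON'
OTP is ENABLED ! to disable it globally, run:
doas sed -i 's/^auth-defaults:auth=.*/auth-defaults:auth=passwd,skey/' /etc/login.conf
OTP_ON
  else
    cat << 'OTP_OFF'
OTP is DISABLED! to enable it globally, run:
doas sed -i 's/^auth-defaults:auth=.*/auth-defaults:auth=otp,skey/' /etc/login.conf; otp -g; otp -t
OTP_OFF
  fi
}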
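# Dispatch on the single option; anything unknown prints usage (exit 1).
case "${1-}" in
  -h) showhelp ;;
  -i)
    # Skip steps whose artefact already exists. Written as if/else because
    # the original `test ... && info ... || install` would also run install
    # whenever info() itself failed.
    if [[ -f /usr/libexec/auth/login_totp ]]; then
      info "already installed!"
    else
      install
    fi
    if [[ -f /etc/otp ]]; then
      info "otp db already initialized"
    else
      setupdb
    fi
    showinfo
    ;;
  -d) disableotp ;;
  -e) enableotp ;;
  -g) genkey ;;
  -r) delkey ;;
  -s) showkey ;;
  *) showhelp ;;
esac
# Propagate the action's status instead of an unconditional exit 0, so a
# failed install/edit is visible to callers; capture before the trailing echo.
rv=$?
echo
exit "$rv"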
EOF
chmod 700 install_otp.sh
Any Comments ?
sha256: 24b84876a6e54cc70d675511a186cea9963e0fea2f42a862abb5927e0f6ca749