OTP

OpenBSD & OTP

I don’t like SSH & password authentication, but sometimes, especially during setup or recovery, it’s needed and makes sense. I thought I’d protect some boxes with OTP. Here are a few notes and instructions.

Build login_otp

git clone https://github.com/reyk/login_otp
cd login_otp
make obj
make all
doas make install

Initialize OTP DB

doas otp -i

Generate Key for User

otp -g
Name: stoege
Key:  xxxx xxxx xxxx xxxx xxxx xxxx xx
URL:  otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30

Build QR Code

echo "otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30" |qrencode -t ansiutf8

Then scan the code with Google Authenticator (or a similar app).

OpenSSH 2FA Google Auth

Let’s give it a try with Alpine Linux, OpenSSH and 2FA with Google Authenticator.

Add Packages

apk add openssh openssh-server-pam google-authenticator openssh-doc google-authenticator-doc libqrencode

Configure GoogleAuth

touch /etc/pam.d/sshd
ln /etc/pam.d/sshd /etc/pam.d/sshd.pam

cat << 'EOF' >> /etc/pam.d/sshd.pam
account   include     base-account

auth      required    pam_env.so
auth      required    pam_nologin.so  successok
auth      required    /lib/security/pam_google_authenticator.so   echo_verification_code grace_period=57600 nullok
auth      required    pam_unix.so   md5 sha512
EOF

Update sshd_config

cat << 'EOF' >> /etc/ssh/sshd_config
PasswordAuthentication no
AuthenticationMethods any
UsePAM yes
EOF

Restart SSHD

service sshd restart

Setup User

su - USERNAME
google-authenticator

Response