Tuesday, August 29, 2023

Re: non-hardware 2fa options for openssh

On Tue, 29 Aug 2023 10:07:18 -0500, "mymlact@gmx.com" <mymlact@gmx.com>
wrote:

> Hi All,
>
> I want to secure an openssh server with two factor authentication and
> have seen the hardware token methods, most recently I've been seeing
> yubi/FIDO methods.
>
> Ideally I would like to avoid having to depend on a USB-sized device
> that could easily be lost.

Using something based on TOTP (cf. RFC 6238) is probably your best bet
then.

> I looked around and found mention of Google Authenticator as an
> option, phones aren't much bigger than USB sticks but people protect
> their phone as if it was their soul, but the newest mention I can
> find is many years old.

AFAIK, Google Authenticator is simply an app doing the math for TOTP.
There are multiple basic open-source apps (on both Android and iPhones)
which can provide you with the right TOTP based on the seed/secret.

And if you don't want to use a phone, you can use oathtool(1) from
security/oath-toolkit.
I think some password managers are also able to generate the TOTP.

> My question is there any recent documentation / information on setting
> up an openssh server with non-hardware based two factor
> authentication? This does NOT have to be google authenticator, any
> similar service will suffice.

login_totp(8), login.conf(5), sshd_config(5), and maybe a couple of
others.

You may also want to look at sysutils/login_oath (which I've been using
for years), but maybe for new setups, the login_totp from base makes
more sense.

Have fun,
Daniel
