Tuesday, August 29, 2023

Re: non-hardware 2fa options for openssh

Daniel Jakots <danj@chown.me> writes:

> On Tue, 29 Aug 2023 10:07:18 -0500, "mymlact@gmx.com" <mymlact@gmx.com>
> wrote:
>
>> Hi All,
>>
>> I want to secure an openssh server with two factor authentication and
>> have seen the hardware token methods, most recently I've been seeing
>> yubi/FIDO methods.
>>
>> Ideally I would like to avoid having to depend on a usb size device
>> that could easily be lost.
>
> Using something based on TOTP (Cf. rfc6238) is probably your best bet
> then.
>
>> I looked around and found mention of google authenticator as an
>> option, phones aren't much bigger than usb sticks but people protect
>> their phone as if it was their soul, but the newest mention I can
>> find is many years old.
>
> AFAIK, google authenticator is simply an app doing the math for TOTP.
> There are multiple basic open-source apps (on both Android and iPhones)
> which can provide you with the right TOTP based on the seed/secret.
>
> And if you don't want to use a phone, you can use oathtool(1) from
> security/oath-toolkit.
> I think some password managers also are able to generate the TOTP.
>
>> My question is there any recent documentation / information on setting
>> up an openssh server with non-hardware based two factor
>> authentication? This does NOT have to be google authenticator, any
>> similar service will suffice.
>
> login_totp(8), login.conf(5), sshd_config(5), and maybe a couple of
> others.
>
> You may also want to look at sysutils/login_oath (which I've been using
> for years), but maybe for new setups, the login_totp from base makes
> more sense.
>

login_totp is in base?
