src.dualinventive.com/devops/ansible/files/mg01/README_2FA.md

http://www.nongnu.org/oath-toolkit/pam_oath.html

First, install the necesssary packages:

% apt-get install libpam-oath oathtool

Generate a key and write it to /etc/users.oath (NB the key will be in hexadecimal; if you are using Authy you will want to convert it to BASE32):

% KEY=$( head -c 1024 /dev/urandom | openssl sha1 | awk '{ print $2 }' )
% echo "HOTP/T30/6 andrewlkho - ${KEY}" >> /etc/security/users.oath
% chmod 600 /etc/users.oath

Configure use of libpam-oath in /etc/pam.d/sshd (and any other services you wish, such as sudo):

# @include common-auth
auth required pam_unix.so nullok_secure
auth required pam_permit.so
auth required pam_oath.so usersfile=/etc/security/users.oath

Note that we have excluded common-auth because otherwise it would leak information about whether or not the password is correct, as noted here.

Enable PAM in /etc/ssh/sshd_config:

Use PAM yes
ChallengeResponseAuthentication yes

Restart ssh:

% service ssh restart