http://www.nongnu.org/oath-toolkit/pam_oath.html
First, install the necessary packages:
```
% apt-get install libpam-oath oathtool
```
Generate a key and write it to `/etc/security/users.oath` (NB the key will be in hexadecimal; if you are using [Authy](https://www.authy.com) you will want to convert it to BASE32):
```
% KEY=$( head -c 1024 /dev/urandom | openssl sha1 | awk '{ print $2 }' )
% echo "HOTP/T30/6 andrewlkho - ${KEY}" >> /etc/security/users.oath
% chmod 600 /etc/security/users.oath
```
Configure use of libpam-oath in `/etc/pam.d/sshd` (and any other services you wish, such as sudo):
```
# @include common-auth
auth required pam_unix.so nullok_secure
auth required pam_permit.so
auth required pam_oath.so usersfile=/etc/security/users.oath
```
Note that we have excluded common-auth because otherwise it would leak information about whether or not the password is correct, as noted [here](http://mikeboers.com/blog/2011/05/28/one-time-passwords-for-ssh-on-ubuntu-and-os-x).
Enable PAM in `/etc/ssh/sshd_config`:
```
UsePAM yes
ChallengeResponseAuthentication yes
```
Restart ssh:
```
% service ssh restart
```
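As an added example (not part of the original note or of oath-toolkit), the following Python script parses a `users.oath` line in the `HOTP/T30/6` format used above, converts the hex secret to the unpadded BASE32 that Authy expects, and computes the current TOTP code so you can compare it against your app before relying on it for SSH. The sample line and its secret (the RFC 4226/6238 test key) are constructed, not real.

```python
import base64
import hashlib
import hmac
import struct
import time


def parse_users_oath_line(line):
    """Parse one pam_oath usersfile line: TYPE USER PIN SECRET_HEX.

    Assumes the HOTP/T<step>/<digits> form used on this page; PIN "-" means none.
    """
    otp_type, user, _pin, secret_hex = line.split()
    parts = otp_type.split("/")  # e.g. ["HOTP", "T30", "6"]
    if parts[0] != "HOTP" or len(parts) < 2 or not parts[1].startswith("T"):
        raise ValueError("expected HOTP/T<step>/<digits>")
    step = int(parts[1][1:])
    digits = int(parts[2]) if len(parts) > 2 else 6
    return step, digits, user, bytes.fromhex(secret_hex)


def hex_to_base32(secret_hex):
    """Authy and similar apps take the secret as unpadded BASE32, not hex."""
    return base64.b32encode(bytes.fromhex(secret_hex)).decode().rstrip("=")


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, which is what an HOTP/T30/6 line means."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def current_code_for_line(line, now=None):
    """Return (user, code) for the usersfile line at time `now` (default: now)."""
    step, digits, user, secret = parse_users_oath_line(line)
    return user, totp(secret, time.time() if now is None else now, step, digits)


if __name__ == "__main__":
    # Constructed sample line; the secret is the RFC 4226/6238 test key, not a real one.
    SAMPLE = "HOTP/T30/6 andrewlkho - 3132333435363738393031323334353637383930"
    print("BASE32 for Authy:", hex_to_base32(SAMPLE.split()[-1]))
    print("current code:", current_code_for_line(SAMPLE))
```

Run it against your real line from `/etc/security/users.oath` and check that the printed code matches what `oathtool --totp <hex key>` and your app show within the same 30-second window.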