2-factor authentication for ssh

Tags: Security, ssh

I've seen walkthroughs to set up 2-factor authentication for ssh on linux boxes. Is there any way to do it on OSX?

Best Answer

Shamelessly stolen here: Enable Google two-factor authentication for SSH connections on OS X and updated:

Prerequisites on the remote host:

  • Xcode command line tools, Xcode
  • brew working (updated, upgraded, doctored)

Other prerequisites:

  • Google account and some registered mobile device (Android/iOS/Blackberry)

Install google-authenticator-libpam:

brew install autoconf automake libtool
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam
export LIBTOOL=glibtool
export LIBTOOLIZE=glibtoolize
autoreconf -ivf
touch AUTHORS NEWS README ChangeLog
automake --add-missing
./configure
sudo make install
sudo cp /usr/local/lib/security/pam_google_authenticator.so /usr/lib/pam/
sudo vi /etc/pam.d/sshd

Add the following line in sshd:

auth       required       pam_google_authenticator.so  nullok

Reload ssh:

sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load /System/Library/LaunchDaemons/ssh.plist

Install and configure Google Authenticator on your iPhone (or a similar device)

Set up Google Authenticator on the remote host interactively or non-interactively. Example:

google-authenticator -t -d -r 1 -R 30 -w 21 -f

Use google-authenticator -h to show the options.

Connect to the remote host after setting up the Google Authenticator PAM module on the remote host and Google Authenticator on your mobile device (adding the token for your user and remote host!):

ssh user@example.com
Password:    #password of user
Verification code:   #6-digit code you received on your mobile device.

To get around the error "Failed to use libqrencode to show QR code visually for scanning." install libqrencode with brew:

brew install libqrencode

and create a qr.png yourself if you don't want to create the QR code at google.com by omitting the first part of the URL and starting with otpauth...:

# the otpauth URI is passed unescaped: the %3F / %3D / %26 escapes belong only inside the google.com chart URL
qrencode "otpauth://totp/demo@myhost?secret=SECRET_KEY&issuer=myhost" -o qr.png