Is there a way to tell the SSH daemon, "when a remote device attempts to connect via SSH, verify against authorized_keys, but if there is no key offered, accept a one-time password so the user can use ssh-copy-id to provide it for subsequent attempts"?
context:
I would like to be able to set up a Linux server so that a user can SSH into the box, but I want to use RSA keypairs for authentication. I also have several devices that I want to be able to connect from, so that means providing multiple key-pairs (not a problem).
Essentially, I want to add entries to authorized_keys using OTP and ssh-copy-id, from a device that currently would be denied access (because it hasn't presented a public key yet). I currently have to SSH in from a machine that can connect, edit the sshd_config file to allow passwords, then copy over the id with a static password, turn password authentication off and restart the daemon. I would prefer a way to get an OTP from the system and then just use that and keep working…
Best Answer
Public key authentication is turned on by default and has higher priority than password authentication (handled by PAM or directly).
You can set the option UsePAM yes in sshd_config (the default on Red Hat), which will defer authentication to PAM -- this is configured in /etc/pam.d/sshd (can differ a bit on some systems). For OTP you can use google_authenticator, or some other open implementation of one-time passwords. There are many how-to's around here. You can try to search for two-factor authentication, but basically it is adding one line like this in the /etc/pam.d/sshd and doing some configuration: Arch has a nice instruction for this: https://wiki.archlinux.org/index.php/Google_Authenticator
Using only one-time passwords, without the second factor, can be a potential risk if the one-time password or token gets lost -- I recommend you not to go this way and implement two-factor authentication rather than only one-time passwords.
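Added example, not from the answer above: a constructed pair of sshd_config fragments (the asker's current "key only" state beside the "key first, PAM prompt otherwise" state) and a small POSIX shell checker for the sshd side of it. The sample configs and function names are constructed; the module line in /etc/pam.d/sshd is what makes that prompt a one-time-password prompt and is outside what the checker reads.

```shell
#!/bin/sh
# Added example, not from the answer above: constructed sshd_config fragments
# for the asker's situation, plus a checker for the settings that make sshd
# try the public key first and fall through to a PAM-driven OTP prompt.
# Assumes OpenSSH semantics: keywords are case-insensitive, the first
# occurrence wins, settings after a Match block are conditional, and
# KbdInteractiveAuthentication (older name: ChallengeResponseAuthentication)
# gates the PAM prompt. Defaults assumed: UsePAM no, everything else yes.

# Constructed "before": the current state, where a host with no key is refused.
SSHD_BEFORE='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no'

# Constructed "after": PAM and keyboard-interactive on so the OTP module in
# /etc/pam.d/sshd is consulted when no key is offered; static passwords stay off.
SSHD_AFTER='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes'

# sshd_opt KEY: print the effective (lowercased) value of KEY from the
# sshd_config read on stdin; empty output means "not set, default applies".
sshd_opt() {
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        tolower($1) == "match" { exit }          # stop at conditional blocks
        /^[[:space:]]*#/ || NF < 2 { next }      # skip comments and junk
        tolower($1) == key { print tolower($2); exit }'
}

# check_otp_fallback: read sshd_config on stdin; return 0 when key-first /
# OTP-otherwise is configured, else name each wrong setting on stderr, return 1.
check_otp_fallback() {
    cfg=$(cat); rc=0
    pk=$(printf '%s\n' "$cfg" | sshd_opt PubkeyAuthentication)
    pw=$(printf '%s\n' "$cfg" | sshd_opt PasswordAuthentication)
    pam=$(printf '%s\n' "$cfg" | sshd_opt UsePAM)
    kbd=$(printf '%s\n' "$cfg" | sshd_opt KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(printf '%s\n' "$cfg" | sshd_opt ChallengeResponseAuthentication)
    [ "${pk:-yes}" = yes ]  || { echo "PubkeyAuthentication must be yes" >&2; rc=1; }
    [ "${pw:-yes}" = no ]   || { echo "PasswordAuthentication must be no" >&2; rc=1; }
    [ "${pam:-no}" = yes ]  || { echo "UsePAM must be yes" >&2; rc=1; }
    [ "${kbd:-yes}" = yes ] || { echo "KbdInteractiveAuthentication (or ChallengeResponseAuthentication) must be yes" >&2; rc=1; }
    return "$rc"
}
```

Run it against a real file with `check_otp_fallback < /etc/ssh/sshd_config`; the checker reads only the global section, so anything placed under a Match block is deliberately ignored.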