Ssh – How to set up two-factor authentication with OTP on FreeBSD

freebsdpampasswordSecurityssh

I have a FreeBSD hosted server that I like to be able to get to from anywhere. Normally I use SSH publickey to log in, or if I don't have my SSH private key available then I might use regular password over SSH. However, when logging in from an untrusted machine there's always the risk of a keylogger capturing my password as I type it.

FreeBSD already has support for OPIE which is a one-time password scheme. This works great, but the one-time password is the only authentication needed. If I print out a list of one-time passwords to use later, then if I lose that list then that's all somebody needs.

I'd like to set up the authentication so that I need a one-time password plus something I know (a password, except not my usual login password). I have a feeling the answer has something to do with PAM (and /etc/pam.d/sshd) but I'm not certain on the details.

How can I set up authentication where two methods are required?

Best Answer

Since you want to use a password that is something other than the one for your normal account, try security/pam_pwdfile from the ports tree.
Basically, it allows you to use an alternate file (format: username:crypted_password) to authenticate against.
To use it, put the following line in /etc/pam.d/sshd right before the line for pam_opie:

auth    required    /usr/local/lib/pam_pwdfile.so    pwdfile    /path/to/pwd/file

Related Solutions

Ssh – How to configure SSH so that OTP can be used with ssh-copy-id and then only keypair authorization is accepted

Public key authentication is turned on by default and has higher priority then password authentication (handled by PAM or directly).

You can set up in sshd_config option UsePAM yes (by default on Red Hat), which will defer authentication to PAM -- this is configured in /etc/pam.d/sshd (can differ a bit on some systems).

For OTP you can use google_authenticator, or some other open implementation of one-time passwords. There are many how-to's around here. You can try to search for two-factor authentication, but basically it is adding one line like this

 auth            required        pam_google_authenticator.so

in the /etc/pam.d/sshd and do some configuration: Arch has nice instruction for this: https://wiki.archlinux.org/index.php/Google_Authenticator

Using only one-time passwords, without the second factor can be potential risk if the one-time password or token gets lost -- I recommend you not to go this way and implement rather the two factor authentication than only one-time password.

Ssh – How to allow unauthenticated logins over ssh on FreeBSD

To allow unauthenticated login over SSH using PAM, all of the following must be configured:

The user account must have “no password” set. This is different from “empty password” and can be achieved with
```
pw usermod <user> -w none
```
In sshd_config, the following option must be set before UsePAM is set, otherwise the option is ignored:
```
PermitEmptyPasswords yes
```
In the PAM configuration file for sshd, the pam_unix module in the auth category must be loaded with the nullok option, e. g.
```
auth        required    pam_unix.so     no_warn try_first_pass nullok
```

Best Answer

Related Solutions

Ssh – How to configure SSH so that OTP can be used with ssh-copy-id and then only keypair authorization is accepted

Ssh – How to allow unauthenticated logins over ssh on FreeBSD

Related Question