I have a FreeBSD hosted server that I like to be able to get to from anywhere. Normally I use SSH publickey to log in, or if I don't have my SSH private key available then I might use regular password over SSH. However, when logging in from an untrusted machine there's always the risk of a keylogger capturing my password as I type it.
FreeBSD already has support for OPIE which is a one-time password scheme. This works great, but the one-time password is the only authentication needed. If I print out a list of one-time passwords to use later, then if I lose that list then that's all somebody needs.
I'd like to set up the authentication so that I need a one-time password plus something I know (a password, except not my usual login password). I have a feeling the answer has something to do with PAM (and /etc/pam.d/sshd
) but I'm not certain on the details.
How can I set up authentication where two methods are required?
Best Answer
Since you want to use a password that is something other than the one for your normal account, try
security/pam_pwdfile
from the ports tree.Basically, it allows you to use an alternate file (format:
username:crypted_password
) to authenticate against.To use it, put the following line in
/etc/pam.d/sshd
right before the line forpam_opie
: