Enable Time-based One-Time-Password (TOTP) on terminal logins
Recently I discovered and learned how to configure Time-based One-Time Passwords for local and remote terminal authentication. This is awesome and very useful for sensitive devices.
Installation
apt install libpam-google-authenticator
Compatibility
To list all services that authenticate through PAM, and can therefore use the Google Authenticator module, run the following command:
ls -m /etc/pam.d/
Output:
user@server:~# ls -m /etc/pam.d/
chfn, chpasswd, chsh, common-account, common-auth, common-password, common-session, common-session-noninteractive, cron, login, newusers, other, passwd, runuser, runuser-l, samba, su, su-l, sudo
Configuration
Run Google Authenticator:
google-authenticator
Output:
user@server:~# google-authenticator
Do you want authentication tokens to be time-based (y/n)
Answer y to create TOTP tokens (time-based one-time passwords) or n to create HOTP tokens (counter-based one-time passwords). Choose y.
Output:
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DRIDTERNTUFGXBEWAA6XZSPGGOQ%26issuer%3Dserver
< Displayed QR-Code >
Your new secret key is: RIDTERNTUFGXBEWAA6XZSPGGOQ
Enter code from app (-1 to skip):
Enter the confirmation code from your authenticator app and press Enter to continue.
Output:
Your emergency scratch codes are:
73947498
36703725
55642172
78525989
12348980
Do you want me to update your "/user/.google_authenticator" file? (y/n)
Store the given scratch codes securely! You can use them to access your device even if you lose access to your authenticator app.
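What the authenticator app computes from that secret, and what the PAM module checks against the secret stored in the .google_authenticator file, as an added illustration (this is example code, not part of the original post or of the google-authenticator project): the otpauth URI printed in the transcript above is parsed, its base32 secret decoded, and RFC 6238 TOTP codes are generated and verified with a small clock-skew window. The URI and secret are the ones from the transcript; the window size and all function names are this example's own choices, not the module's defaults.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlsplit

# The otpauth:// URI exactly as google-authenticator printed it above
# (percent-encoded inside the chart URL); secret taken from the transcript.
SAMPLE_URI = unquote(
    "otpauth://totp/user@server%3Fsecret%3DRIDTERNTUFGXBEWAA6XZSPGGOQ%26issuer%3Dserver"
)

def secret_from_otpauth(uri: str) -> bytes:
    """Pull the shared secret out of an otpauth://totp/ URI and base32-decode it."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    secret = parse_qs(parts.query)["secret"][0].upper()
    # otpauth URIs carry unpadded base32; b32decode insists on '=' padding.
    secret += "=" * (-len(secret) % 8)
    return base64.b32decode(secret)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits)

def verify(key: bytes, candidate: str, at: int, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step or up to `window`
    neighbouring steps (phone/server clock skew); reject malformed input outright
    so an empty or short string can never match, and compare in constant time."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    return any(
        hmac.compare_digest(totp(key, at + k * step, step, digits), candidate)
        for k in range(-window, window + 1)
    )

if __name__ == "__main__":
    key = secret_from_otpauth(SAMPLE_URI)
    print("current code for the transcript's secret:", totp(key))
```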
Enable TOTP for SSH logins
Important: If you perform the following configuration via an SSH session, be sure to maintain the existing session and test it with a second session in parallel. If the SSH daemon is misconfigured, you will no longer be able to log in.
Edit /etc/pam.d/sshd
Comment out the @include common-auth line (so the Unix password is not requested in addition to the public key) and add the two Google Authenticator lines below it, as shown. Then save and close the file.
# Standard Un*x authentication.
#@include common-auth
# Google Authenticator
auth required pam_google_authenticator.so
Edit /etc/ssh/sshd_config
In this file, set ChallengeResponseAuthentication to yes. Also check that UsePAM is set to yes and add the AuthenticationMethods line below it. In this example, a login must present a public key and then a one-time password; both are required.
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
Restart the SSH service
systemctl restart sshd.service
Troubleshooting
journalctl -n 100 -u sshd.service
