Using OATH
Install oathtool, libpam-oath (and liboath0)
apt-get install oathtool libpam-oath
Add auth requisite to PAM sshd
root@ssh:~# head /etc/pam.d/sshd # PAM configuration for the Secure Shell service # TOTP auth requisite pam_oath.so usersfile=/etc/users.oath window=5 [...]
Create users.oath file (00 is key example)
HOTP/T30 sunkan - 00
One way to create a key can be
sunkan@ssh:~$ dd if=/dev/urandom count=100 | sha1sum aca3a5c1efd1fbb2414e131fb95916727ac250e1 -
This key can then be added to /etc/users.oath (instead of 00)
The base32 encoding is what is used by clients (like SGAuth in SailfishOS)
root@ssh:~# oathtool --totp aca3a5c1efd1fbb2414e131fb95916727ac250e1 -v Hex secret: aca3a5c1efd1fbb2414e131fb95916727ac250e1 Base32 secret: VSR2LQPP2H53EQKOCMP3SWIWOJ5MEUHB Digits: 6 Window size: 0 Step size (seconds): 30 Start time: 1970-01-01 00:00:00 UTC (0) Current time: 2016-02-06 16:42:22 UTC (1454776942) Counter: 0x2E3F014 (48492564)
More info here
http://www.nongnu.org/oath-toolkit/pam_oath.html
http://www.nongnu.org/oath-toolkit/oathtool.1.html
https://code.google.com/archive/p/mod-authn-otp/wikis/UsersFile.wiki
Using google authenticator
From this link https://www.100tb.com/blog/ssh-two-factor-authentication-with-totp-in-debianubuntu/
Securing your dedicated server or VPS is one of the most important tasks when setting it up.
When securing the Secure SHell (SSH) on your server the options for authentication often come down to a choice between allowing passwords or limiting access to only users authenticating using SSH keys. There are other options though; Linux uses a system called PAM (Pluggable Authentication Modules) in order to allow the addition of extra authentication methods. Using this technology we can add the opportunity to use Time-based One Time Passwords (TOTP) as a secondary authentication method, known as 2-factor authentication.
There are conventionally three factors available for use for authenticating a person: something they know (such as a password), something they have (such as an ID card), and something they are (biometrics such as a fingerprint or retina scan). Requiring two different factors of authentication in order to authenticate is known as 2-factor authentication. In this instance we are going to continue using something they know (a password) and add to it something they have: a TOTP, or Time-based One-time Password Algorithm, token.
So how do these tokens work?
The TOTP method was published in RFC 6238 and as such public for anyone to implement. As such there are key generation apps for most smartphone platforms, an example being FreeOTP by Red Hat, which is available for iOS and Android. When creating a new account on the app an initial key will be provided, which needs to be entered on the app. The app will subsequently create a new authentication code for the user every 30 seconds, and this code will need to be entered at login time to authenticate the user.
To use it on your server you need to install and configure Google Authenticator PAM:
sudo apt-get install libpam-google-authenticator
After installing this, SSH needs to be configured to use it. For this you need to edit the /etc/pam.d/sshd file – in my example I’m using nano, but other editors are available:
sudo nano /etc/pam.d/sshd
You need to add the following line to the start of the file, then save and exit:
auth required pam_google_authenticator.so
After adding that, we now need to tell SSH to use that module, so we will edit the /etc/ssh/sshd_config file:
sudo nano /etc/ssh/sshd_config
Now we need to find the line starting with ChallengeResponseAuthentication and set it to yes:
ChallengeResponseAuthentication yes
After saving and closing that file we are now ready to set up our account to use the TOTP authentication. So get the OTP application ready on your smartphone, as we’ll need that in a minute. Next make sure you are logged in as your user that you wish to use the OTP authentication with (in case you logged in as root to do the configuration) and run the following command:
google-authenticator
You will be asked a few questions, the main one being if you would like the authentication to be time based: we want to say yes. It will then show a QR code that can be scanned with the Google Authenticator app if you use that, along with the secret key that you can type into your OTP app to create the account on there. Next it will ask if you want to update your authenticator file. You want to say yes here or the TOTP authentication won’t be set up.
A few more questions follow, the first of which is whether you want to disallow multiple use of the same authentication token. This means that should a token be used once and you want to immediately log in again, you’ll need to wait the 30 seconds for a new token to be generated. I can’t see many situations where that 30 second wait would be a huge issue so I’d suggest saying yes to that. The next question is if you want to extend the window of validity for codes in order to log in. The default option should be fine here and allows plenty of time to slowly type a code in to use it. The final question is if you want to enable rate limiting to 3 attempts in any 30 second period. This is useful for slowing down brute force attacks against your server, so I’d recommend saying yes to this.
At last – that’s the configuration done. I’d recommend attempting to log into the server now without closing the existing login session, just in case something went wrong. It should now prompt you for your TOTP code when logging in – if it all works fine then you are done. If there was a problem then you can use the existing logged in session to disable TOTP authentication or debug the problem.
Now this is done you will always need the OTP app on your phone in order to access the server via SSH. If you are a regular phone loser/breaker you may want to note down the secret key and put it in a very safe place, such as a piece of paper in your safe or in a password safe on your computer, though recording this does drastically reduce the security given by TOTP against a determined hacker. Note that the TOTP is only required logging in via SSH so if you use IPMI on your server you will be able to gain access with just your password using the console redirection module.