Skip to content

Instantly share code, notes, and snippets.

@andrewlkho

andrewlkho/gist:e9a8c996c4bc1df23cd2

Last active January 21, 2025 15:44
Show Gist options
  • Save andrewlkho/e9a8c996c4bc1df23cd2 to your computer and use it in GitHub Desktop.
Save andrewlkho/e9a8c996c4bc1df23cd2 to your computer and use it in GitHub Desktop.
Download ZIP
How to secure debian with two factor authentication (TOTP/HOTP)
Raw
gistfile1.md

First, install the necesssary packages:

% apt-get install libpam-oath oathtool

Generate a key and write it to /etc/users.oath (NB the key will be in hexadecimal; if you are using Authy you will want to convert it to BASE32):

% KEY=$( head -c 1024 /dev/urandom | openssl sha1 | awk '{ print $2 }' )
% echo "HOTP/T30/6 andrewlkho - ${KEY}" >> /etc/security/users.oath
% chmod 600 /etc/users.oath

Configure use of libpam-oath in /etc/pam.d/sshd (and any other services you wish, such as sudo):

# @include common-auth
auth required pam_unix.so nullok_secure
auth required pam_permit.so
auth required pam_oath.so usersfile=/etc/security/users.oath

Note that we have excluded common-auth because otherwise it would leak information about whether or not the password is correct, as noted here.

Enable PAM in /etc/ssh/sshd_config:

Use PAM yes
ChallengeResponseAuthentication yes

Restart ssh:

% service ssh restart
@azlux
Copy link

azlux commented Jan 21, 2025 

KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive
authentication.  All authentication styles from
login.conf(5) are supported.  The default is yes.  The
argument to this keyword must be yes or no.
ChallengeResponseAuthentication is a deprecated alias for
this.

I think you need a little update

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment