Daniel Jakots <d...@chown.me> writes:
> On Tue, 29 Aug 2023 10:07:18 -0500, "myml...@gmx.com" <myml...@gmx.com>
> wrote:
>
>> Hi All,
>>
>> I want to secure an openssh server with two factor authentication and
>> have seen the hardware token methods, most recently I've been seeing
>> yubi/FIDO methods.
>>
>> Ideally I would like to avoid having to depend on a usb size device
>> that could easily be lost.
>
> Using something based on TOTP (Cf. rfc6238) is probably your best bet
> then.
>
>> I looked around and found mention of google authenticator as an
>> option, phones aren't much bigger than usb sticks but people protect
>> their phone as if it was their soul, but the newest mention I can
>> find is many years old.
>
> AFAIK, google authenticator is simply an app doing the math for TOTP.
> There are multiple basic opensource apps (on both Android and iPhones)
> which can provide you with the right TOTP based on the seed/secret.
>
> And if you don't want to use a phone, you can use oathtool(1) from
> security/oath-toolkit.
> I think some password managers also are able to generate the TOTP.
>
>> My question is there any recent documentation / information on setting
>> up an openssh server with non-hardware based two factor
>> authentication? This does NOT have to be google authenticator, any
>> similar service will suffice.
>
> login_totp(8), login.conf(5), sshd_config(5), and maybe a couple of
> others.
>
> You may also want to look at sysutils/login_oath (which I've been using
> for years), but maybe for new setups, the login_totp from base makes
> more sense.
>

login_totp is in base?