Public-Key -or- Password & Google Authenticator for SSH Login
Solution 1:
It is definitely possible to configure an sshd to require either a valid keypair or use HOTP (new one-time password (OTP) on each request) OATH-based authentication - I'm doing it. I'm fairly sure that Google Authenticator is just another OATH implementation.
My full writeup can be read at http://www.teaparty.net/technotes/yubikey-oath.html, but the upshot is:
Assuming your sshd is already set up to allow public-key based authentication (most are), add these two lines to sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication yes
Install pam_oath (this being the CentOS-oriented way, for x86_64):
yum install pam_oath
ln -s /usr/lib64/security/pam_oath.so /lib64/security/
Make the authentication file /etc/users.oath, mode 600, owner root:root, and populate it with lines like:
#type username pin start seed
HOTP fred - 123a567890123b567890123c567890123d567890
Edit /etc/pam.d/sshd and add the line
auth required pam_oath.so usersfile=/etc/users.oath window=5 digits=8
Skip the digits=8 if you're happy with 6-digit HOTP OATH. I believe a similar method can be used for TOTP OATH (new OTP every n seconds), but I'm using hardware OATH tokens instead of software ones, and they're yubikeys, which only do HOTP OATH.
The only wrinkle is that when you ssh in without presenting a valid key, it asks for the OATH code before the password. I couldn't make it work the other way around, but decided I didn't care all that much; the prompts make it pretty clear which token is being requested.
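To see what the pam_oath line above is actually checking, here is an added example (not from the answer or from the pam_oath project) that implements RFC 4226 HOTP in Python, parses users.oath-style lines in the format shown above, and applies the same look-ahead that window=5 gives the module. It uses the RFC 4226 test secret "12345678901234567890" as a constructed seed, so the resulting codes can be compared against the RFC's published vectors.

```python
import hashlib
import hmac
import struct


def hotp(seed_hex: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (6 or, as in the PAM line, 8)."""
    key = bytes.fromhex(seed_hex)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def parse_users_oath(text: str) -> list:
    """Parse lines like 'HOTP fred - <hexseed>' (type, user, pin, seed).
    A pin of '-' means no PIN; comment lines beginning with '#' are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        otp_type, user, pin, seed = line.split()[:4]
        entries.append({"type": otp_type, "user": user,
                        "pin": None if pin == "-" else pin, "seed": seed})
    return entries


def check_code(seed_hex: str, submitted: str, counter: int,
               window: int = 5, digits: int = 6):
    """Accept `submitted` if it matches any of the next `window` counters,
    mirroring window=5. Returns the matching counter, or None on failure."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(seed_hex, c, digits), submitted):
            return c
    return None


# Constructed sample file using the RFC 4226 test secret (hex of "1234567890" x2).
SAMPLE_USERS_OATH = """#type username pin seed
HOTP fred - 3132333435363738393031323334353637383930
"""

if __name__ == "__main__":
    entry = parse_users_oath(SAMPLE_USERS_OATH)[0]
    for c in range(3):
        print(entry["user"], c, hotp(entry["seed"], c), hotp(entry["seed"], c, 8))
```

A token that has been pressed a few times more than the server counter still works as long as it lands inside the window; one that has drifted past it must be resynchronised.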
Solution 2:
You need to append:
AuthenticationMethods publickey keyboard-interactive
without a comma between publickey and keyboard-interactive to /etc/ssh/sshd_config. All other settings do not have to be altered (as long as the configuration is equal to the given howtogeek tutorial).