Public-Key -or- Password & Google Authenticator for SSH Login

Solution 1:

It is definitely possible to configure an sshd to require either a valid keypair or HOTP (a new one-time password (OTP) on each request) OATH-based authentication - I'm doing it. I'm fairly sure that Google Authenticator is just another OATH implementation.

My full writeup can be read at http://www.teaparty.net/technotes/yubikey-oath.html, but the upshot is:

Assuming your sshd is already set up to allow public-key based authentication (most are), add these two lines to sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication yes 

Install pam_oath (this being the CentOS-oriented way, for x86_64):

yum install pam_oath
ln -s /usr/lib64/security/pam_oath.so /lib64/security/

Make the authentication file /etc/users.oath, mode 600, owner root:root, and populate it with lines like:

#type   username        pin     start seed
HOTP    fred            -       123a567890123b567890123c567890123d567890

Edit /etc/pam.d/sshd and add the line

auth required pam_oath.so usersfile=/etc/users.oath window=5 digits=8 

Skip the digits=8 if you're happy with 6-digit HOTP OATH. I believe a similar method can be used for TOTP OATH (new OTP every n seconds), but I'm using hardware OATH tokens instead of software ones, and they're yubikeys, which only do HOTP OATH.

The only wrinkle is that when you ssh in without presenting a valid key, it asks for the OATH code before the password. I couldn't make it work the other way around, but decided I didn't care all that much; the prompts make it pretty clear which token is being requested.
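As an added example (not part of the answer above, and not code from pam_oath or Google Authenticator), the following Python reproduces what the pieces described above compute: RFC 4226 HOTP from a hex seed of the kind stored in /etc/users.oath, RFC 6238 TOTP built on the same function, the look-ahead check that the window= option performs, and the base32 otpauth:// URI that Google Authenticator imports (the app wants base32, the PAM file stores hex). The seed is the RFC 4226 reference key, the users.oath line is constructed, the HOTP/T30 notation for TOTP entries follows oath-toolkit's usersfile format, and the label fred@example.org is hypothetical.

```python
# Added example: HOTP/TOTP as pam_oath and Google Authenticator compute them,
# plus the counter window check that pam_oath's window= option performs.
import base64
import hashlib
import hmac
import struct
import time

# Constructed test seed: the RFC 4226 reference key, ASCII "12345678901234567890" as hex.
RFC4226_SEED = "3132333435363738393031323334353637383930"

# Constructed /etc/users.oath entry in the 4-column layout (type, username, pin, seed).
SAMPLE_USERS_OATH_LINE = "HOTP    fred            -       " + RFC4226_SEED


def hotp(seed_hex, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = bytes.fromhex(seed_hex)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)       # keep leading zeros


def totp(seed_hex, unix_time=None, step=30, digits=6):
    """RFC 6238: TOTP is HOTP with the counter replaced by floor(time / step)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(seed_hex, int(unix_time // step), digits)


def verify_hotp(seed_hex, submitted, counter, window=5, digits=6):
    """Accept `submitted` if it matches any of the next `window` counters (what
    window=5 in the pam_oath line allows, so a token pressed a few times without
    logging in still works). Returns the counter to store next, or None."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(seed_hex, c, digits), submitted):
            return c + 1           # this and every earlier counter are now burnt
    return None


def parse_users_oath_line(line):
    """Split a users.oath entry into (type, username, pin or None, seed_hex).
    oath-toolkit writes TOTP entries as HOTP/T<step>, e.g. HOTP/T30."""
    fields = line.split()
    if len(fields) != 4 or not fields[0].startswith("HOTP"):
        raise ValueError("unrecognised users.oath line: %r" % line)
    otp_type, user, pin, seed = fields
    bytes.fromhex(seed)            # reject a seed that is not valid hex
    return otp_type, user, None if pin == "-" else pin, seed


def otpauth_uri(otp_type, label, seed_hex, digits=6, counter=0):
    """Build the otpauth:// URI Google Authenticator scans; the secret is base32."""
    secret = base64.b32encode(bytes.fromhex(seed_hex)).decode().rstrip("=")
    if otp_type.startswith("HOTP/T"):
        period = int(otp_type[len("HOTP/T"):])
        return "otpauth://totp/%s?secret=%s&digits=%d&period=%d" % (label, secret, digits, period)
    return "otpauth://hotp/%s?secret=%s&digits=%d&counter=%d" % (label, secret, digits, counter)


if __name__ == "__main__":
    otp_type, user, pin, seed = parse_users_oath_line(SAMPLE_USERS_OATH_LINE)
    # Hypothetical label; the account name shown in the Authenticator app.
    print("enrol %s with: %s" % (user, otpauth_uri(otp_type, user + "@example.org", seed)))
    for c in range(3):
        print("counter %d -> %s (digits=8: %s)" % (c, hotp(seed, c), hotp(seed, c, 8)))
    print("next counter after code for counter 4:", verify_hotp(seed, hotp(seed, 4), 0))
    print("code for counter 5 seen from counter 0, window=5:", verify_hotp(seed, hotp(seed, 5), 0))
```

The window check is the part worth noting operationally: a code is accepted only if it lies within the next five counter values and the stored counter then jumps past it, so replaying a captured code fails even if it was generated a moment ago. The digits=8 in the PAM line corresponds to the `digits` argument here; both ends must agree or every code is rejected.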

Solution 2:

You need to append:

AuthenticationMethods publickey keyboard-interactive

without a comma between publickey and keyboard-interactive to /etc/ssh/sshd_config. No other settings need to be altered (as long as the configuration matches the howtogeek tutorial referred to).