Jon Williams Blog Upcoming More…

2-Factor Authentication for OpenBSD Using Google Authenticator and totp-util

22 April 2016

This post is adapted from my OpenBSD guide in the totp-util wiki.

I recently set up a semi-public OpenBSD box, and thought I could stand to lock down password logins, especially for the root user. A popular system for two-factor authentication is TOTP:

In a typical two-factor authentication application, user authentication proceeds as follows: a user enters username and password into a website or other server, generates a one-time password for the server using TOTP running locally on a smartphone or other device, and types that password into the server as well. The server then also runs TOTP to verify the entered one-time password. For this to work, the clocks of the user’s device and the server need to be roughly synchronized (the server will typically accept one-time passwords generated from timestamps that differ by ±1 time interval from the client’s timestamp). A single secret key, to be used for all subsequent authentication sessions, must have been shared between the server and the user’s device over a secure channel ahead of time. If some more steps are carried out, the user can also authenticate the server using TOTP.

I wrote totp-util to simplify the process of setting up Google Authenticator on UNIX systems.

Install utilities

npm install -g https://github.com/WIZARDISHUNGRY/totp-util 
pkg_add login_oath

User setup

Setup authentication and SSH

# Default allowed authentication styles
auth-defaults:auth=-totp-and-pwd,skey:

Edit /etc/ssh/sshd_config to force SSH logins by root to use both an ssh key and a totp/password.

Match User root
AuthenticationMethods publickey,password

Then run:

/etc/rc.d/sshd restart 
cap_mkdb /etc/login.conf

Now regular users should be able to authenticate with just SSH (or a password plus totp token) but root will need password, ssh and a 2 TOTP token.

Logging in

$ ssh root@machine   
Authenticated with partial success.
user@machine's password: 123456/password
blog comments powered by Disqus