[talk] 2FA on BSD (was Re: Reducing password fatigue on OpenBSD (or any BSD))

N.J. Thomas njt at ayvali.org
Tue Apr 21 10:55:29 EDT 2015


* Sujit K M <sjt.kar at gmail.com> [2015-04-21 17:14:34+0530]:
> > On a slightly tangential note, I started playing with Google
> > Authenticator recently:
> >
> >     https://github.com/google/google-authenticator/
> >
> > It's worked very well so far:
> 
> But how does it plugin to other tools. Would it run over SSH and do
> authentication on
> top of it.

For ssh, it's a PAM module. If you ssh in using a key, then it's
bypassed. But if you ssh in and a password is needed to authenticate, it
will ask for the verification code on top of that.

Observe:

    $ ssh example.org
    Password for user at example.org: [enter password here]
    Verification code: [enter TOTP here]
    Last login: Fri Apr  3 02:12:48 2015 from example.edu
    FreeBSD 10.1-RELEASE-p6 (GENERIC) #0: Tue Feb 24 19:00:21 UTC 2015

    Welcome to FreeBSD!
    [...]

The only difference from a normal ssh session is the addition of that
verification code prompt.

hth,
Thomas



More information about the talk mailing list