An ssh command/ForceCommand like authy-ssh but for OATH [TH]OTP

simmel/oath-ssh-command

oath-ssh-command

Think of this as authy-ssh but for OATH [TH]OTP.
So it works:

  • offline (when you’re cut off from the net but not from the machine you’re SSHing into)
  • without sending any authentication request to an external service.

Currently the only OATH PAM module supported is the Google Authenticator PAM module,
but others are planned (when they arrive). See also WONTFIX.

It also supports using the OTP_TOKEN environment variable for your
token so it can be used with e.g. mosh:

$ export OTP_TOKEN=1337
$ mosh example.com
$

Installation

  1. Build the code:
    $ make
  2. Put it somewhere you want it to be, /usr/local/bin/ is nice.
  3. In your ~/.ssh/authorized_keys add:
    command="/usr/local/bin/oath-ssh-command" ssh-rsa AAAAZOMGLOL[…]== awesome key with OTP
  4. ssh into your machine with that key:
    $ ssh awesome-machine
    Verification code: 1337
    $
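
The flow a forced command of this kind runs through is sketched below as an added example; it is not this project's code. It takes the code from OTP_TOKEN or a prompt, checks it as a TOTP value (RFC 6238) and hands over to the requested command. The function names, the secret-file argument and the last_step replay check (an item still on the TODO list below) are assumptions made for illustration.

```python
import base64, hashlib, hmac, os, struct, sys, time

def totp(secret_b32, counter, digits=6):
    """RFC 6238 TOTP value (HMAC-SHA1) for one time-step counter."""
    padded = secret_b32.strip().upper() + "=" * (-len(secret_b32.strip()) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, token, now, last_step=-1, window=1, step=30):
    """Return the matching time step or None.

    Steps <= last_step are refused, so a caller that stores the returned
    step per user rejects a replayed code.
    """
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        expected = totp(secret_b32, counter).encode()
        if counter > last_step and hmac.compare_digest(expected, token.encode()):
            return counter
    return None

def target_argv(env):
    """Command to hand over to once the code is accepted."""
    shell = env.get("SHELL", "/bin/sh")
    original = env.get("SSH_ORIGINAL_COMMAND")  # set by sshd when a command is forced
    return [shell, "-c", original] if original else [shell, "-l"]

def main(secret_file):
    # Assumption: the first line of secret_file is the base32 secret.
    with open(secret_file) as fh:
        secret = fh.readline()
    token = os.environ.get("OTP_TOKEN") or input("Verification code: ")
    if verify(secret, token.strip(), time.time()) is None:
        sys.exit("Invalid verification code")
    argv = target_argv(os.environ)
    os.execvp(argv[0], argv)

if __name__ == "__main__":
    main(sys.argv[1])
```

The window of one step either side tolerates 30 seconds of clock drift; widening it lengthens the time a captured code stays usable.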

WONTFIX

  • Since pam_oath uses one file per server which is owned by root we can’t support that (because it would force us to setuid or otherwise run as root).

TODO

  • Add tests for:
    • multiple keys and OTP tokens in a hash
  • Fix FIXMEs in the code
  • Support HOTP
  • Support these features from Google Authenticator PAM module, see:
    • Support for emergency scratch codes
    • Protection against replay attacks
    • HOTP
