Think of this as authy-ssh but for OATH [TH]OTP.

So it works:

- offline (when you’re cut off from the net but not from the machine you’re ssh:ing into)
- without sending any authentication request to an external service.

Currently the only OATH PAM module supported is the Google Authenticator PAM module,
but others are planned (when they arrive). See also WONTFIX below.
It also supports using the OTP_TOKEN environment variable for your token, so it can be used with e.g. mosh:

```
$ export OTP_TOKEN=1337
$ mosh example.com
$
```
- Build the code:

  ```
  $ make
  ```

- Put the binary somewhere you want it to be, `/usr/local/bin/` is nice.
- In your `~/.ssh/authorized_keys` add:

  ```
  command="/usr/local/bin/oath-ssh-command" ssh-rsa AAAAZOMGLOL[…]== awesome key with OTP
  ```

- ssh into your machine with that key:

  ```
  $ ssh awesome-machine
  Verification code: 1337
  $
  ```
WONTFIX:

- Since pam_oath uses one file per server which is owned by root, we can’t support it (because it would force us to setuid or otherwise run as root).
TODO:

- Add tests for:
  - multiple keys and OTP-tokens in a hash
- Fix FIXME’s in the code
- Support HOTP
- Support these features from the Google Authenticator PAM module, see:
  - Support for emergency scratch codes
  - Protection against replay attacks
  - HOTP
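The check the forced command has to perform, as an added example (not the project’s own code): an RFC 4226/6238 HOTP/TOTP verifier with a skew window plus the replay guard listed in the TODO above, reading the token from OTP_TOKEN or a prompt and then handing over to the client’s command. It assumes Google Authenticator defaults (SHA-1, 30 s steps, 6 digits), that the first line of `~/.google_authenticator` is the base32 secret, and a constructed state file `~/.oath-ssh-last-step` for the last accepted step.

```python
#!/usr/bin/env python3
"""Hypothetical OTP gate for an authorized_keys forced command (added example)."""
import base64, getpass, hashlib, hmac, os, struct, time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, token: str, now: float, last_step: int,
                window: int = 1, period: int = 30):
    """RFC 6238 TOTP check. Accepts +/- `window` steps of clock skew, but never a
    step at or before `last_step` (the replay guard). Returns the accepted step,
    or None on failure, so the caller can persist it as the new `last_step`."""
    if not token.isdigit():
        return None
    current = int(now) // period
    for step in range(current - window, current + window + 1):
        if step <= last_step:          # already consumed, or older than a consumed code
            continue
        if hmac.compare_digest(hotp(secret, step), token):
            return step
    return None

def load_secret(path: str) -> bytes:
    """Assumption: first line of the file is the base32 secret (Google Authenticator layout)."""
    with open(path) as fh:
        b32 = fh.readline().strip()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True)

def read_token() -> str:
    """OTP_TOKEN env var first (mosh / non-interactive), otherwise prompt on the tty."""
    return (os.environ.get("OTP_TOKEN") or getpass.getpass("Verification code: ")).strip()

if __name__ == "__main__":
    secret = load_secret(os.path.expanduser("~/.google_authenticator"))
    state = os.path.expanduser("~/.oath-ssh-last-step")   # constructed replay-state file
    last = int(open(state).read() or -1) if os.path.exists(state) else -1
    accepted = verify_totp(secret, read_token(), time.time(), last)
    if accepted is None:
        raise SystemExit("Verification failed")
    with open(state, "w") as fh:                           # persist before handing over
        fh.write(str(accepted))
    # Run what the client asked for, or a login shell.
    original = os.environ.get("SSH_ORIGINAL_COMMAND")
    shell = os.environ.get("SHELL", "/bin/sh")
    os.execv(shell, [shell, "-c", original] if original else [shell, "-l"])
```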