ziyan/ssh-otp

ssh-otp

Add one-time password authentication to your SSH server.

user@localhost:~$ ssh server
Enter passphrase for key '/home/user/.ssh/id_rsa': 
One-time password: 123456
Incorrect code. Please try again.

One-time password: 653794
user@server:~$ 

The following instructions are based on Ubuntu, but they can be adapted for other Linux distributions.

Installation

Copy ssh-otp to /usr/local/bin:

sudo mkdir -p /usr/local/bin
sudo cp ssh-otp /usr/local/bin/

Add the following line in your /etc/ssh/sshd_config:

ForceCommand /usr/local/bin/ssh-otp login

And restart sshd:

sudo restart ssh

Enable

Generate a one-time password secret for the current user:

ssh-otp setup

You will need to set up your authenticator using the QR code link, then type in the code displayed on your authenticator to actually enable one-time password authentication on SSH connections.

You can find the configuration file at:

~/.ssh/otp

Disable

To disable OTP for the current user:

ssh-otp reset

Non-interactive commands

To use commands like scp, you need to pass in the one-time password through an OTP environment variable.

In /etc/ssh/sshd_config, add OTP to the list of AcceptEnv:

AcceptEnv OTP

On the client machine, instruct ssh to send the OTP environment variable by adding the following to your ~/.ssh/config:

Host *
    SendEnv OTP

Now set the OTP environment variable before sending the command over ssh:

OTP="123456" scp server:~/.ssh/authorized_key .
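
How a ForceCommand gate of this kind can check a code, as an added sketch that is not ssh-otp's own code: it verifies an RFC 6238 TOTP taken from the OTP environment variable or an interactive prompt, then hands over to the client's requested command. The function names, the 30-second step, the one-step drift window, the replay check and the /bin/sh fallback are assumptions of this example.

```python
import base64, hashlib, hmac, struct

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP code for one counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, code, now, last_counter=-1, step=30, window=1):
    """Return the matching time-step counter, or None.

    Accepts +/- `window` steps of clock drift and refuses any counter that is
    not newer than `last_counter`, so an accepted code cannot be replayed.
    """
    current = int(now) // step
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        expected = hotp(secret_b32, counter).encode()
        # Constant-time comparison; every candidate is checked, no early exit.
        if hmac.compare_digest(expected, code.encode()) and counter > last_counter:
            matched = counter if matched is None else matched
    return matched

def gate(env, secret_b32, now, last_counter=-1, prompt=input):
    """Decide what the forced command should run for this session.

    Returns (argv, counter) when the code is valid, else (None, last_counter).
    """
    # Non-interactive clients (scp) supply the code through AcceptEnv OTP.
    code = env.get("OTP") or prompt("One-time password: ")
    counter = verify_totp(secret_b32, code.strip(), now, last_counter)
    if counter is None:
        return None, last_counter
    # sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.
    original = env.get("SSH_ORIGINAL_COMMAND")
    shell = env.get("SHELL", "/bin/sh")  # assumption: fall back to /bin/sh
    return ([shell, "-c", original] if original else [shell, "-l"]), counter
```

A wrapper built on this would store the returned counter per user and pass it back as last_counter on the next connection, so a code that was accepted once is refused if it is presented again inside the drift window.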
