Using one-time passwords (OTPW) in SSH authentication

One-time passwords/OTPW consists of one-time password generator and PAM-integrated verification routines.

One-time passwords are generated apriori with the generator, given to the user and cryptographic hash of the generated passwords are stored in the host. When a user logs in with a one-time password, OTPW’s PAM module verifies the password, and invalidates it to prevent re-use.

## install (deb/ubuntu)
$ apt-get install otpw-bin libpam-otpw
$ vi /etc/pam.d/sshd
#@include common-auth
auth       required
session    optional

## install (arch)
$ yaourt -S otpw 
$ vi /etc/pam.d/ssh-otpw
auth sufficient
session optional
$ vi /etc/pam.d/sshd
auth      include   ssh-otpw
#auth      include   system-remote-login

## install (el/fedora)
$ yum git gcc pam-devel
$ git clone ; cd optw
$ vi Makefile
$ make ; sudo make install
# disable SELinux
$ vi /etc/selinux/config
$ vi /etc/pam.d/sshd
#auth       substack     password-auth
auth       required
session    optional

## configure sshd
$ vi /etc/ssh/sshd_config
UsePAM yes
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
$ systemctl restart sshd

## generate passwords
# asks for a prefix to user cannot login even if list is public
$ otpw-gen > ~/temporary_password.txt
# print 'otpw_passwords' file; passwords are store in '~/.otpw'

## using
$ ssh user@remote_host
Password INDEX:
# use password in INDEX prefixed with your prefix
# if successful '~/.otpw' is updated to void used password

from otpw@xmodulo and otpw@arch/otpw@ubuntu


How to non-interactive/unattended password login to ssh (using sshpass and ssh_askpass)

  • sshpass@man is a noninteractive ssh password provider. Its an less secure alternative to public key authentication. sshpass only works if the password prompt ends in assword:.
## install
$ apt-get install sshpass | yum install sshpass (EPEL) | pacman -S sshpass

'-p PASSWORD' take password from cli
'-e' take password from SSHPASS env var

# need to disable host key checking
$ sshpass -p PASSWORD ssh -o StrictHostKeyChecking=no user@host

# rsync (and scp) over password ssh
$ SSHPASS=PASSWORD rsync --rsh='sshpass -e ssh -l user' host:path .
$ sshpass -p PASSWORD scp user@host:path .

from sshpass@cyberciti

  • ssh@man using SSH_ASKPASS. If ssh does not have a terminal associated with it but DISPLAY and SSH_ASKPASS are set, it will execute the program specified by SSH_ASKPASS and open an X11 window to read the passphrase.
$ vi
$ export DISPLAY=:0 ; export SSH_ASKPASS=`pwd`/
$ setsid ssh -o StrictHostKeyChecking=no user@host

from ssh password from stdin

How to ssh/putty without password (using public key authentication)

  • ssh-keygen@man authentication key generation, management and conversion
  • ssh-copy-id@man install your public key in a remote machine’s authorized_keys
## 1 - on the client, generates public and private keys in '~/.ssh/id_rsa{.pub,}'
$ ssh-keygen -t rsa
# private should be read-write for owner only
$ chmod 600 ~/.ssh/id_rsa 

# disable user host key database '~/.ssh/known_hosts'
$ cat ~/.ssh/config
StrictHostKeyChecking = no
UserKnownHostsFile = /dev/null

## 2 - private key to 'authorized_keys' and copy public key to the server's .ssh directory
$ cat ~/.ssh/id_rsa >> authorized_keys; scp ~/.ssh/ user@server:/home/user/.ssh
$ ssh-copy-id -i ~/.ssh/ user@server

# optionally disable StrictModes; check file modes and ownership of the users files and home directory before accepting login
$ cat /etc/ssh/sshd_config
StrictModes no
$ service sshd reload

## 3 - now say you what to login from another machine; just copy private key around
$ scp ~/.ssh/id_rsa user@another:~/.ssh/id_rsa

from using ssh-copy-id for ssh without password

#1 - generate public/private keys using a passphrase with puttygen
#2 - copy/paste public key and append it to server's '.ssh/authorized_keys'
#3 - add private key file to pagent

from Public Key Authentication With PuTTY

Also, add this to {/root,/etc/skel}/.bashrc to refrain from outputting anything in non interactive shells (scp/ssh).
We could use (pseudo-tty) -t on ssh but scp doesn’t have this option.

# This file is sourced by all *interactive* bash shells on startup,
# including some apparently interactive shells such as scp and rcp
# that can't tolerate any output.  So make sure this doesn't display
# anything or bad things will happen !

# Test for an interactive shell.  There is no need to set anything
# past this point for scp and rcp, and it's important to refrain from
# outputting anything in those cases.
if [[ $- != *i* ]] ; then
        # Shell is non-interactive.  Be done now!

from testing for interative terminal in .bashrc, bash_profile vs bashrc and Zsh/Bash startup files loading order (.bashrc, .zshrc etc.)

If you really dont want to use public key authentication and prefer user/password then try putty’s fork kitty, which supports sending password automatically

## install using
$(comspec) cinst kitty

How to mount a remote directory over ssh on Linux

sshfs is a filesystem client based on ssh, with a FUSE implementation.

# install
$ sudo apt-get install sshfs | sudo yum install sshfs (EPEL)
$ sudo usermod -a -G fuse <user_name>

# mount remote directory, asking for user and password
$ sshfs my_user@remote_host:/path/to/directory <local_mount_point>
# unmount
$ fusermount -u <local_mount_point>

# mount on boot
$ cat /etc/fstab
sshfs#my_user@remote_host:/path/to/directory <local_mount_point> fuse user 0 0

from How to mount a remote directory over ssh on Linux

How to use two factor Google authenticator (TOTP) in SSH and GDM logins

Google’s two factor adds a time-based one time token/password algorithm TOTP – Time-base One-Time Password OTP to the regular username+password authentication.

  • Client-side apps: install Android or any of the other apps.

  • Server-side install

# using pre-compiled binaries from repos
$ apt-get install libpam-google-authenticator
$ yum install google-authenticator (needs EPEL)
# alternatively, to compile see

# generate authentication key, answer yes
$ google-authenticator
# you will see a secret key and it's QR code, enter enther on your client-side app

# enable google authenticator on sshd
$ cat /etc/pam.d/sshd
auth required
$ cat /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
$ service ssh restart | systemctl restart sshd

# enable google authenticator on gdm
$ cat /etc/pam.d/gdm-password
auth required

from How to set up two-factor authentication for SSH login on Linux and Secure Your Linux Desktop and SSH Login Using Two Factor Google Authenticator.

freeotp is a two-factor authentication client using one-time password protocols, from Red Hat. Supports Android and iOS. Implements ​HOTP and ​TOTP.

Since any standards-compliant HOTP or TOTP server should work with FreeOTP, there is no absolute need for the project to produce its own server-side code. See Using OTP Tokens and 2FA with FreeIPA 4.0.