How do I configure SSH so that OTP can be used with ssh-copy-id and then only keypair authorization is accepted?

Is there a way to tell the SSH daemon, "when a remote device attempts to connect via SSH, verify against authorized_keys, but if there is no key offered, accept a one-time password so the user can use ssh-copy-id to provide it for subsequent attempts"?



context:
I would like to be able to set up a linux server so that a user can SSH into the box, but I want to use RSA keypairs for authentication. I also have several devices that I want to be able to connect from, so that means providing multiple key-pairs (not a problem).



Essentially, I want to add entries to authorized_keys using OTP and ssh-copy-id, from a device that currently would be denied access (because it hasn't presented a public key yet). I currently have to SSH in from a machine that can connect, edit the sshd_config file to allow passwords, then copy over the id with a static password, turn password authentication off and reboot the daemon. I would prefer a way to get an OTP from the system and then just use that and keep working...










edited Jan 13 at 22:00 by Rui F Ribeiro

asked Jul 29 '15 at 17:35 by kvorak












  • You might want to write a PAM module for SSH that gets run if key auth fails. PAM is generally how you configure alternative auth mechanisms; that having been said, I don't know if there's already a better way out there, so I'm not giving that as an answer.

    – Parthian Shot
    Jul 29 '15 at 18:11


















1 Answer
Public key authentication is turned on by default and has higher priority than password authentication (handled by PAM or directly).



You can set the option UsePAM yes in sshd_config (the default on Red Hat), which will defer authentication to PAM -- this is configured in /etc/pam.d/sshd (can differ a bit on some systems).



For OTP you can use google_authenticator, or some other open implementation of one-time passwords. There are many how-tos around here. You can try to search for two-factor authentication, but basically it is adding one line like this



 auth required pam_google_authenticator.so


in /etc/pam.d/sshd and doing some configuration: Arch has nice instructions for this: https://wiki.archlinux.org/index.php/Google_Authenticator



Using only one-time passwords, without the second factor, can be a potential risk if the one-time password or token gets lost -- I recommend that you not go this way and rather implement two-factor authentication than only one-time passwords.






answered Jul 29 '15 at 19:13 by Jakuje
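Added example, not code from the question or the answer above: the sshd_config and /etc/pam.d/sshd fragments that implement what the answer recommends (a key alone is accepted when one is authorized; otherwise the PAM stack asks for the system password and a TOTP code), plus a small checker for the sshd_config settings the arrangement depends on. Assumptions: the fragments are meant for /etc/ssh/sshd_config and /etc/pam.d/sshd, the checker only understands the "keyword value" form in the global section of sshd_config (it stops at the first Match block), and the temporary file used by the stand-alone run is created with mktemp.

```shell
#!/bin/sh
# Added example (not from the question or the answer): config fragments for
# "key if authorized, else password AND TOTP via PAM", and a checker for the
# sshd_config settings that make the fallback work. Only the "keyword value"
# syntax in the global section is handled (assumption: no Match block applies).

# Lines for the TOP of /etc/ssh/sshd_config. sshd uses the first value it sees
# for a keyword, so these must precede any existing duplicates of them.
sshd_fragment() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
# OpenSSH 8.7+ spells this KbdInteractiveAuthentication; the old name still works.
ChallengeResponseAuthentication yes
UsePAM yes
# Alternatives are space-separated: a bare key is sufficient, otherwise the
# keyboard-interactive (PAM) stack, which below means password AND TOTP.
AuthenticationMethods publickey keyboard-interactive:pam
EOF
}

# "auth" lines for /etc/pam.d/sshd: system password first, then the TOTP module.
# Where the sshd PAM file already pulls in the password stack (Debian's
# "@include common-auth", Red Hat's password-auth) add only the second line.
# Each user must have run google-authenticator once so ~/.google_authenticator exists.
pam_fragment() {
    cat <<'EOF'
auth required pam_unix.so
auth required pam_google_authenticator.so
EOF
}

# effective_value FILE KEYWORD: print the value sshd would use, i.e. the first
# match in the global section. Keywords are case-insensitive, a Match line ends
# the global section, comments and blank lines are skipped.
effective_value() {
    awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match"      { exit }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key          { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# check_sshd FILE: return 0 if FILE enforces the policy above, 1 otherwise,
# printing one FAIL line per deviation.
check_sshd() {
    f=$1
    rc=0
    for pair in pubkeyauthentication=yes passwordauthentication=no \
                challengeresponseauthentication=yes usepam=yes; do
        k=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$f" "$k" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "FAIL: $k is '${got:-unset}', want '$want'"
            rc=1
        fi
    done
    methods=$(effective_value "$f" AuthenticationMethods)
    # A bare "publickey" alternative must exist; without it a key alone never
    # logs in and the "only keypair authorization" end state is unreachable.
    case " $methods " in
        *" publickey "*) ;;
        *) echo "FAIL: AuthenticationMethods '${methods:-unset}' has no bare publickey alternative"
           rc=1 ;;
    esac
    return $rc
}

# Stand-alone run: render the sshd fragment into a scratch file, check it,
# then print the PAM lines.
tmp=$(mktemp)
sshd_fragment > "$tmp"
check_sshd "$tmp" && echo "sshd fragment OK"
rm -f "$tmp"
pam_fragment
```

With the fragments installed, validate and reload as root (`sshd -t -f /etc/ssh/sshd_config`, then reload sshd) while keeping an existing session open. From a device that has no authorized key, `ssh-copy-id user@host` is answered by the PAM stack (password, then verification code), after which plain `ssh` from that device satisfies the `publickey` alternative and PAM is never consulted. To close the OTP door later, set `AuthenticationMethods publickey` and `ChallengeResponseAuthentication no`, run `sshd -t` again and reload; nothing about the already-copied keys changes.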


























