Don't use a password. Generate a passphrase-less SSH key and push it to your VM.
If you already have an SSH key, you can skip this step…
Just hit Enter for the key and both passphrases:
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
Copy your keys to the target server:
$ ssh-copy-id id@server
id@server's password:
Now try logging into the machine, with ssh 'id@server', and check-in:
.ssh/authorized_keys
Note: If you don't have .ssh dir and authorized_keys file, you need to create it first
to make sure we haven’t added extra keys that you weren’t expecting.
Finally, check to log in…
$ ssh id@server
id@server:~$
You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.
Have got it working well, first did:
apt-get install libpam-google-authenticator
In /etc/pam.d/sshd I have changed/added the following lines (at the top):
# @include common-auth
auth required pam_google_authenticator.so
And in /etc/ssh/sshd_config:
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
Works well and I now receive a "Verification code" prompt after authentication with public key. I am not sure how I would allow authentication with password+token OR key+token, as I have now effectively removed the password authentication method from PAM.
Using Ubuntu 14.04.1 LTS (GNU/Linux 3.8.0-19-generic x86_64) with ssh -v : OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014
Best Answer
It is definitely possible to configure an
sshdto require either a valid keypair or use HOTP (new one-time password (OTP) on each request) OATH-based authentication - I'm doing it. I'm fairly sure that Google Authenticator is just another OATH implementation.My full writeup can be read at http://www.teaparty.net/technotes/yubikey-oath.html, but the upshot is:
Assuming your
sshdis already set up to allow public-key based authentication (most are), add these two lines tosshd_config:Install
pam_auth(this being the CentOS-oriented way, for x86_64):Make the authentication file
/etc/users.oath, mode600, ownerroot:root, and populate it with lines like:Edit
/etc/pam.d/sshdand add the lineSkip the
digits=8if you're happy with 6-digit HOTP OATH. I believe a similar method can be used for TOTP OATH (new OTP every n seconds), but I'm using hardware OATH tokens instead of software ones, and they're yubikeys, which only do HOTP OATH.The only wrinkle is that when you ssh in without presenting a valid key, it asks for the OATH code before the password. I couldn't make it work the other way around, but decided I didn't care all that much; the prompts make it pretty clear which token is being requested.