I have found numerous tutorials on how to enable 2FA (TOTP, RFC 6238) but is there also a way to force SSH users to configure it on the first login? (I am using OpenSSH server)
I guess I could create a script that runs every time and checks whether a .google_authenticator for the particular user exists and, if not, runs google-authenticator until it does and then edits /etc/pam.d/sshd (uh-oh), and otherwise runs the default shell/command… but there are perhaps many unforeseen edge cases and possibilities for breaking SSH login.
So before I possibly re-invent the wheel, and do so haphazardly, does an existing solution already exist?
I would have assumed that it does since it's the norm for user-facing software, e.g. Gitlab and Gsuite come to mind, where you can force users to configure 2FA on the next login.
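The first-login gate sketched in the question, written out as an added example; this is not code from the question or from any answer. It assumes the `google-authenticator` enrollment tool from libpam-google-authenticator is installed, that the script is installed as `/usr/local/sbin/totp-enroll-gate` and wired in with `ForceCommand /usr/local/sbin/totp-enroll-gate` in sshd_config (both the path and the use of ForceCommand are this example's choices), and that pam_google_authenticator is configured with `nullok` so a not-yet-enrolled user can get through PAM to reach the gate at all. Without `nullok`, the unenrolled user is rejected before this script ever runs; with it, the gate is what stands between an unenrolled user and a shell, which is why it refuses to hand over a shell until a valid secret file exists.

```shell
#!/bin/sh
# totp-enroll-gate: force TOTP enrollment on the first SSH login.
# Added example, not from the original post. Assumes google-authenticator
# (libpam-google-authenticator) is installed and that sshd runs this script
# via ForceCommand, so the user's requested command is in SSH_ORIGINAL_COMMAND.

TOTP_SECRET_FILE="${TOTP_SECRET_FILE:-$HOME/.google_authenticator}"

# Returns 0 (true) when the user still needs to enrol: the secret file is
# missing, empty, or its first line is not a base32 secret as written by
# google-authenticator (uppercase A-Z and 2-7, at least 16 characters).
needs_totp_enrollment() {
    f="$1"
    [ -s "$f" ] || return 0
    head -n 1 "$f" | grep -Eq '^[A-Z2-7]{16,}$' && return 1
    return 0
}

# Runs the interactive enrollment. Flags: -t time-based, -d disallow token
# reuse, -f write without prompting, -r/-R rate limit (3 logins per 30 s),
# -W allow one time-step of clock skew, -s write to this secret file.
run_totp_enrollment() {
    f="$1"
    # Enrollment shows a QR code and asks questions; it needs a terminal.
    if [ ! -t 0 ]; then
        echo "TOTP enrollment required; log in interactively first (no tty)." >&2
        return 1
    fi
    google-authenticator -t -d -f -r 3 -R 30 -W -s "$f"
}

main() {
    if needs_totp_enrollment "$TOTP_SECRET_FILE"; then
        echo "Two-factor authentication is required for this account; enrolling now." >&2
        run_totp_enrollment "$TOTP_SECRET_FILE" || exit 1
        # Never hand over a shell unless a usable secret was actually written.
        if needs_totp_enrollment "$TOTP_SECRET_FILE"; then
            echo "No valid TOTP secret was created; refusing login." >&2
            exit 1
        fi
        chmod 600 "$TOTP_SECRET_FILE"
    fi
    # Hand over to what the user originally asked for, or a login shell.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
    fi
    exec "${SHELL:-/bin/sh}" -l
}

# Only run the gate when executed under its installed name, so the functions
# can also be sourced (e.g. from a profile script) without side effects.
case "${0##*/}" in
    totp-enroll-gate) main "$@" ;;
esac
```

Note that the gate fails closed: if enrollment is aborted, or the session has no tty (scp, sftp, a non-interactive command), the user is told to log in interactively and the connection ends rather than falling through to a shell. Once every user has a secret file, `nullok` can be dropped from the PAM line so that the second factor is enforced by PAM itself and no longer depends on this wrapper.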
I am not sure if someone has already written a general-purpose script for this, because these things are sometimes specific to the requirement.
What I can suggest is to use the env files (.bashrc, .bash_profile, etc.) to alter your ssh/2FA etc. file.
The anatomy of the script will be like below: