I have a FreeBSD server that I like to be able to get to from anywhere. Normally I use SSH publickey to log in, or if I don't have my SSH private key available then I might use regular password over SSH. However, when logging in from an untrusted machine there's always the risk of a keylogger capturing my login password as I type it.
FreeBSD already has support for OPIE which is a one-time password scheme. This works great, but the one-time password is the only authentication needed. If I print out a list of one-time passwords to use later, then if I lose that list then that's all somebody needs.
I'd like to set up the authentication so that I need a one-time password plus something I know (a password, except not my usual login password). I have a feeling the answer has something to do with PAM (and /etc/pam.d/sshd) but I'm not certain on the details.
How can I set up authentication where two methods are required?
google authenticator maybe? I have my OpenSolaris box asking first for normal login password, then the TOTP verification code. Something like this: http://www.marzocchi.net/Olafsen/Software/Two-FactorAuthentication
To do this you have to stack the normal ’ssh_auth’ module with the ‘pam_opie‘ module using the ‘required‘ control flag.