I have found numerous tutorials on how to enable 2FA (TOTP, RFC 6238) but is there also a way to force SSH users to configure it on the first login? (I am using OpenSSH server)

I guess I could create a script that runs everytime and checks whether a .google_authenticator for the particular user exists and if not then runs google-authenticator until it does and then edits /etc/pam.d/sshd (uh-oh), and otherwise runs the default shell/command… but there are perhaps many unforeseen edge cases and possibilities for breaking SSH login.

So before I possibly re-invent the wheel, and do so haphazardly, does an existing solution already exist?

I would have assumed that it does since it's the norm for user-facing software, e.g. Gitlab and Gsuite come to mind, where you can force users to configure 2FA on the next login.

phk

1 Answer

I am not sure if someone has already written a script for general purpose use, because these things are sometimes specific to the requirement.

What I can suggest is to use env files (.bashrc, .bash_profile etc.) to alter your ssh/2FA etc. file.

The anatomy of the script will be like below:

if [ -s "$HOME/.google_authenticator" ]; then
    :   # 2FA file found: continue with the normal login
else
    # set up 2FA and exit so that the next login is challenged
    google-authenticator
    exit
fi
asktyagi
  • Wouldn't one be able to just overwrite the script or break out of it? – fuero Feb 14 '22 at 06:50
  • No one can if it is handled properly; just as a hint, trap the exit signal in the script so no one can break out. Also, the above can't handle scale; using an IaaS tool is recommended. – asktyagi Feb 14 '22 at 07:07
  • Hm… you could do `ssh [target] bash --noprofile --norc` (or similar) unless `ForceCommand` or `command=` inside `authorized_keys` is used. But then, the setup itself is not meant as a security feature. Also this way, it would not break `scp` or `sshfs`. But on the other hand I would want to protect those `ssh` accounts used for non-interactive stuff as well… the more I think about it, the harder this problem appears. Anyway, thank you. – phk Feb 14 '22 at 18:05
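The following is an added example and is not code from the question, the answer, or the comments. It puts the check the question and the answer both sketch (does `~/.google_authenticator` exist, and if not run `google-authenticator` and end the session) into a wrapper that is run from `ForceCommand`, which the last comment identifies as what stops a user from skipping login files with `bash --noprofile --norc`. It assumes an `sshd_config` line `ForceCommand /usr/local/sbin/enforce-2fa`, that `pam_google_authenticator.so` is configured in `/etc/pam.d/sshd` with `nullok` (so users without a state file can still get in to enrol), and that the script is installed under the name `enforce-2fa`; the file name, the path and the `google-authenticator` options chosen are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the question or the answer): a ForceCommand wrapper
# that lets a user in only once a TOTP state file exists, and otherwise turns
# the first interactive login into an enrolment session.
# Assumed sshd_config entry:   ForceCommand /usr/local/sbin/enforce-2fa
# Assumed /etc/pam.d/sshd entry: auth required pam_google_authenticator.so nullok
# (nullok admits users with no state file; this wrapper is what makes them enrol
#  before they get a shell, scp or any remote command.)

TOTP_FILE=".google_authenticator"   # state file written by google-authenticator

# Return 0 when the user's TOTP state file exists and is non-empty.
# The home directory is an argument so the check can be exercised offline.
twofa_enrolled() {
    [ -s "$1/$TOTP_FILE" ]
}

# Return 0 only when enrolment can be offered: no forced remote command
# ($1 = value of SSH_ORIGINAL_COMMAND) and a terminal on stdin ($2 = "tty").
# scp, sftp and `ssh host cmd` sessions would otherwise hang on the prompts.
enrol_possible() {
    [ -z "$1" ] && [ "$2" = "tty" ]
}

main() {
    shell="${SHELL:-/bin/sh}"
    if twofa_enrolled "$HOME"; then
        # Already enrolled: run the requested command, or a login shell.
        # Because sshd runs this via ForceCommand, --norc/--noprofile tricks
        # never bypass the check; only the command after the check is theirs.
        if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
            exec "$shell" -c "$SSH_ORIGINAL_COMMAND"
        fi
        exec "$shell" -l
    fi

    if [ -t 0 ]; then tty=tty; else tty=notty; fi
    if ! enrol_possible "${SSH_ORIGINAL_COMMAND:-}" "$tty"; then
        echo "2FA is not configured for this account; connect interactively to enrol." >&2
        exit 1
    fi

    # Interactive first login with no state file: enrol, then end the session.
    trap '' INT QUIT TSTP   # Ctrl-C / Ctrl-Z must not drop the user into a shell
    echo "Two-factor authentication must be configured before first use."
    google-authenticator -t -d -f -r 3 -R 30 -w 3 || exit 1
    echo "Enrolment complete. Reconnect and log in with a code from your app."
    exit 0
}

# Only act when invoked under the installed name (assumed: enforce-2fa);
# sourcing or running the file under another name just defines the functions.
case "$0" in
    */enforce-2fa|enforce-2fa) main ;;
esac
```

Two caveats a practitioner will hit: the refusal branch is what keeps `scp`, `sshfs` and `ssh host cmd` from hanging on the enrolment prompts for a not-yet-enrolled account (they fail with a clear message instead), and the enrolled branch only works for the sftp subsystem when `Subsystem sftp` points at an executable such as `sftp-server`, because `internal-sftp` is not a program a wrapper can `exec`. The `trap` line is the "trap the exit signal" hint from the comments: with `INT`, `QUIT` and `TSTP` ignored, interrupting `google-authenticator` ends the session rather than leaving the user at a prompt.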