Automating SSH 2-FA prompt


Tags: OpenSSH, 2-FA, google-authenticator, TOTP

If you’re one of those folks who use 2-FA (TOTP + public key authentication) with their SSH servers, and are now annoyed by the inconvenience of finding your 2-FA device every time you log in to a host, then I have a solution which in practice allows you to automate the login process without bypassing 2-FA, therefore rendering it slightly useless 😉.

  1. Store TOTP authentication credentials in password-store with the help of pass-otp.

  2. Make sure you have setsid (or ssid in FreeBSD, from sysutils/ssid port) command.

  3. Create a script (say, $HOME/bin/) which prompts for the password:

    #!/bin/sh
    exec pass otp totp/
  4. Make sure the host is configured in your ssh_config(5) with the ControlMaster setting. I enable ControlMaster for all SSH sessions, so I don’t need an explicit configuration of this setting for every server I log in to:

    Host *
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p
  5. Now open an SSH connection in the background to your host:

    % ssid env SSH_ASKPASS=$HOME/bin/ ssh -Nf -l root
    Authenticated with partial success.
    gpg: Warning: using insecure memory!


    The connection in the background is needed because we’re using the SSH_ASKPASS feature of OpenSSH, which only gets triggered when the ssh process is detached from the terminal. Now open another ssh session on top of this already established connection:

    % ssh -l root
    Last login: Sun Feb 30 42:42:42 2042 from [~] $

    No more password prompts. w00t! 😃

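The steps above, folded into one helper script as an added example (not the post’s own script): the askpass part dispatches on the prompt text so it only answers the TOTP prompt and refuses host-key and passphrase prompts, and the wrapper starts the background ControlMaster with setsid/ssid. It assumes pass-otp entries are stored under totp/<host>; the names ssh-totp-askpass, ASKPASS_HOST and OTP_CMD are mine.

```shell
#!/bin/sh
# ssh-totp-askpass: added example, not the post's own script. An SSH_ASKPASS
# helper that answers only the TOTP prompt, plus a wrapper that starts the
# background ControlMaster with it. Assumes pass-otp entries under totp/<host>.
# ssh(1) runs $SSH_ASKPASS with the prompt text as its single argument whenever
# it needs input and has no tty; that also covers host-key confirmations and key
# passphrase prompts, so dispatch on the prompt instead of printing a code for
# everything. OTP_CMD is overridable so the dispatch can be tested without pass.
: "${OTP_CMD:=pass otp}"

# answer_prompt PROMPT HOST: print the answer, or return 1 for prompts this
# helper must never answer unattended.
answer_prompt() {
    case $1 in
        *"Verification code"*)   # pam_google_authenticator's TOTP prompt
            $OTP_CMD "totp/$2" ;;
        *"continue connecting"*) # unknown or changed host key: refuse
            printf 'no\n' ;;
        *)                       # passphrases, passwords, anything else: fail
            return 1 ;;
    esac
}

# detach_cmd: setsid on Linux, ssid on FreeBSD (sysutils/ssid). ssh only
# consults SSH_ASKPASS when it has no controlling terminal.
detach_cmd() {
    if command -v setsid >/dev/null 2>&1; then echo setsid
    elif command -v ssid >/dev/null 2>&1; then echo ssid
    else return 1
    fi
}

# start_master USER HOST: open the background master; ssh_config must already
# set ControlMaster/ControlPath for HOST, so later "ssh -l USER HOST" reuses it.
start_master() {
    detach=$(detach_cmd) || { echo "need setsid or ssid" >&2; return 1; }
    self="$(cd "$(dirname "$0")" && pwd)/$(basename "$0")"
    # SSH_ASKPASS_REQUIRE=force (OpenSSH 8.4+) uses the helper even without
    # DISPLAY; older versions additionally need DISPLAY set to any value.
    "$detach" env SSH_ASKPASS="$self" SSH_ASKPASS_REQUIRE=force \
        ASKPASS_HOST="$2" ssh -Nf -l "$1" "$2"
}

# Run by ssh as SSH_ASKPASS ($1 = prompt, ASKPASS_HOST set by start_master),
# or by the user as: ssh-totp-askpass start USER HOST
if [ -n "${ASKPASS_HOST:-}" ] && [ $# -eq 1 ]; then
    answer_prompt "$1" "$ASKPASS_HOST"
elif [ "${1:-}" = start ]; then
    start_master "$2" "$3"
fi
```

Install it executable, run `ssh-totp-askpass start root <host>` once, and subsequent `ssh -l root <host>` calls ride the master connection.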

P.S. Those who would give up essential security, to purchase a little temporary convenience, deserve neither convenience nor security. 😛