Automating SSH 2-FA prompt

Tags: OpenSSH, 2-FA, google-authenticator, TOTP

If you’re one of those folks who use 2-FA (TOTP + public key authentication) with their ssh servers, and are now annoyed by the inconvenience of finding your 2-FA device every time you log in to a host, then I have a solution which in practice allows you to automate the login process without bypassing 2-FA, therefore rendering it slightly useless 😉.

  1. Store TOTP authentication credentials in password-store with the help of pass-otp.

  2. Make sure you have setsid (or ssid in FreeBSD, from sysutils/ssid port) command.

  3. Create a script (say, $HOME/bin/otp-server.sh) which outputs the current TOTP code; ssh will run it in place of the interactive prompt (pass itself will ask for your GPG passphrase through pinentry if it is not cached):

    #!/bin/sh
    # OpenSSH runs this with the prompt text as $1; it is ignored here.
    # pass-otp prints the current TOTP code for the entry to stdout.
    exec pass otp totp/example.com/root
  4. Make sure your SSH client is configured in ssh_config(5) with the ControlMaster setting. I enable ControlMaster for all SSH sessions, so I don’t need an explicit configuration of this setting for every server I log in to:

    Host *
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p

    One caveat: ssh_config(5) recommends that the ControlPath be placed in a directory that is not writable by other users, and /tmp is world-writable, so on a multi-user host a path such as ~/.ssh/cm/%r@%h:%p (with ~/.ssh/cm created mode 0700) is the safer choice.
  5. Now open an SSH connection to your host in the background:

    % ssid env SSH_ASKPASS=$HOME/bin/otp-server.sh ssh -Nf -l root example.com
    Authenticated with partial success.
    gpg: Warning: using insecure memory!

    (On Linux the command is setsid rather than ssid.) The background connection is needed because we’re using the SSH_ASKPASS feature of OpenSSH, which only gets triggered when the ssh process has no controlling terminal; on OpenSSH releases before 8.4 the DISPLAY environment variable must also be set, and from 8.4 on you can set SSH_ASKPASS_REQUIRE=force to make ssh use the askpass program unconditionally. “Authenticated with partial success” is ssh reporting that the public key was accepted and a further method (the TOTP code, supplied by the script) was still required. Now open another ssh session on top of this already established connection:

    % ssh -l root example.com
    Last login: Sun Feb 30 42:42:42 2042 from 224.0.0.1
    abbe@example.com [~] $
    

    No more password prompts. w00t! 😃
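Putting the five steps together, here is a wrapper that starts the master connection on first use and reuses it afterwards. It is an added example written for this page, not the author’s script and not part of OpenSSH, pass or pass-otp. It assumes the pass-otp entry is named totp/<host>/<user> (the post’s totp/example.com/root layout), that setsid(1) is on the PATH (set SSH2FA_SETSID=ssid on FreeBSD), OpenSSH 8.4 or newer for SSH_ASKPASS_REQUIRE=force (older releases need DISPLAY set and rely on the missing controlling terminal alone), and a private socket directory, ~/.ssh/cm by default; the SSH2FA_* variable names are made up for the example. Two things the one-liner above does not do: the askpass hook answers only the “Verification code” prompt, so a key-passphrase prompt never receives a TOTP code, and the socket directory is refused unless it is owned by you and not writable by others, which is what ssh_config(5) asks for.

```shell
#!/bin/sh
# ssh-2fa.sh: reuse or start a ControlMaster session to USER@HOST, answering the
# TOTP prompt from pass-otp via SSH_ASKPASS, then run ssh over that master.
# Added example for this post, not the author's script. Assumptions:
#   - the pass-otp entry is named totp/<host>/<user> (hypothetical layout,
#     matching the post's totp/example.com/root);
#   - setsid(1) is available (on FreeBSD: SSH2FA_SETSID=ssid);
#   - OpenSSH 8.4+ for SSH_ASKPASS_REQUIRE=force (older releases need a
#     non-empty DISPLAY instead and still require no controlling terminal);
#   - control sockets live in a private directory, default ~/.ssh/cm.
#
# Usage:  ssh-2fa.sh user@host [ssh args...]
#   e.g.  ssh-2fa.sh root@example.com            # interactive shell
#         ssh-2fa.sh root@example.com uptime     # one command over the master

set -eu

CM_DIR=${SSH2FA_CM_DIR:-${HOME:-.}/.ssh/cm}
SETSID=${SSH2FA_SETSID:-setsid}

# control_dir_ok DIR: succeed only if DIR exists, is owned by us and is neither
# group- nor world-writable. Anyone who can write the socket directory could
# plant a socket and have our later ssh invocations talk to their process.
control_dir_ok() {
    [ -d "$1" ] && [ -O "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)    # e.g. drwx------
    case $perms in
        ?????w*)    return 1 ;;           # group write bit set
        ????????w?) return 1 ;;           # other write bit set
    esac
    return 0
}

# otp_code ENTRY: print the current TOTP code for a pass-otp entry.
otp_code() {
    pass otp "$1"
}

# askpass_handler PROMPT: what OpenSSH runs in place of the terminal prompt,
# with the prompt text as $1. Answer only the verification-code prompt (the
# wording used by the google-authenticator PAM module); refuse anything else,
# so a key passphrase or host-key question never silently receives a TOTP code.
askpass_handler() {
    case $1 in
        *"Verification code"*) otp_code "${SSH2FA_ENTRY:?SSH2FA_ENTRY not set}" ;;
        *) echo "ssh-2fa: refusing to answer prompt: $1" >&2; return 1 ;;
    esac
}

# master_up SOCK TARGET: true if a ControlMaster is listening on SOCK.
master_up() {
    ssh -S "$1" -O check "$2" >/dev/null 2>&1
}

main() {
    target=$1; shift
    case $target in
        *@*) user=${target%%@*}; host=${target#*@} ;;
        *)   echo "usage: $0 user@host [ssh args...]" >&2; exit 2 ;;
    esac
    case $0 in /*) self=$0 ;; *) self=$PWD/$0 ;; esac   # ssh execs this path
    [ -x "$self" ] || { echo "ssh-2fa: $self must be executable" >&2; exit 1; }

    mkdir -p "$CM_DIR"
    chmod 700 "$CM_DIR"
    control_dir_ok "$CM_DIR" || { echo "ssh-2fa: $CM_DIR is not a private directory" >&2; exit 1; }
    sock=$CM_DIR/$target

    if ! master_up "$sock" "$target"; then
        # Start the master detached from the terminal (setsid) so ssh cannot
        # read the TOTP code from a tty and runs SSH_ASKPASS instead. This
        # script is its own askpass program: re-entered with SSH2FA_ASKPASS=1.
        # -M: be the master; -N: no remote command; -f: background after auth.
        SSH2FA_ASKPASS=1 SSH2FA_ENTRY="totp/$host/$user" \
        SSH_ASKPASS=$self SSH_ASKPASS_REQUIRE=force \
            "$SETSID" ssh -M -S "$sock" -Nf "$target"
        # -f returns once the remote end accepts the authentication; poll
        # briefly rather than assuming the socket is already usable.
        i=0
        until master_up "$sock" "$target"; do
            i=$((i + 1))
            [ "$i" -lt 30 ] || { echo "ssh-2fa: master for $target did not come up" >&2; exit 1; }
            sleep 1
        done
    fi
    exec ssh -S "$sock" "$target" "$@"
}

# Entry points: askpass mode when ssh calls us back, otherwise the wrapper.
# Nothing runs when the file is sourced or invoked without arguments.
if [ "${SSH2FA_ASKPASS:-}" = 1 ]; then
    askpass_handler "${1:-}"
elif [ $# -gt 0 ]; then
    main "$@"
fi
```

Install it somewhere on your PATH, chmod +x it, and run ssh-2fa.sh root@example.com: the first call goes through pass-otp (and pinentry for your GPG passphrase), later calls reuse the master socket. ssh -S ~/.ssh/cm/root@example.com -O exit root@example.com tears the master down when you are done.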

Fancy!

P.S. Those who would give up essential security, to purchase a little temporary convenience, deserve neither convenience nor security. 😛