Automating SSH 2-FA prompt
Tags: OpenSSH, 2-FA, google-authenticator, TOTP
If you're one of those folks who use 2-FA (TOTP + public key authentication) with their SSH servers, and are annoyed by the inconvenience of finding your 2-FA device every time you log in to a host, then I have a solution which in practice lets you automate the login process without technically bypassing 2-FA, thereby rendering it slightly useless.
- Store the TOTP secret in password-store with the help of pass-otp.
- Make sure you have the `setsid` command (or `ssid` on FreeBSD, from the `sysutils/ssid` port).
- Create a script (say, `$HOME/bin/otp-server.sh`) which handles the password prompt, i.e. an `SSH_ASKPASS` program that prints the current code from password-store.
- Make sure your SSH client is configured in `ssh_config(5)` with the `ControlMaster` setting. I enable `ControlMaster` for all SSH sessions, so I don't need an explicit configuration of this setting for every server I log in to:

  ```
  Host *
      ControlMaster auto
      ControlPath /tmp/%r@%h:%p
  ```

  Note that `ssh_config(5)` recommends placing `ControlPath` in a directory that is not writable by other users (for example `~/.ssh/sockets/`) rather than in `/tmp`, and that anything running as your user can reuse the master socket and get a session without ever touching 2-FA; that is, after all, the whole trick.
- Now open an SSH connection in the background to your host:

  ```
  % ssid env SSH_ASKPASS=$HOME/bin/otp-server.sh ssh -Nf -l root example.com
  % Authenticated with partial success.
  gpg: Warning: using insecure memory!
  ```
The connection in the background is needed because we're using the `SSH_ASKPASS` feature of OpenSSH, which only gets triggered when the `ssh` process has no controlling terminal to read the password from; that is what `setsid`/`ssid` is for, since `-f` alone only backgrounds `ssh` after authentication. On OpenSSH releases before 8.4 `DISPLAY` must also be set for the askpass program to be used; from 8.4 on, `SSH_ASKPASS_REQUIRE=force` makes `ssh` use it unconditionally. Now open another `ssh` session on top of this already opened connection:

```
% ssh -l root example.com
Last login: Sun Feb 30 42:42:42 2042 from 224.0.0.1
abbe@example.com [~] $
```

No more password prompts. w00t! Fancy!
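As an added example (not the original post's `otp-server.sh`, whose contents are not reproduced here), this is the kind of `SSH_ASKPASS` helper the procedure above needs: `ssh` runs it with the prompt text as `$1` and reads the reply from stdout. The names used are assumptions, not from the post: the pass-otp entry is `ssh/<host>`, the host comes from `OTP_HOST`, and `OTP_CMD` can name a function or command to use instead of `pass otp` (used here for offline testing). The helper only answers prompts that look like a one-time-code challenge and refuses everything else, so a TOTP is never fed to a key-passphrase or host-key prompt.

```shell
#!/bin/sh
# otp-askpass.sh: SSH_ASKPASS helper answering the TOTP prompt from
# password-store. Added example for this page, not the original post's
# otp-server.sh. Assumed names (not from the page): the pass-otp entry is
# "ssh/<host>", the host is read from OTP_HOST, and OTP_CMD may name a
# function/command to call instead of `pass otp` (used for offline tests).
#
# Note that `pass otp` itself asks for the GPG passphrase when the agent
# has none cached, so this helper still prompts the human for *that*
# passphrase, which is what makes the trick "slightly useless".

# Return 0 if PROMPT looks like a one-time-code challenge. The
# google-authenticator PAM module asks "Verification code: ".
is_otp_prompt() {
    case "$1" in
        *"Verification code"*|*"verification code"*|*OTP*|*"one-time"*|*"One-time"*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Print the current code for the pass-otp entry "ssh/HOST".
otp_code() {
    if [ -n "${OTP_CMD:-}" ]; then
        $OTP_CMD "ssh/$1"
    else
        pass otp "ssh/$1"
    fi
}

# answer_prompt PROMPT: print a TOTP for a code challenge and return 0.
# For any other prompt (key passphrase, host-key confirmation) print
# nothing and return 1, so the one-time code never goes to the wrong
# prompt and ssh reports the failure instead of silently continuing.
answer_prompt() {
    prompt=$1
    host=${OTP_HOST:-}
    if [ -z "$host" ]; then
        echo "otp-askpass: OTP_HOST is not set" >&2
        return 1
    fi
    if ! is_otp_prompt "$prompt"; then
        echo "otp-askpass: refusing to answer prompt: $prompt" >&2
        return 1
    fi
    code=$(otp_code "$host") || return 1
    # Sanity check: a TOTP is 6 to 8 digits. Refuse anything else (e.g. an
    # error message from pass) rather than sending it as the code.
    if ! printf '%s' "$code" | grep -Eq '^[0-9]{6,8}$'; then
        echo "otp-askpass: unexpected output from pass otp" >&2
        return 1
    fi
    printf '%s\n' "$code"
}

# When ssh invokes this file, $1 is the prompt. Without an argument (e.g.
# when the file is sourced by a test) only the functions are defined.
if [ $# -gt 0 ]; then
    answer_prompt "$1"
fi

# Usage, with the ControlMaster/ControlPath settings from the post in place:
#   % OTP_HOST=example.com setsid env SSH_ASKPASS=$HOME/bin/otp-askpass.sh \
#         SSH_ASKPASS_REQUIRE=force ssh -Nf -l root example.com
#   % ssh -l root example.com     # reuses the master socket, no prompt
# setsid (ssid on FreeBSD) detaches ssh from the terminal so it has to use
# the askpass program; SSH_ASKPASS_REQUIRE needs OpenSSH 8.4 or newer,
# older releases need DISPLAY set instead.
```

The digit check matters more than it looks: if `pass` cannot find the entry or the GPG passphrase dialog is cancelled, it prints an error to stdout, and without the check that text would be sent to the server as the "code".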
P.S. Those who would give up essential security to purchase a little temporary convenience deserve neither convenience nor security.