Automating SSH 2-FA prompt

Posted on

Tags: OpenSSH 2-FA google-authenticator TOTP

If you’re one of those folks who use 2-FA (TOTP + public key authentication) with their ssh servers, and are now annoyed by the inconvenience of finding your 2-FA device when logging in to a host, then I have a solution which in practice allows you to automate the login process without bypassing 2-FA, therefore rendering it slightly useless 😉.

  1. Store TOTP authentication credentials in password-store with the help of pass-otp.

  2. Make sure you have the setsid command (or ssid on FreeBSD, from the sysutils/ssid port).

  3. Create a script (say, $HOME/bin/otp-server.sh) which acts as the password prompt:

    #!/bin/sh
    # Print the current TOTP code for root@example.com from password-store;
    # ssh runs this via SSH_ASKPASS in place of an interactive prompt.
    exec pass otp totp/example.com/root
    
  4. Make sure the host is configured with the ControlMaster setting in ssh_config(5). I enable ControlMaster for all SSH sessions, so I don’t need an explicit configuration of this setting for every server I log in to:

    Host *
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p
    
  5. Now open an SSH connection to your host in the background:

    % ssid env SSH_ASKPASS=$HOME/bin/otp-server.sh ssh -Nf -l root example.com
    % Authenticated with partial success.
    gpg: Warning: using insecure memory!
    

    The background connection is needed because we are using the SSH_ASKPASS feature of OpenSSH, which is only triggered when the ssh process is detached from the terminal (hence running it under ssid). Now open another ssh session that reuses this already established SSH connection:

    % ssh -l root example.com
    Last login: Sun Feb 30 42:42:42 2042 from 224.0.0.1
    abbe@example.com [~] $
    

    No more password prompts. w00t! 😃
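Once ssh is detached from the terminal it routes every prompt through SSH_ASKPASS, so the one-line script above would also hand a TOTP code to a host-key confirmation or a key-passphrase prompt. The following prompt-aware askpass helper is an added example, not the post's own script; it answers only the pam_google_authenticator "Verification code" prompt, refuses everything else, and assumes a 6 to 8 digit code and an OTP_CMD variable (defaulting to the post's pass invocation) for fetching the code.

```shell
#!/bin/sh
# Prompt-aware SSH_ASKPASS helper (added example, not the post's own script).
# ssh passes the prompt text as $1 and reads the answer from stdout. Only the
# "Verification code" prompt from pam_google_authenticator gets a code; every
# other prompt (host-key confirmation, key passphrase, anything unexpected)
# is refused so ssh aborts instead of being fed a TOTP code as its answer.
# Use: ssid env SSH_ASKPASS=$HOME/bin/otp-askpass.sh ssh -Nf -l root example.com
# OTP_CMD (assumed variable): command that prints the current code.
: "${OTP_CMD:=pass otp totp/example.com/root}"

classify_prompt() {
    case "$1" in
        *"Verification code"*)     echo otp ;;
        *"continue connecting"*)   echo hostkey ;;
        *passphrase*|*Passphrase*) echo passphrase ;;
        *)                         echo unknown ;;
    esac
}

askpass_reply() {
    case "$(classify_prompt "$1")" in
        otp) ;;
        *)   return 1 ;;   # never answer non-OTP prompts automatically
    esac
    # Run the OTP command and strip whitespace so no stray newline is sent.
    code=$($OTP_CMD | tr -d '[:space:]')
    # Sanity-check the shape of a TOTP code (6 to 8 decimal digits) so a
    # pass/gpg error message is never handed to the server as a password.
    case "$code" in
        *[!0-9]*|"") return 2 ;;
    esac
    if [ "${#code}" -lt 6 ] || [ "${#code}" -gt 8 ]; then
        return 2
    fi
    printf '%s\n' "$code"
}

# When invoked by ssh, answer the prompt it passed in.
if [ "$#" -gt 0 ]; then
    askpass_reply "$1"
fi
```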

Fancy!

P.S. Those who would give up essential security, to purchase a little temporary convenience, deserve neither convenience nor security. 😛