If you’re one of those folks who use 2-FA (TOTP + public key authentication) with their ssh servers, and are now annoyed by the inconvenience of finding your 2-FA device every time you log in to a host, then I have a solution which in practice allows you to automate the login process without bypassing 2-FA, therefore rendering it slightly useless 😉.
Make sure you have `pass` with its `otp` extension and `ssid` installed (`ssid` in FreeBSD, from …).
Create a script (say, `$HOME/bin/otp-server.sh`) which ssh will run instead of prompting for the password; it prints the current TOTP code from `pass`:

```sh
#!/bin/sh
exec pass otp totp/example.com/root
```
Make sure your SSH server is configured in your ssh client configuration (`~/.ssh/config`) with the `ControlMaster` setting. I enable `ControlMaster` for all SSH sessions, so I don’t need an explicit configuration of this setting for every server I log in to:

```
Host *
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p
```
Now open an SSH connection to your host in the background:

```
% ssid env SSH_ASKPASS=$HOME/bin/otp-server.sh ssh -Nf -l root example.com
% Authenticated with partial success.
gpg: Warning: using insecure memory!
```
The background connection is needed because we are using the `SSH_ASKPASS` feature of OpenSSH, which is only triggered when the `ssh` process is detached from the terminal. Now open another `ssh` session on top of this already open SSH connection:
```
% ssh -l root example.com
Last login: Sun Feb 30 42:42:42 2042 from 22.214.171.124
email@example.com [~] $
```
No more password prompts.
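As an added example (not code from the original post), here is a small wrapper around the steps above that reuses a live ControlMaster socket and only performs the `SSH_ASKPASS` login when no master exists; it also refuses an askpass script that others could modify, since whatever that script prints or does runs with your privileges. The `otp_*` function names, the `ASKPASS` default and the template constant are assumptions.

```sh
#!/bin/sh
# Added example, not the post's own code. Function names (otp_*) and the
# defaults below are assumptions; CONTROL_TEMPLATE must match ControlPath.

ASKPASS="${ASKPASS:-$HOME/bin/otp-server.sh}"
CONTROL_TEMPLATE='/tmp/%r@%h:%p'

# Expand the ControlPath tokens used in the post (%r user, %h host, %p port)
# the way ssh does, so the script can locate the socket ssh creates.
# Only these three tokens are handled; values must not contain '|' or '&'.
otp_control_path() {
    printf '%s\n' "$1" | sed -e "s|%r|$2|g" -e "s|%h|$3|g" -e "s|%p|$4|g"
}

# The askpass script prints a one-time code and is executed by ssh on our
# behalf, so it must be a regular file we own, executable, and not writable
# by group or others.  Returns 0 when it is safe to hand to SSH_ASKPASS.
otp_askpass_ok() {
    [ -f "$1" ] && [ -x "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????-??-?) return 0 ;;   # positions 6 and 9: no group/other 'w'
        *)          return 1 ;;
    esac
}

# Ask the master listening on socket $1 (for host $2) whether it is alive.
otp_master_alive() {
    ssh -S "$1" -O check "$2" >/dev/null 2>&1
}

# Open the background master exactly as in the post, but only when needed.
# ssh consults SSH_ASKPASS only without a controlling terminal; ssid
# (setsid on Linux) together with -f arranges that.
otp_master_ensure() {   # $1 user, $2 host, $3 port (default 22)
    port="${3:-22}"
    sock="$(otp_control_path "$CONTROL_TEMPLATE" "$1" "$2" "$port")"
    if otp_master_alive "$sock" "$2"; then
        return 0
    fi
    otp_askpass_ok "$ASKPASS" || {
        echo "refusing unsafe askpass script: $ASKPASS" >&2
        return 2
    }
    ssid env SSH_ASKPASS="$ASKPASS" ssh -Nf -p "$port" -l "$1" "$2"
}
```

Call `otp_master_ensure root example.com` before your normal `ssh -l root example.com`; the second command then rides on the socket whether or not the master had to be (re)opened.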
P.S. Those who would give up essential security, to purchase a little temporary convenience, deserve neither convenience nor security. 😛