Mailing List Archive

(Open)SSH as a TOTP *Token*?
A quick question, if I may: Today, I heard a rumour that "ssh" can be
used as a TOTP *token* (i.e., accept or generate a secret for a
configuration and generate TOTP codes from there on out, to be entered
into some *other* software requesting them for 2FA).

All I could find on the web so far are how-tos to a) make ssh*d* request
and verify TOTP codes (usually with the help of PAM) or b) automate
passing TOTP codes into a CLI ssh (e.g., generated by Vault and injected
with sshpass).

Am I correct to assume that someone got the participants in a TOTP setup
mixed up there?

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: (Open)SSH as a TOTP *Token*?
On Mon, 20 Feb 2023 at 20:03, Jochen Bern <Jochen.Bern@binect.de> wrote:
> A quick question, if I may: Today, I heard a rumour that "ssh" can be
> used as a TOTP *token* (i.e., accept or generate a secret for a
> configuration and generate TOTP codes from there on out, to be entered
> into some *other* software requesting them for 2FA).

I'm not aware of any way that ssh(1) can act as a TOTP (ie RFC6238 or
similar). As you point out sshd can use TOTP to authenticate via a
couple of different mechanisms that implement TOTP.

> Am I correct to assume that someone got the participants in a TOTP setup
> mixed up there?

That would be my guess. Maybe they meant openssl? That would at
least have the primitives needed to implement TOTP.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: (Open)SSH as a TOTP *Token*?
On 2023/02/20 23:59, Darren Tucker wrote:
> On Mon, 20 Feb 2023 at 20:03, Jochen Bern <Jochen.Bern@binect.de> wrote:
> > A quick question, if I may: Today, I heard a rumour that "ssh" can be
> > used as a TOTP *token* (i.e., accept or generate a secret for a
> > configuration and generate TOTP codes from there on out, to be entered
> > into some *other* software requesting them for 2FA).
>
> I'm not aware of any way that ssh(1) can act as a TOTP (ie RFC6238 or
> similar). As you point out sshd can use TOTP to authenticate via a
> couple of different mechanisms that implement TOTP.
>
> > Am I correct to assume that someone got the participants in a TOTP setup
> > mixed up there?
>
> That would be my guess. Maybe they meant openssl? That would at
> least have the primitives needed to implement TOTP.

There's no support for this in the openssl command-line tool.
FWIW oathtool (in oath-toolkit) can do it, as can various password
managers (including gopass).
