How to set up MFA on an OpenBSD server

In a terminal prompt while logged in as root

1. Install the necessary packages:

```sh
pkg_add login_oath oath_toolbox vim
```

2. Generate the hex key for the authenticator:

```sh
openssl rand -hex 20 > ~/.totp-key
```

3. Set the correct permissions on the key file:

```sh
chmod 400 ~/.totp-key
```

4. View the generated hex key:

```sh
cat ~/.totp-key
```

5. Using the key, convert it to base32 for your authenticator app and get the current code to verify it:

```sh
oathtool --verbose --totp "HEX_KEY_HERE"
```

6. Modify /etc/login.conf to add the following line:

```
auth-ftp-defaults:auth-ftp=passwd:
# add this line
auth-ssh-defaults:auth-ssh=-totp:
```

Depending on which login class you want to modify, you will need to add the following to that class:

```
:tc=auth-ssh-defaults:\
```

7. After making the changes, rebuild the login.conf database so they take effect:

```sh
cap_mkdb /etc/login.conf
```

8. Modify sshd_config to use the TOTP code:

```
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,password
Subsystem sftp /usr/libexec/sftp-server
```

9. Verify that your sshd_config file is valid:

```sh
sshd -t
```

10. Restart sshd to finalize the changes:

```sh
rcctl restart sshd
```

Verify the changes are working

1. Attempt to log in over SSH:

```sh
ssh user@server
```

2. You should be prompted for your SSH key's passphrase, and after that you will be prompted for your password.

Even though the prompt says “password”, it is your OTP code that is being requested, e.g. `user@server's password: <ENTER_CODE_HERE>`

3. Once you enter your OTP code you should be logged in.
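As an added reference (not part of the original post), the Python below reproduces what step 5 and the login check do: it converts the hex key from ~/.totp-key to the base32 form an authenticator app takes and computes the RFC 6238 TOTP code, so you can cross-check app and server from a still-open session before relying on the new sshd configuration. The `verify` helper's drift window is an assumption for illustration, not login_oath's actual setting; the demo key is the RFC 6238 test seed, not a real key.

```python
"""Reference TOTP (RFC 6238) computation for a hex key in the ~/.totp-key format.
Added example; not code from the original page or from login_oath/oathtool."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # time step in seconds (the oathtool/login_oath default)
DIGITS = 6     # code length


def hex_to_base32(hex_key):
    """Convert the hex key to the base32 string authenticator apps expect.
    A 20-byte key (openssl rand -hex 20) encodes to 32 chars with no '=' padding."""
    raw = bytes.fromhex(hex_key.strip())
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def hotp(raw_key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(raw_key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(hex_key, unix_time=None):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(bytes.fromhex(hex_key.strip()), unix_time // STEP)


def verify(hex_key, code, unix_time, window=1):
    """Accept the code for the current step or +/- `window` adjacent steps (clock drift).
    The window size is an assumption for illustration, not login_oath's setting."""
    raw = bytes.fromhex(hex_key.strip())
    base = unix_time // STEP
    return any(hmac.compare_digest(hotp(raw, base + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    # RFC 6238 test seed "12345678901234567890" as hex, same format as ~/.totp-key
    demo_key = "3132333435363738393031323334353637383930"
    print("base32 for authenticator app:", hex_to_base32(demo_key))
    print("code at T=59:", totp(demo_key, 59))   # 287082 (last 6 digits of RFC's 94287082)
    print("code now:", totp(demo_key))
```

Run it on the server with the real key from `cat ~/.totp-key` and the code should match both `oathtool --totp` and the digits your authenticator app shows for the same 30-second step.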