How to set up MFA on an OpenBSD server

Run the following in a terminal while logged in as root. Steps 2 to 5 create the TOTP key for the account that will log in over SSH, so run them as that user (for example after `su - user`): the key file must live in that user's home directory and be owned by that user, not sit in root's home.

1. Install the necessary packages (`vim` is only the editor used for the config edits below; the toolkit package is `oath-toolkit`, which provides `oathtool`):

```sh
pkg_add login_oath oath-toolkit vim
```

2. Generate a random 160-bit key, stored as 40 hex digits, for the authenticator:

```sh
openssl rand -hex 20 > ~/.totp-key
```

3. Make the key readable by its owner only:

```sh
chmod 400 ~/.totp-key
```

4. View the generated hex key:

```sh
cat ~/.totp-key
```

5. Convert the hex key to base32 for your authenticator app and print the current code so you can check the app against the server. `--verbose` prints both the hex and the base32 secret; the base32 string is what the app expects:

```sh
oathtool --verbose --totp "HEX_KEY_HERE"
```

6. Edit `/etc/login.conf` and add an `auth-ssh-defaults` record directly after the existing `auth-ftp-defaults` line (the second line below is the one to add). `auth-ssh` is the capability sshd consults when it performs BSD authentication, so this makes the `totp` style from `login_oath` the style sshd uses; console login keeps using the `auth` capability and is not affected:

```
auth-ftp-defaults:auth-ftp=passwd:
auth-ssh-defaults:auth-ssh=-totp:
```

[!INFO] The new record only takes effect for login classes that reference it. Add the following to the class the SSH user belongs to (`default` unless the user has a class set in `/etc/master.passwd`), next to the existing `:tc=auth-ftp-defaults:` entry. Every line of a record except the last one ends with a backslash, so either make `:tc=auth-ssh-defaults:` the final line without a backslash, or keep the backslash and place it above the current last line:

```
:tc=auth-ssh-defaults:\
```

7. Rebuild the login.conf database so the change is picked up:

```sh
cap_mkdb /etc/login.conf
```

8. Edit `/etc/ssh/sshd_config` so that a key is required first and the password method (which now asks for the TOTP code) second. Note the keyword is `AuthorizedKeysFile`; `AuthorizedKeyFiles` is a typo that `sshd -t` rejects:

```
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,password
Subsystem sftp /usr/libexec/sftp-server
```

With `AuthenticationMethods publickey,password`, both methods must succeed in that order; a code alone is never enough. Any account without a readable `~/.totp-key` can no longer complete the second step, so create keys for every account that needs SSH access before restarting sshd.

9. Check that sshd_config is valid (`sshd -t` tests the server configuration, not ssh_config):

```sh
sshd -t
```

10. Restart sshd to apply the changes. Keep your current session open until a fresh login has been confirmed to work, so a mistake does not lock you out:

```sh
rcctl restart sshd
```
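The steps above touch three places (the key file, `/etc/login.conf` and `sshd_config`), and a mistake in any of them looks the same from the client: a rejected login. The script below is an added example, not part of login_oath or OpenBSD, for checking all three before sshd is restarted. It converts a hex key to base32 (the same value `oathtool --verbose` prints, so the app secret can be confirmed offline), verifies the key file's length and permissions, parses login.conf to confirm the user's class pulls in `auth-ssh-defaults` and that the record selects the `totp` style, and checks sshd_config for the `publickey,password` requirement and the `AuthorizedKeyFiles` typo. The file paths, the `preflight` wrapper and the PASS/FAIL output are this example's own assumptions; it is plain POSIX sh and awk, so it also runs on Linux.

```sh
#!/bin/sh
# totp-preflight.sh: sanity checks for the login_oath + sshd setup above, meant
# to be run before "rcctl restart sshd". Added example, not part of login_oath
# or OpenBSD; paths and the PASS/FAIL format are this script's own choices.
# Every check_* function returns 0 on pass and 1 on fail.

# Convert the hex key stored in ~/.totp-key to RFC 4648 base32 (the form
# authenticator apps import). Same value that "oathtool --verbose" prints.
hex_to_base32() {
    printf '%s\n' "$1" | awk '
    BEGIN { hex = "0123456789abcdef"; b32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" }
    {
        key = tolower($0); gsub(/[ \t\r]/, "", key); bits = ""
        for (i = 1; i <= length(key); i++) {
            v = index(hex, substr(key, i, 1)) - 1
            if (v < 0) exit 1                        # not a hex digit
            for (b = 3; b >= 0; b--) bits = bits (int(v / 2^b) % 2)
        }
        while (length(bits) % 5) bits = bits "0"     # zero-fill the last 5-bit group
        out = ""
        for (i = 1; i <= length(bits); i += 5) {
            v = 0
            for (j = 0; j < 5; j++) v = v * 2 + substr(bits, i + j, 1)
            out = out substr(b32, v + 1, 1)
        }
        while (length(out) % 8) out = out "="        # pad to a multiple of 8 chars
        print out
    }'
}

# The key file must hold exactly 40 hex digits (openssl rand -hex 20) and
# carry no group/other permission bits (the page uses mode 400).
check_totp_key() {
    f=$1
    [ -f "$f" ] || return 1
    # columns 5-10 of "ls -l" are the group and other permission bits
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || return 1
    key=$(tr -d ' \t\r\n' < "$f")
    [ "${#key}" -eq 40 ] || return 1
    case $key in *[!0-9a-fA-F]*) return 1 ;; esac
}

# Print the login.conf record for class $2 from file $1, with backslash
# continuation lines joined and leading whitespace removed.
login_conf_record() {
    awk -v class="$2" '
    {
        line = $0; sub(/^[ \t]+/, "", line)
        if (line ~ /^#/ && buf == "") next              # comment between records
        if (line ~ /\\$/) { buf = buf substr(line, 1, length(line) - 1); next }
        rec = buf line; buf = ""                         # a blank line also ends a record
        if (rec == "") next
        split(rec, field, ":"); n = split(field[1], names, "|")
        for (i = 1; i <= n; i++) if (names[i] == class) print rec
    }' "$1"
}

# The user's class must pull in auth-ssh-defaults, and that record must make
# totp the style sshd gets for the "auth-ssh" capability.
check_totp_class() {
    conf=$1 class=$2
    login_conf_record "$conf" "$class" | grep -q ':tc=auth-ssh-defaults:' || return 1
    login_conf_record "$conf" auth-ssh-defaults | grep -q 'auth-ssh=-\{0,1\}totp[:,]'
}

# sshd_config must require publickey and then password (the TOTP prompt), must
# not switch password auth off, and must not carry the AuthorizedKeyFiles typo.
check_sshd_config() {
    f=$1
    grep -Eiq '^[[:space:]]*AuthenticationMethods[[:space:]]+publickey,password([[:space:]]|$)' "$f" || return 1
    ! grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$f" || return 1
    ! grep -Eiq '^[[:space:]]*AuthorizedKeyFiles' "$f"
}

# Run all checks for one user and login class (class defaults to "default").
# Usage: sh totp-preflight.sh alice [class]
preflight() {
    user=$1 class=${2:-default}
    home=$(eval echo "~$user")                           # that user's home, not root's
    status=0
    for check in "check_totp_key $home/.totp-key" \
                 "check_totp_class /etc/login.conf $class" \
                 "check_sshd_config /etc/ssh/sshd_config"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; status=1; fi
    done
    return $status
}

[ $# -eq 0 ] || preflight "$@"
```

Run it as `sh totp-preflight.sh user` after step 9 and before step 10; a FAIL line names the file to fix. `hex_to_base32 "$(cat ~/.totp-key)"` on its own prints the secret to compare with what the authenticator app stored.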

Verify the changes are working

1. Attempt to log in over ssh from a second terminal or another machine, leaving the existing root session open:

```sh
ssh user@server
```

2. You should first be prompted for your SSH key's passphrase (if the key has one), and once the key is accepted you will be prompted for a "password".

[!WARNING] Even though the prompt says "password", it is your OTP code that is being requested, e.g. `user@server's password: <ENTER_CODE_HERE>`. With the `-totp` style the account password is not used at all.

3. Once you enter the current OTP code you should be logged in. If you are not, check that `~/.totp-key` belongs to that user and is not readable by others, that the server clock is in sync (TOTP codes are time-based), and what `/var/log/authlog` reports for the attempt, all before closing your root session.