Closed alejandro-anv closed 2 years ago
It's not really that you enter the user's password, but (assuming you're using PAM) that you're triggering a PAM configuration.
sftp will trigger the sshd pam configuration. If you don't have pam_unix.so in that config, then it won't ask for the user's password.
But I don't recommend that you only have OTP on anything. It's just not that many possible numbers.
If you're asking how to do different PAM configs for ssh and sftp, I don't know. That's an OpenSSH and PAM question.
On a Debian system (on other distros the locations can be different, but the idea is the same):
Open /etc/pam.d/common-auth
Replace the line `auth [success=1 default=ignore] pam_unix.so nullok` with the following:

```
#auth [success=1 default=ignore] pam_unix.so nullok
# TOTP 2FA
auth required pam_google_authenticator.so nullok forward_pass
auth [success=1 default=ignore] pam_unix.so try_first_pass
```
You can omit `nullok` from the pam_google_authenticator line if you want TOTP to be mandatory. As is, accounts without the .google_authenticator file in the root of their home folder can still log in with only their password.
What this does is prompt you for password + TOTP in one single prompt. For example, with your password `abcde` and your TOTP code `123456`,
you would now enter `abcde123456` at any password prompt on your account.
I used this to solve a problem I had with pam_google_authenticator, to use it with SDDM + KDE desktop login. Now all password prompts are uniform in the way they work. Hope this helps
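Added example, not code from this thread: a small Python audit of a pam.d `auth` stack that reports whether the chaining above yields a single combined prompt (TOTP rule first, `forward_pass` + `try_first_pass`), whether TOTP is mandatory (no `nullok`), and whether the stack is OTP-only, the setup the earlier reply warns against. Module and option names are the ones from the comment; the sample stacks are constructed.

```python
# Added example (not from the thread): audit a PAM auth stack for the
# password + TOTP chaining shown above and flag the OTP-only setup warned about.
from collections import namedtuple

PamRule = namedtuple("PamRule", "type control module args")

def parse_pam(text):
    """Parse pam.d-style lines; '#' comments (incl. commented-out rules) are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[1].startswith("["):   # bracketed control field contains spaces
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
        rules.append(PamRule(fields[0], control, rest[0], rest[1:]))
    return rules

def audit_auth_stack(text):
    """Report what the 'auth' stack does for the TOTP/password interplay."""
    auth = [r for r in parse_pam(text) if r.type == "auth"]
    first = {}                                   # module -> index of its first rule
    for i, r in enumerate(auth):
        first.setdefault(r.module, i)
    ga = first.get("pam_google_authenticator.so")
    unix = first.get("pam_unix.so")
    return {
        # only a six-digit code stands between an attacker and the account
        "otp_only": ga is not None and unix is None,
        # without nullok, users lacking ~/.google_authenticator cannot log in
        "totp_mandatory": ga is not None and "nullok" not in auth[ga].args,
        # TOTP rule first, forward_pass + try_first_pass => one combined prompt
        "single_prompt": (ga is not None and unix is not None and ga < unix
                          and "forward_pass" in auth[ga].args
                          and "try_first_pass" in auth[unix].args),
    }

# Constructed sample: the common-auth edit from the comment above.
COMBINED_STACK = """\
#auth [success=1 default=ignore] pam_unix.so nullok
# TOTP 2FA
auth required pam_google_authenticator.so nullok forward_pass
auth [success=1 default=ignore] pam_unix.so try_first_pass
"""
# Constructed sample: the OTP-only stack the question asks for.
OTP_ONLY_STACK = "auth required pam_google_authenticator.so\n"
```

Run `audit_auth_stack` on the contents of your own common-auth (or sshd) file to confirm the rule order and options before relying on the single-prompt behaviour.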
For some programs like sftp, you can only enter the user's password. Is there any way to configure pam to use the authenticator password INSTEAD of the shadow password, so you only type this code to access?