google / google-authenticator-libpam

Apache License 2.0

Use authenticator as main user password? #207

Closed alejandro-anv closed 2 years ago

alejandro-anv commented 2 years ago

For some programs like sftp, you can only enter the user's password. Is there any way to configure pam to use the authenticator password INSTEAD of the shadow password so you only type this code to access?

ThomasHabets commented 2 years ago

It's not really that you enter the user's password, but (assuming you're using PAM) that you're triggering a PAM configuration.

sftp will trigger the sshd pam configuration. If you don't have pam_unix.so in that config, then it won't ask for the user's password.

But I don't recommend that you only have OTP on anything. It's just not that many possible numbers.

If you're asking how to do different PAM configs for ssh and sftp, I don't know. That's an OpenSSH and PAM question.

codesnippy commented 11 months ago

On a Debian system (on other distros the locations can be different, but the idea is the same):

Open /etc/pam.d/common-auth and replace the line `auth [success=1 default=ignore] pam_unix.so nullok` with the following:

#auth   [success=1 default=ignore]      pam_unix.so nullok
# TOTP 2FA
auth    required                        pam_google_authenticator.so nullok forward_pass
auth    [success=1 default=ignore]      pam_unix.so try_first_pass

You can omit nullok from the pam_google_authenticator line if you want TOTP to be mandatory. As is, accounts without the .google_authenticator file in the root of their home folder can still log in with only their password.

What this does is prompt you for a password + TOTP in one single prompt. For example: your password: abcde, your TOTP code: 123456.

You would now enter, for any password prompt on your account: abcde123456

I used this to solve a problem I had with pam_google_authenticator, to use it with SDDM + KDE desktop login. Now all password prompts are uniform in the way they work. Hope this helps.
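Added example (not code from this thread or from google-authenticator-libpam): a stdlib-only Python model of what the forward_pass configuration above does, showing how a combined entry like abcde123456 is split into password and TOTP, how the TOTP is checked (RFC 6238 over HMAC-SHA1, the scheme the module verifies), and how nullok lets an account with no secret file through. The trailing-six-digits split rule and the one-step clock window are simplifying assumptions; the secret used is the public RFC 6238 test-vector key, not a real user's.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test-vector key ("12345678901234567890" in base32), used only as sample data.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
OTP_DIGITS = 6
STEP_SECONDS = 30


def totp(secret_b32: str, unix_time: int, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), e.g. totp(DEMO_SECRET_B32, 59) == "287082"."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_forward_pass(entered: str, digits: int = OTP_DIGITS):
    """Assumed model of forward_pass: the trailing digits are the OTP, everything
    before them is the password handed to pam_unix.so via try_first_pass."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return None, None
    return entered[:-digits], entered[-digits:]


def verify_combined(entered: str, secret_b32: str, now: int,
                    has_secret_file: bool = True, nullok: bool = True, window: int = 1):
    """Return (password_for_next_module, ok).

    With nullok set and no ~/.google_authenticator file the module steps aside and
    the whole entry is treated as the password (the weaker case the thread warns
    about); without nullok such an account is refused outright."""
    if not has_secret_file:
        return (entered, True) if nullok else (None, False)
    password, otp = split_forward_pass(entered)
    if otp is None:
        return None, False
    # Accept codes from adjacent time steps to tolerate small clock skew.
    for skew in range(-window, window + 1):
        expected = totp(secret_b32, now + skew * STEP_SECONDS)
        if hmac.compare_digest(expected, otp):   # constant-time comparison
            return password, True
    return None, False
```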