OpenBSD & OTP

Page content

i don’t like ssh & password authentication. but sometime, specially during setup or recovery, it’s need and make sense. thought i’ll protect some boxes with otp. here a few notes and instrucations

Build login_otp

git clone https://github.com/reyk/login_otp
cd login_otp
make obj
make all
doas make install

Initialize OTP DB

doas otp -i

Generate Key for User

otp -g
Name: stoege
Key:  xxxx xxxx xxxx xxxx xxxx xxxx xx
URL:  otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30

Build QR Code

echo "otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30" |qrencode -t ansiutf8

and scan the code with the google authenticator (or similar app)

globally enable OTP in Login.conf

doas sed -i 's/^auth-defaults:auth=.*/auth-defaults:auth=otp,skey/' /etc/login.conf

globally disable OTP in Login.conf

doas sed -i 's/^auth-defaults:auth=.*/auth-defaults:auth=passwd,skey/' /etc/login.conf

Test Login

stoege@puffy $ ssh localhost
(stoege@localhost) OTP+ password for "stoege":

enter OTP & Password (123456mysecret) and you’re in

tail /var/log/authlog

Sep 16 16:47:43 puffy-otp sshd[19914]: Accepted keyboard-interactive/bsdauth for stoege from 127.0.0.1 port 34892 ssh2

while a standart ssh authentication with password looks like

Sep 16 16:53:18 puffy-std sshd[8997]: Accepted password for stoege from 127.0.0.1 port 25969 ssh

Show next Valid OTP

otp -t

remove OTP for a User

otp -r

looks like when you enabled otp in /etc/login.conf, every user needs a valid OTP for Login with Password!

wrapper: install_otp.sh

a little wrapper script for OpenBSD (what else … ;)

cat << 'EOF' > install_otp.sh
#!/usr/bin/env bash

# OTP Wrapper, v1.0, 2022-09-17, @stoege

# cwd
cd ~

info() {
cat << EOF

** $(date +"%Y-%m-%d %H:%M:%S"): $1 **
EOF
}

showhelp() {
cat << EOF

usage: $0 -h|-i|-d|-e|-g|-s

          -h: help
          -i: install
          -d: disable
          -e: enable
          -g: generate (key)
          -s: show (key)
          -r: remove (key)

EOF
exit 1
}

install() {
  git clone https://github.com/reyk/login_otp
  cd login_otp
  make obj
  make all
  doas make install
}

setupdb() {
  doas otp -i
}

genkey() {
  test -f /usr/local/bin/qrencode || doas install libqrencode
  echo
  key=$(otp -g |tee /dev/tty)
  echo
  echo $key |sed 's/.*otpauth/otpauth/' |sed "s/.secret/@$(hostname)\?secret/" |qrencode -t ansiutf8
  echo
}

showkey() {
  otp -t
}

delkey() {
  otp -r
}

enableotp() {
  doas sed -i 's/^auth-defaults:auth=.*/auth-defaults:auth=otp,skey/' /etc/login.conf
  info "OTP Enabled"
}

disableotp() {
  doas sed -i 's/^auth-defaults:auth=.*/auth-defaults:auth=passwd,skey/' /etc/login.conf
  info "OTP Disabled"
}

showinfo() {
if [[ $(fgrep otp /etc/login.conf) ]]; then
cat << 'EOF'

OTP is ENABLED ! to disably it globally, run:
doas sed -i 's/^auth-defaults:auth=.*/auth-defaults:auth=passwd,skey/' /etc/login.conf

EOF

else
cat << 'EOF'

OTP is DISABLED! to enable it globally, run:
doas sed -i 's/^auth-defaults:auth=.*/auth-defaults:auth=otp,skey/' /etc/login.conf; otp -g; otp -t

EOF
fi
}


if [[ "$1" == "-h" ]]; then
  showhelp
elif [[ "$1" == "-i" ]]; then
  test -f /usr/libexec/auth/login_totp && info "already installed!" || install
  test -f /etc/otp && info "otp db already initialized" || setupdb
  showinfo
elif [[ "$1" == "-d" ]]; then
  disableotp
elif [[ "$1" == "-e" ]]; then
  enableotp
elif [[ "$1" == "-g" ]]; then
  genkey
elif [[ "$1" == "-r" ]]; then
  delkey
elif [[ "$1" == "-s" ]]; then
  showkey
else
  showhelp
fi

echo
exit 0
EOF

chmod 700 install_otp.sh

sha256: 24b84876a6e54cc70d675511a186cea9963e0fea2f42a862abb5927e0f6ca749