1

I've set up Google OTP authentication and RSA key authentication on my server, but after some time it gets very annoying to type the OTP from my phone every time. I would like to know if there is any possibility (through PAM or /etc/security/access.conf) to ask for the OTP only at the first login and after that trust my machine?

Also I'd like to ask if there is any possibility to set up one OTP generator for, e.g., 10 Linux machines?

I'm managing several machines, and if you have to scroll through your phone and look for the right OTP it can be problematic, so I want to log in only with my RSA key while all other people need to use 2FA.

2
  • The 2FA is doing what it's supposed to. The price is a loss of convenience (or a gain of annoyance). If you don't want that, why not just use a strong key with a very long passphrase? Commented Jun 3, 2016 at 0:17
  • I'm managing several machines, and if you have to scroll through your phone and look for the right OTP it can be problematic, so I want to log in only with my RSA key while all other people need to use 2FA. Commented Jun 3, 2016 at 11:51

1 Answer

0

If you want a user (or several users) to be able to log in to several machines, it makes sense to use a central authentication system that manages the users' tokens. You may take a look at privacyIDEA, which can manage all kinds of different token types and also define which token is allowed on which machines (security levels).

As far as "don't ask me a 2nd time" is concerned: what is the "application" you are authenticating to? Is it SSH?

3
  • privacyIDEA is a nice solution and I definitely need to read more about it. Commented Jun 3, 2016 at 11:37
  • I've got another question, because I've been searching for a solution to my problem and found something like this (added in /etc/pam.d/sshd): "auth [success=1 default=ignore] pam_module.so accessfile=/etc/security/access-local.conf", where the conf file includes "+ : ALL : specific.ip.address" and "- : ALL : ALL", so all connections from one specific address will be allowed with only 1 auth method while all others will need 2FA? My problem is whether such a PAM module exists. Commented Jun 3, 2016 at 11:46
  • First, I am not sure if the PAM stack contains the SSH!!! client IP address. There is PAM_RHOST, but this might not be what you are looking for. I do not know of such a PAM module. privacyIDEA, however, can do this: combine users with 2FA and only password, or allow different kinds of 2FA access or password access based on client IP. Commented Jun 3, 2016 at 16:41
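The stack sketched in the comments above can be checked without touching a real host. The following is an added example, not code from the question, the answer or privacyIDEA: it embeds a constructed `/etc/pam.d/sshd` excerpt and a constructed `access-local.conf`, and walks them the way libpam resolves `required` and `[success=1 default=ignore]`. The module it models is the stock `pam_access.so` (its `accessfile=` option is real, and sshd does set `PAM_RHOST` to the client address, which is what pam_access matches the "origins" field against). `192.0.2.10` and `203.0.113.7` are documentation addresses standing in for a trusted workstation and an arbitrary client; the OTP module is assumed to succeed whenever it is reached, since only the control flow is of interest here.

```python
import ipaddress
import shlex

# Constructed excerpt of /etc/pam.d/sshd: pam_access decides whether the
# next module (the OTP prompt) is skipped. Only these two lines are modelled.
PAM_SSHD = """\
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
"""

# Constructed access-local.conf: "permission : users : origins".
# The trailing deny line matters because pam_access grants access when no
# rule matches at all.
ACCESS_LOCAL_CONF = """\
# trusted admin workstation (documentation address): skip the OTP module
+ : ALL : 192.0.2.10
# everyone else falls through to the OTP prompt
- : ALL : ALL
"""


def parse_access_conf(text):
    """Parse access.conf-style lines into (permission, users, origins) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def origin_matches(pattern, rhost):
    """Match one origin entry (ALL, address, or CIDR) against PAM_RHOST."""
    if pattern == "ALL":
        return True
    try:
        addr = ipaddress.ip_address(rhost)
    except ValueError:
        return pattern == rhost  # a hostname rather than an address
    try:
        # ip_network accepts both "a.b.c.d" (a /32) and "a.b.c.d/24"
        return addr in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False


def pam_access(rules, user, rhost):
    """Return 'success' or 'perm_denied' as pam_access.so would.

    First matching rule wins; '+' grants, '-' denies; no match grants.
    """
    for perm, users, origins in rules:
        user_ok = "ALL" in users or user in users
        origin_ok = any(origin_matches(p, rhost) for p in origins)
        if user_ok and origin_ok:
            return "success" if perm == "+" else "perm_denied"
    return "success"


def parse_pam_stack(text):
    """Parse 'auth <control> <module> [args...]' lines of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        parts = shlex.split(raw.split("#", 1)[0])
        if not parts:
            continue
        if parts[1].startswith("["):
            # Bracketed control such as [success=1 default=ignore]
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control = " ".join(parts[1:end + 1]).strip("[]")
            module, args = parts[end + 1], parts[end + 2:]
        else:
            control, module, args = parts[1], parts[2], parts[3:]
        stack.append((control, module, args))
    return stack


def walk_auth_stack(stack, rules, user, rhost):
    """Walk the auth stack and report which modules ran.

    Models 'required' and '[success=N default=ignore]' only; every module
    other than pam_access is assumed to succeed (the OTP is answered).
    """
    ran, i = [], 0
    while i < len(stack):
        control, module, _args = stack[i]
        ran.append(module)
        result = pam_access(rules, user, rhost) if module == "pam_access.so" else "success"
        actions = dict(a.split("=", 1) for a in control.split()) if "=" in control else {}
        skip = actions.get(result.replace("perm_denied", "default"), "")
        i += 1 + (int(skip) if skip.isdigit() else 0)  # success=N skips N modules
    return {"modules_run": ran, "otp_prompted": "pam_google_authenticator.so" in ran}


def sshd_login_path(user, rhost):
    """Resolve the constructed stack for one client address."""
    return walk_auth_stack(parse_pam_stack(PAM_SSHD), parse_access_conf(ACCESS_LOCAL_CONF), user, rhost)


if __name__ == "__main__":
    for host in ("192.0.2.10", "203.0.113.7"):
        print(host, sshd_login_path("admin", host))
```

Two points the walk makes visible: a denied pam_access result is mapped to `default=ignore`, so the stack simply continues to the OTP module instead of failing, and the `- : ALL : ALL` line is what prevents pam_access from defaulting to "grant" for every other client. The trust being moved here is onto a source address, so the origins field should be as narrow as possible, and the key requirement should stay enforced in sshd itself (for example `AuthenticationMethods publickey,keyboard-interactive` in sshd_config) so that the PAM exception only removes the OTP step, never the key.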
