On Tue, Jun 23, 2015 at 8:49 AM, Helmut Jarausch <jarau...@skynet.be> wrote:
> Hi,
>
> I'd like to log into my Gentoo system from my smartphone.
> But I don't trust Google (Android's parents).
> Therefore I need an OTP solution for logging into my Gentoo system.
>
> Can anybody recommend a solution?
>

You'll laugh at the irony, but my /etc/pam.d/sshd:
auth       include      system-remote-login
auth       required     pam_google_authenticator.so
account    include      system-remote-login
password   include      system-remote-login
session    include      system-remote-login

The Google Authenticator PAM module comes from
sys-auth/google-authenticator, and accepts OTPs from the Google
Authenticator app, or any other app that uses the same algorithm
(which is fairly standard I believe).  It is FOSS, and doesn't give
Google access to anything.

That one line is all it takes to block anybody not using an OTP from
logging in.  To actually set the key for an account there is a utility
that will generate a key and give you the seed for your OTP generator.
It stores a file in your home directory with the seed, which the PAM
module reads.

It is very simple to set up, and very effective.  Note that public key
authentication with sshd normally bypasses PAM and doesn't require the
code - I don't know offhand if you can have both.

-- 
Rich
