odo1242 a day ago

One issue with this is it makes it hard for scripts to log in (this may be what you want)

mrspuratic 4 days ago

Yes, via PAM, and this works fine with OpenSSH. But the couple of OTP implementations I've used are the same: you can either provide password and PIN or passwordPIN. In the end they get concatenated, passed to the next layer, and taken apart for checks. This lets it work with brain-dead HTTP basic auth too, if you're unlucky enough to have to use that...

  • notpushkin 3 days ago

    Yeah, I’ve seen it in a couple places, too. (Once I had to write my own wrapper for openfortivpn that did exactly that!)
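An added example, not from any commenter or from the OTP products mentioned in the thread: a minimal verifier that accepts either a password with a separate code or the concatenated `passwordPIN` form and takes it apart for the checks. The 6-digit code length, the PBKDF2 password hash, the ±1 step window and all names here are assumptions; the secret is the RFC 6238 test key and the account record is constructed.

```python
import hashlib, hmac, struct

OTP_DIGITS = 6   # assumption: fixed-length numeric code appended to the password
STEP = 30        # assumption: 30-second TOTP time step

def totp(secret: bytes, now: float, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and dynamic truncation."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def split_credential(blob: str, digits: int = OTP_DIGITS):
    """Always treat the last `digits` characters as the code, so passwords
    that themselves end in digits still split unambiguously."""
    if len(blob) <= digits:
        return None
    password, otp = blob[:-digits], blob[-digits:]
    if not (otp.isascii() and otp.isdigit()):
        return None
    return password, otp

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify(blob: str, record: dict, now: float, otp: str = None, window: int = 1) -> bool:
    """Accept (password, otp) separately or a single 'passwordOTP' string."""
    if otp is None:
        parts = split_credential(blob)
        if parts is None:
            return False
        password, otp = parts
    else:
        password = blob
    pw_ok = hmac.compare_digest(
        hash_password(password, record["salt"]), record["pw_hash"])
    otp_ok = False
    for drift in range(-window, window + 1):   # tolerate small clock skew
        expected = totp(record["secret"], now + drift * STEP)
        otp_ok |= hmac.compare_digest(expected.encode(), otp.encode())
    return pw_ok and otp_ok                    # both factors checked before deciding

# Constructed sample account (not real credentials)
SECRET = b"12345678901234567890"               # RFC 6238 test key
SALT = b"constructed-salt"
RECORD = {"secret": SECRET, "salt": SALT, "pw_hash": hash_password("hunter2", SALT)}
if __name__ == "__main__":
    print(verify("hunter2" + totp(SECRET, 59), RECORD, now=59))
```

Because the split is purely positional, a client that sends the password alone over a channel with no second field (HTTP basic auth, for instance) is rejected rather than having its last six characters misread as a code, unless those characters happen to be digits, in which case the OTP check fails instead.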