http://mikeboers.com/blog/2011/05/28/one-time-passwords-for-ssh-on-ubuntu-and-os-x
But now, it's become even easier. Let's say you would like to use Google Authenticator to log in to your SSH server. All you need is to install and configure some software from standard Debian packages. Here goes...
ntpdate
As we are using time-based tokens, make sure the clock is synced. Install ntpdate:
# apt-get install -y ntpdate
and sync your clock:
# ntpdate klokslag.surfnet.nl
oathtool
Install:
# apt-get install oathtool
You should now be able to invoke oathtool using HOTP. The sample key (from RFC 4226) yields 755224:
$ oathtool 3132333435363738393031323334353637383930
755224
For TOTP, use:
$ oathtool --totp 3132333435363738393031323334353637383930
195659
Of course, you will get a different answer because at the time of writing my clock shows 1370636289 and yours will show something different.
SSH
Edit the file /etc/ssh/sshd_config and set ChallengeResponseAuthentication to yes. Don't forget to restart the ssh daemon:
# invoke-rc.d ssh restart
PAM
Next step is to configure PAM:
# apt-get install libpam-oath
Edit the file /etc/pam.d/sshd and replace the unix login with oath login:
auth required pam_oath.so usersfile=/etc/users.oath
Here, we'll use the test key. It is the published RFC 4226 sample, so use a randomly generated secret for a real account.
# echo "HOTP/T30/6 jodi - 3132333435363738393031323334353637383930" >> /etc/users.oath
# chmod go-rw /etc/users.oath
Using Google Authenticator
To use an OATH token like Google Authenticator, use verbose mode to show the base32-encoded secret:
$ oathtool -v --totp 3132333435363738393031323334353637383930
Hex secret: 3132333435363738393031323334353637383930
Base32 secret: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Digits: 6
Window size: 0
Step size (seconds): 30
Start time: 1970-01-01 00:00:00 UTC (0)
Current time: 2013-06-07 20:26:56 UTC (1370636816)
Counter: 0x2B92455 (45687893)
152112
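How the fields in that verbose output fit together, as an added Python example (not from the original post or from the OATH Toolkit): it derives the base32 secret and the counter shown above, and shows that a code is rejected once the server clock drifts into another 30-second step, which is why the clock sync matters. The function names, the `window` parameter (counted in steps either side of the server clock) and the drift values are assumptions made for this sketch.

```python
import base64, hashlib, hmac, struct

HEX_SECRET = "3132333435363738393031323334353637383930"  # test key used on this page
STEP = 30  # seconds; the T30 in the users.oath line

def base32_secret(hex_secret):
    """Hex form (oathtool, users.oath) -> base32 form typed into the phone app."""
    return base64.b32encode(bytes.fromhex(hex_secret)).decode("ascii")

def counter_at(unix_time, step=STEP):
    """TOTP moving factor: whole steps elapsed since the Unix epoch."""
    return int(unix_time) // step

def hotp(hex_secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(bytes.fromhex(hex_secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(hex_secret, unix_time, digits=6):
    return hotp(hex_secret, counter_at(unix_time), digits)

def verify(hex_secret, code, server_time, window=0):
    """Accept `code` if it matches a step within +/- `window` of the server clock.
    `window` is this sketch's own parameter (assumption), counted in steps."""
    now = counter_at(server_time)
    ok = False
    for c in range(max(0, now - window), now + window + 1):
        # constant-time comparison; keep looping so timing does not reveal which step matched
        ok |= hmac.compare_digest(hotp(hex_secret, c).encode(), code.encode())
    return ok

if __name__ == "__main__":
    phone_time = 1370636816  # "Current time" from the verbose output above
    code = totp(HEX_SECRET, phone_time)
    print("base32:", base32_secret(HEX_SECRET), "counter:", hex(counter_at(phone_time)))
    for drift in (0, 10, 45):  # constructed server clock offsets, in seconds
        print(drift, verify(HEX_SECRET, code, phone_time + drift),
              verify(HEX_SECRET, code, phone_time + drift, window=1))
```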
Now, manually enter the secret in Authenticator, or scan an enrolment QR code, which you can generate using qrencode. Install using:
# apt-get install qrencode
and generate the QR code URL:
$ qrencode 'otpauth://totp/Debian7?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' -o enrol.png
The file enrol.png will look like this:
References
oath toolkit:
http://www.nongnu.org/oath-toolkit/index.html