  • OTP (One Time Passcodes) setup allows extra control over access to a device. The following setup was tested on Ubuntu Desktop 22.04 LTS only (it did NOT work on Kubuntu 22.04: KDE Plasma has no field for the OTP code during login, so login fails).

    OTP login setup

    1. Install the required package:
      sudo apt install libpam-google-authenticator
    2. Start the OTP setup; you'll be able to scan a QR code or view the init vector:
      google-authenticator
    3. Open the PAM settings to configure PAM to use libpam-google-authenticator:
      sudo nano /etc/pam.d/common-auth
    4. Append the following line to the end of the open file for permissive mode (allows login for users without OTP set up):
      auth required pam_google_authenticator.so nullok
       Alternatively, use restrictive mode:
      auth required pam_google_authenticator.so
    5. Append the following line to the end of the open file, then save it:
      auth required pam_permit.so
    6. Open the SSH server settings to configure the server to use libpam-google-authenticator. If you skip this, you might not be able to log in!
      sudo nano /etc/ssh/sshd_config
    7. Change the existing setting to the following (from no to yes), unless the original line is commented out, then save the changes:
      KbdInteractiveAuthentication yes
    8. Double-check all the changes. The command below restarts sshd to apply the configuration changes. If you've made a mistake or something has changed and you're connected remotely, you will have just lost access to the server, or will not be able to open a new connection until you fix the issue:
      sudo systemctl restart sshd.service
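
One way to do the double-check in step 8 before restarting sshd, as an added example that is not part of the original page. The function names (pam_otp_mode, sshd_kbd_value, otp_precheck) are made up for this example; the default paths are the two files edited above plus ~/.google_authenticator, the default secret file written by google-authenticator.

```shell
#!/usr/bin/env bash
# Added example: pre-restart checks for the OTP login setup (not from the original page).
# Function names are hypothetical; default paths are the files edited in steps 3 and 6.

# Print the OTP mode found in a PAM file: restrictive, permissive or missing.
pam_otp_mode() {
    local line
    # Last uncommented auth line that loads pam_google_authenticator.so
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1" | tail -n 1 || true)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -qw nullok; then
        echo permissive
    else
        echo restrictive
    fi
}

# Print the KbdInteractiveAuthentication value sshd would use from this one file
# (first occurrence wins, keywords are case-insensitive); "unset" if absent.
# Assumption: Include'd drop-in files and Match blocks are not followed.
sshd_kbd_value() {
    awk 'tolower($1) == "kbdinteractiveauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Return 0 only if the OTP prompt can work and this user will not be locked out.
otp_precheck() {
    local pam_file sshd_file secret mode kbd rc
    pam_file=${1:-/etc/pam.d/common-auth}
    sshd_file=${2:-/etc/ssh/sshd_config}
    secret=${3:-$HOME/.google_authenticator}
    rc=0
    mode=$(pam_otp_mode "$pam_file")
    kbd=$(sshd_kbd_value "$sshd_file")
    echo "PAM OTP mode: $mode"
    echo "KbdInteractiveAuthentication: $kbd"
    if [ "$mode" = missing ]; then
        echo "FAIL: no pam_google_authenticator.so line in $pam_file" >&2; rc=1
    fi
    if [ "$kbd" != yes ]; then
        echo "FAIL: sshd will not prompt for the OTP code" >&2; rc=1
    fi
    if [ "$mode" = restrictive ] && [ ! -f "$secret" ]; then
        echo "FAIL: restrictive mode, but $secret does not exist" >&2; rc=1
    fi
    return "$rc"
}

# Run against the real files only when asked to: ./otp-precheck.sh --check
if [ "${1:-}" = "--check" ]; then otp_precheck; fi
```

Run it as the user who will log in, before step 8, and keep the current SSH session open until a second session has logged in successfully. `sudo sshd -t` additionally checks sshd_config for syntax errors.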

    Generating OTP using oathtool

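    1. Install the required packages:
      sudo apt install oathtool gnupg2
    2. Create a new file:
      nano totp.sh
    3. Example script content:
      #!/usr/bin/env bash
      # Usage: ./totp.sh TOTP_INIT_CODE
      # $1 is the TOTP init code; -b tells oathtool it is base32-encoded.
      # Note: a secret passed as an argument is visible in the process list.
      while true; do
          # Print the current TOTP code once per second until interrupted (Ctrl+C)
          oathtool -b --totp "$1"
          sleep 1
      done
    4. Make the script executable:
      chmod +x totp.sh
    5. Start generating OTPs; store TOTP_INIT_CODE safely:
      ./totp.sh TOTP_INIT_CODE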