    OTP (One-Time Passcode) setup allows extra control over access to a device. The following setup was tested on Ubuntu Desktop 22.04 LTS only (it did NOT work on Kubuntu 22.04: KDE Plasma has no field for the OTP code during login, so login fails).

    OTP login setup

    1. Install the required package:
      sudo apt install libpam-google-authenticator
    2. Start the OTP setup; you'll be able to scan a QR code or view the init vector:
      google-authenticator
    3. Open the PAM settings to configure PAM to use libpam-google-authenticator:
      sudo nano /etc/pam.d/common-auth
    4. Append the following line to the end of the open file for permissive mode (allows login for a user without OTP setup):
      auth required pam_google_authenticator.so nullok
      Alternatively, use restrictive mode:
      auth required pam_google_authenticator.so
    5. Append the following line to the end of the open file, then save it:
      auth required pam_permit.so
    6. Open the SSH server settings so that sshd can use libpam-google-authenticator. If you skip this, you might not be able to log in!
      sudo nano /etc/ssh/sshd_config
    7. Change the existing setting to this (from no to yes), unless the original one is commented out, then save the changes:
      KbdInteractiveAuthentication yes
    8. Double-check all the changes. The command below restarts sshd to apply the configuration changes. If you've made a mistake or something has changed, and you're connected remotely, you will lose access to the server or be unable to open a new connection until you fix the issue:
      sudo systemctl restart sshd.service
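
The double-check in step 8 can be scripted. The following is an added example, not part of the original page: it reads the two edited files (or copies of them) and reports whether the PAM line and the KbdInteractiveAuthentication setting match the steps above. The function names are hypothetical and the sample files in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: read-only check of the two files
# edited above. Paths are arguments, so it can be run on copies first.

# First uncommented global value of a keyword; sshd uses the first value it reads.
sshd_first_value() {   # usage: sshd_first_value KEYWORD FILE
    awk -v key="$1" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }            # global section ends here
        tolower($1) == tolower(key) { print tolower($2); exit }' "$2"
}

# Prints restrictive, permissive (nullok present) or missing.
pam_otp_mode() {       # usage: pam_otp_mode PAM_FILE
    awk '
        $1 ~ /^#/ { next }
        $1 == "auth" && /pam_google_authenticator\.so/ {
            mode = "restrictive"
            for (i = 1; i <= NF; i++) if ($i == "nullok") mode = "permissive"
            print mode; found = 1; exit
        }
        END { if (!found) print "missing" }' "$1"
}

check_otp_login() {    # usage: check_otp_login PAM_FILE SSHD_CONFIG
    otp_rc=0
    otp_mode=$(pam_otp_mode "$1")
    otp_kbd=$(sshd_first_value KbdInteractiveAuthentication "$2")
    case $otp_mode in
        missing)     echo "FAIL: no pam_google_authenticator.so auth line in $1"; otp_rc=1 ;;
        permissive)  echo "WARN: nullok set, users without OTP setup log in without a code" ;;
        restrictive) echo "OK: restrictive mode, every user needs OTP setup to log in" ;;
    esac
    case $otp_kbd in
        yes) echo "OK: KbdInteractiveAuthentication yes" ;;
        "")  echo "WARN: KbdInteractiveAuthentication not set in $2" ;;
        *)   echo "FAIL: KbdInteractiveAuthentication $otp_kbd in $2"; otp_rc=1 ;;
    esac
    return "$otp_rc"
}

# Demo on constructed copies of the two files (not the live system files).
demo=$(mktemp -d)
printf 'auth required pam_google_authenticator.so nullok\nauth required pam_permit.so\n' > "$demo/common-auth"
printf '#KbdInteractiveAuthentication yes\nKbdInteractiveAuthentication no\n' > "$demo/sshd_config"
check_otp_login "$demo/common-auth" "$demo/sshd_config" || echo "Fix the FAIL lines before restarting sshd."
rm -rf "$demo"
```

On the live system, sudo sshd -t validates the configuration syntax and sudo sshd -T prints the effective settings, including values that come from included files. Keep the current SSH session open while testing a new login in a second one.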

    Generating OTP using oathtool

    1. Install the required packages:
      sudo apt install oathtool gnupg2
    2. Create a new file:
      nano totp.sh
    3. Example script content:
      #!/usr/bin/env bash
      # Print the current TOTP code for the base32 secret given as $1, once per second.
      while true; do
          oathtool -b --totp "$1"
          sleep 1
      done
    4. Make the script executable:
      chmod +x totp.sh
    5. Start generating OTPs; store TOTP_INIT_CODE safely:
      ./totp.sh TOTP_INIT_CODE

    Last update: 2024-09-25