How to enable TFA for SSH?

[Chiaki]

Hello everyone!
I've read several times on this forum that people are using TFA for SSH but I can't find that option.

I've configured TOTP for the root user and enforce OATH on both pam and pve realms.

Still, when I try to connect via SSH (via Putty) nothing asks me for a TOTP; username and password suffice.

What are the necessary steps to make TOTP for SSH mandatory?

Thanks in advance!

 

[fireon]

Yes this working for Default. A very good documentation about is from nomachine.

 

[Chiaki]

Hi, I don't understand your answer.

If you're saying that Proxmox should ask me for TOTP after setting it up via Web GUI when I try to connect via Putty by default: It doesn't.

Can anybody describe the necessary steps to make sure that TOTP will be required when connecting via SSH?

EDIT: You can answer in German as well, if that's easier.

 

[fireon]

You've added your question in the English part so...

TOTP from Proxmox is only for the webinterface, not for the cli. If you would like to have TOTP also for the cli follow the instruction on the link and begin at point "4.2. Example 2: use Google Authenticator" Every thing is on pve, nothing to compile.

 

[Chiaki]

Thanks for clarifying! Is there a way to reuse the secret key from the Proxmox Web GUI with libpam-google-authenticator? It doesn't look like I could force my own key =/...

 

[Chiaki]

So I tried doing it backwards: Use the key generated in google-authenticator for Proxmox Web GUI. But then I get the error:

Parameter verification failed. (400)

key: value does not match the regex pattern

My guess is that Proxmox Web GUI requires a key of shorter size. The google-authenticator generated key is longer.

So either I need to find a way to put the Proxmox Web GUI key into google-authenticator or I the Proxmox Web GUI has to accept longer TOTP secret keys.

Any ideas?

 

[Vasilij Lebedinskij]

Just update PVE. Everything works like a charm.