(Open)SSH as a TOTP *Token*?

Stuart Henderson stu at spacehopper.org
Tue Feb 21 00:20:02 AEDT 2023

On 2023/02/20 23:59, Darren Tucker wrote:
> On Mon, 20 Feb 2023 at 20:03, Jochen Bern <Jochen.Bern at binect.de> wrote:
> > A quick question, if I may: Today, I heard a rumour that "ssh" can be
> > used as a TOTP *token* (i.e., accept or generate a secret for a
> > configuration and generate TOTP codes from there on out, to be entered
> > into some *other* software requesting them for 2FA).
> I'm not aware of any way that ssh(1) can act as a TOTP (ie RFC6238 or
> similar).  As you point out sshd can use TOTP to authenticate via a
> couple of different mechanisms that implement TOTP.
> > Am I correct to assume that someone got the participants in a TOTP setup
> > mixed up there?
> That would be my guess.  Maybe they meant openssl?  That would at
> least have the primitives needed to implement TOTP.

There's no support for this in the openssl command-line tool.
FWIW oathtool (in oath-toolkit) can do it, as can various password
managers (including gopass).

More information about the openssh-unix-dev mailing list