{"id":13652,"date":"2020-11-02T13:29:58","date_gmt":"2020-11-02T12:29:58","guid":{"rendered":"https:\/\/www.credativ.de\/blog\/credativ-inside\/two-factor-authentication-for-openssh-and-openvpn\/"},"modified":"2020-11-02T13:29:58","modified_gmt":"2020-11-02T12:29:58","slug":"two-factor-authentication-for-openssh-and-openvpn","status":"publish","type":"post","link":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/","title":{"rendered":"Two-Factor Authentication for OpenSSH and OpenVPN"},"content":{"rendered":"

Authentication using username and password still represents the standard procedure for most applications to authenticate to a service. However, the use of a second factor is becoming increasingly widespread and is even recommended<\/a> by the BSI, the German Federal Office for Information Security. While not mandatory, various web services at least offer the option to enable two-factor authentication (2FA) for a user account. <\/p>\n

However, not only the security of web services can be enhanced using 2FA\u2014classic services such as SSH also allow the use of a second factor alongside the usual authentication methods such as passwords or certificates.<\/p>\n

Methods<\/h2>\n

The most widely used method for one-time passwords as a second factor is probably TOTP, the Time-Based One-Time Password. The method is standardized in RFC6238<\/a> and is sometimes also known as Google Authenticator<\/em>. <\/p>\n

With TOTP, a numeric one-time password<\/em> (OTP) valid for a short period is calculated from the current time and the shared secret<\/em>, a secret known to both the service and the user.<\/p>\n

Typically\u2014and fixed in the case of Google Authenticator\u2014the password consists of 6 digits and has a validity period of 30 seconds. However, the standard also provides for other lengths and time periods. <\/p>\n

For calculating the OTP, there are CLI applications such as oathtool<\/code> as well as GUI applications such as KeePassXC<\/code> or smartphone apps such as AndOTP<\/code>.<\/p>\n

Setup<\/h2>\n

PAM (Pluggable Authentication Modules) is a collection of libraries that allows applications and services to delegate user authentication instead of having to implement it themselves. For this purpose, the messages exchanged during authentication between PAM and the user are forwarded through the application to the respective recipient. <\/p>\n

During this conversation, PAM processes the modules configured in the application’s service file, in which the respective authentication methods are implemented. PAM ultimately reports only success or failure of the authentication to the application itself. <\/p>\n

To use one-time passwords under Linux, the PAM module pam_oath<\/code><\/a> is recommended. All services that use PAM<\/a> to authenticate their users can thus be easily extended with two-factor authentication functionality. These include not only system internals such as login<\/code>, su<\/code>, or sudo<\/code>, but also network-accessible services such as SSH<\/code> or OpenVPN<\/code>. <\/p>\n

Depending on the distribution used, the PAM module is located in the package libpam-oath<\/code> (Debian etc.) or pam_oath<\/code> (CentOS etc.) and can be installed from the official sources.<\/p>\n

PAM<\/h2>\n

To set up TOTP for SSH, the corresponding PAM service file<\/a> must be modified. This is located at \/etc\/pam.d\/sshd<\/code>. <\/p>\n

This file is approximately 50 lines long and describes, among other things, how a user’s identity can be verified when logging in via SSH and what environment is created before calling their login shell.<\/p>\n

The exact function of the individual entries would exceed the scope of this article. The only line of interest for setting up TOTP is <\/p>\n

@include common-auth<\/pre>\n
This adopts the default system behavior defined in the service file \/etc\/pam.d\/common-auth<\/code>: using the module pam_unix<\/code>, the user’s password is compared with that in \/etc\/shadow<\/code>.<\/p>\n
To require verification of an OTP using pam_oath<\/code>, the following line is added directly below the above @include<\/code> directive:<\/p>\n
auth required pam_oath.so usersfile=\/etc\/users.oath digits=6 window=2<\/pre>\n
The parameter usersfile<\/code> refers to a file in which the users’ shared secrets are stored, digits=6<\/code> sets the length of the OTP to 6 digits.<\/p>\n
Using window=2<\/code> enlarges the window of allowed OTPs. With a window size of 2, in addition to the currently valid OTP, the passwords from the previous and next time period are also valid. While a window size of 0 only allows the current OTP, an increasing number allows one more future and one more past password respectively. Additional parameters can be found in the module’s documentation<\/a>.   <\/p>\n
The structure<\/a> of the usersfile<\/em> follows the *NIX tradition<\/a>: each line represents an entry containing multiple fields separated by one or more spaces. While an entry can contain up to nine fields, only the first four are relevant when setting up a new user. They contain, in order: the method used, the username, an optional PIN, and in the last field the shared secret.  <\/p>\n
The RFC recommends a 160-bit (i.e., 20-byte) random number as the shared secret. This can easily be created using the openssl<\/code> program: <\/p>\n
$ openssl rand -hex 20<\/pre>\n
The output is the 40-character Base16<\/a>-encoded representation of the randomly generated string, for example e2e36e1f3010bba83fed4118244f85be1cbb23fd<\/em>.<\/p>\n
To append an entry for the user alice<\/em> using the TOTP<\/em> method with a validity period of 30 seconds to the usersfile, the following command line can be used. The call to openssl contained in $()<\/code> is replaced by its output, the 20-byte shared secret. <\/p>\n
$ echo \"HOTP\/T30 alice - $(openssl rand -hex 20)\" | tee -a \/etc\/users.oath<\/pre>\n
The program tee<\/code> outputs the generated entry including the shared secret on the command line and also appends it as an additional line to the usersfile \/etc\/users.oath<\/code>:<\/p>\n
$ echo \"HOTP\/T30 alice - $(openssl rand -hex 20)\" | tee -a \/etc\/users.oath\nHOTP\/T30 alice - e2e36e1f3010bba83fed4118244f85be1cbb23fd<\/pre>\n
SSH<\/h3>\n
An OpenSSH configured with default settings authenticates users using the built-in  PasswordAuthentication<\/code>. To use PAM, this must be disabled and ChallengeResponseAuthentication<\/code> enabled instead. Authentication via PAM is then activated using the parameter UsePAM<\/code>. <\/p>\n
The configuration file \/etc\/ssh\/sshd_config<\/code> must therefore contain the following lines:<\/p>\n
PasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes<\/pre>\n
Demo<\/h4>\n
Due to the changes to the OpenSSH configuration, the prompt that requests password entry during connection establishment has changed.<\/p>\n
The PasswordAuthentication<\/em> built into OpenSSH displayed the username and hostname used for the connection in the prompt.<\/p>\n
alice@local$ ssh alice@192.0.2.1\nalice@192.0.2.1's password:\nalice@remote$<\/pre>\n
After switching to PAM using ChallengeResponseAuthentication<\/em>, the input prompt of the respective PAM module is displayed: first pam_unix<\/em>, then pam_oath<\/em>.<\/p>\n
alice@local$ ssh alice@192.0.2.1\nPassword:\nOne-time password (OATH) for `alice':\nalice@remote$<\/pre>\n
OpenVPN<\/h3>\n
OpenVPN classically authenticates users via certificates validated by a trusted, often local, CA. However, during the connection establishment process, it is also possible to query a username and associated password on the client side and verify them on the server side. <\/p>\n
To add 2FA to an existing OpenVPN installation, only a few changes to the configuration files are required.<\/p>\n
To enable OpenVPN to delegate authentication of the username and password to PAM, the PAM plugin included in the standard installation is entered in the server’s OpenVPN configuration:<\/p>\n
plugin \/usr\/lib\/openvpn\/openvpn-plugin-auth-pam.so openvpn<\/pre>\n
The parameter openvpn<\/code> corresponds to the name of the PAM service file in \/etc\/pam.d\/<\/code>, which must be newly created:<\/p>\n
auth required pam_oath.so usersfile=\/etc\/users.oath digits=6 window=2\n@include common-account<\/pre>\n
If there are no user accounts on the machine running the OpenVPN service, their existence check can be skipped with a modified service file:<\/p>\n
auth required pam_oath.so usersfile=\/etc\/users.oath digits=6 window=2\naccount required pam_permit.so<\/pre>\n
The module pam_permit<\/code> always returns success<\/em>. Since it is the only specified module of type auth<\/em>, only its result is evaluated. <\/p>\n
On the client side, only the following line needs to be added to the configuration so that the user is prompted for their username and (one-time) password during connection establishment:<\/p>\n
auth-user-pass<\/pre>\n
If the connection is configured on the client side via a GUI such as NetworkManager, under Connection type<\/em>, instead of the usual setting Certificates (TLS)<\/em>, the entry Password with certificates (TLS)<\/em> must be selected. Under Username<\/em>, the username to be used is entered, but the Password<\/em> field remains empty; the option Ask for this password every time<\/em> must be selected there. <\/p>\n
Demo<\/h4>\n
After adjusting the configuration on the client, the user is prompted to enter a username and the associated OTP during the TLS negotiation of the connection establishment, immediately after certificate verification.<\/p>\n
# openvpn client.conf\n...\nEnter Auth Username: alice\nEnter Auth Password: ******\n...<\/pre>\n
Even when using NetworkManager, the user is prompted for the current one-time password during connection establishment.<\/p>\n
\"IMG<\/a>
OTP query during connection establishment<\/figcaption><\/figure>\n
Calculate OTP<\/h2>\n
The shared secret, or shared secret<\/em>, must\u2014as the name suggests\u2014be known to both sides. On the server side, it is located in the usersfile; on the client side, there are various ways for the user to store the shared secret in order to calculate an OTP. <\/p>\n
The shared secret required for calculation was generated with the openssl<\/code> call listed above and output in hexadecimal representation or Base16-encoded. In addition to Base16, representation in Base32 is also common, so care must be taken as to which encoding a program expects when entering the shared secret. Both mentioned methods are described and standardized in RFC 4648<\/a>.  <\/p>\n
While the tools base32<\/code> and base64<\/code> for Base32 and Base64 respectively are already included in the package coreutils<\/code>, another tool must be installed for converting from Base16, for example basez<\/code>. In addition to the main application basez<\/code>, several symbolic links to it are also created, including base16<\/code>, which can be used like base32<\/code> and base64<\/code>. <\/p>\n
To convert the shared secret generated above for alice<\/em> from Base16 to Base32, the following call is sufficient. The option -d<\/code> when calling base16<\/code> stands for decode<\/em>, since the conversion is from Base16. <\/p>\n
$ echo e2e36e1f3010bba83fed4118244f85be1cbb23fd | base16 -d | base32\n4LRW4HZQCC52QP7NIEMCIT4FXYOLWI75<\/pre>\n
In Base32 encoding, the shared secret is 4LRW4HZQCC52QP7NIEMCIT4FXYOLWI75<\/em>.<\/p>\n
As expected, there are also numerous web-based tools online for converting between the various encodings. However, transmission to websites is not recommended: even a shared secret is a secret<\/strong> and should not be disclosed to third parties! <\/p>\n
The situation is similar when using QR codes, which will be covered in a separate article. Although widely used, their use is not without risks that should be analyzed and minimized beforehand. <\/p>\n
CLI<\/h3>\n
The program  oathtool<\/code>  enables the calculation of OTP on the command line. To calculate TOTP, it is passed the argument --totp<\/code> and the shared secret in Base16 encoding when called: <\/p>\n
$ oathtool --totp e2e36e1f3010bba83fed4118244f85be1cbb23fd<\/pre>\n
oathtool<\/code>  assumes an OTP length of 6 digits and a window of 0. These assumptions can be adjusted with the arguments -d<\/code> (Digits) and -w<\/code> (Window). <\/p>\n
If the shared secret is Base32-encoded, the argument -b<\/code> must be prepended:<\/p>\n
$ oathtool --totp -b 4LRW4HZQCC52QP7NIEMCIT4FXYOLWI75<\/pre>\n
GUI<\/h3>\n
In addition to securely storing static passwords, KeepassXC also offers the ability to generate one-time passwords according to TOTP. For this purpose, the shared secret is stored as an attribute of an entry. <\/p>\n
The shared secret can be added to an existing entry as a key<\/em> by right-clicking and selecting Time-based One-Time Password (TOTP) > Set up TOTP\u2026<\/em>. RFC 6238 token standard settings<\/em> assumes a length of 6 digits and a validity of 30 seconds. The Base16-encoded shared secret is expected as the key. <\/p>\n
\"Call:<\/a>
Call: Set up TOTP<\/figcaption><\/figure>\n
\"Dialog:<\/a>
Dialog: Set up TOTP<\/figcaption><\/figure>\n
By right-clicking on the entry, the current one-time password can be displayed via Time-based One-Time Password (TOTP) > Show TOTP<\/em>, or copied to the clipboard via Copy TOTP<\/em>.<\/p>\n
\"Call:<\/a>
Call: Show TOTP<\/figcaption><\/figure>\n
\"Dialog:<\/a>
Dialog: Show TOTP<\/figcaption><\/figure>\n
Smartphone App<\/h2>\n
To calculate a TOTP on a smartphone, andOTP<\/a> is recommended. The app is free software, licensed under the MIT License, and can be easily installed via F-Droid<\/a> or from the Google Play Store<\/a>. <\/p>\n
A new entry can be created via the plus button in the lower right corner of the screen. In addition to the option to scan a QR code, the shared secret can be entered manually via the menu item Enter details<\/em>, along with some settings such as time period, length, or hash algorithm. <\/p>\n
\"Entering<\/a>
Entering details in andOTP<\/figcaption><\/figure>\n
\"Display<\/a>
Display of the current TOTP in andOTP<\/figcaption><\/figure>\n
The possibility of reading the shared secret and settings for calculating a TOTP using a QR code will be covered in an upcoming article.<\/p>\n
Conclusion<\/h2>\n
The examples presented demonstrate how easy it is to extend even existing services with two-factor authentication using TOTP. It is only necessary to configure the connection to PAM and the use of the pam_oath<\/em> module in the corresponding service file. <\/p>\n
The procedure shown is primarily suitable for individual systems with a few user accounts to be secured. More complex installations and other methods for one-time passwords are also possible. <\/p>\n
Support<\/h2>\n
If you require support with the configuration or use of two-factor authentication, our Open Source Support Center<\/a> is at your disposal – if desired, also 24 hours a day, 365 days a year.<\/p>\n","protected":false},"excerpt":{"rendered":"
Authentication using username and password still represents the standard procedure for most applications to authenticate to a service. However, the use of a second factor is becoming increasingly widespread and is even recommended by the BSI, the German Federal Office for Information Security. While not mandatory, various web services at least offer the option to […]<\/p>\n","protected":false},"author":60,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_improvement_type_select":"improve_an_existing","_thumb_yes_seoaic":false,"_frame_yes_seoaic":false,"seoaic_generate_description":"","seoaic_improve_instructions_prompt":"","seoaic_rollback_content_improvement":"","seoaic_idea_thumbnail_generator":"","thumbnail_generated":false,"thumbnail_generate_prompt":"","seoaic_article_description":"","seoaic_article_subtitles":[],"footnotes":""},"categories":[1885],"tags":[1709,1759,1764,1850],"class_list":["post-13652","post","type-post","status-publish","format-standard","hentry","category-howtos-en","tag-2fa-en","tag-openssh-en","tag-openvpn-en","tag-ssh-en"],"acf":[],"yoast_head":"\nTwo-Factor Authentication for OpenSSH and OpenVPN - credativ\u00ae<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Two-Factor Authentication for OpenSSH and OpenVPN\" \/>\n<meta property=\"og:description\" content=\"Authentication using username and password still represents the standard procedure for most applications to authenticate to a service. However, the use of a second factor is becoming increasingly widespread and is even recommended by the BSI, the German Federal Office for Information Security. While not mandatory, various web services at least offer the option to […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/\" \/>\n<meta property=\"og:site_name\" content=\"credativ\u00ae\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/credativDE\/\" \/>\n<meta property=\"article:published_time\" content=\"2020-11-02T12:29:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.credativ.de\/wp-content\/uploads\/2020\/10\/Zwei-Faktor-Authentisierung-fu\u0308r-OpenSSH-und-OpenVPN-Header.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2500\" \/>\n\t<meta property=\"og:image:height\" content=\"300\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jan Bolle\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@bollejansson\" \/>\n<meta name=\"twitter:site\" content=\"@credativde\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jan Bolle\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/\"},\"author\":{\"name\":\"Jan Bolle\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#\\\/schema\\\/person\\\/f33560ea675ef6722c4459154b42606e\"},\"headline\":\"Two-Factor Authentication for OpenSSH and OpenVPN\",\"datePublished\":\"2020-11-02T12:29:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/\"},\"wordCount\":1834,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2020\\\/10\\\/nm-passwort-1.png\",\"keywords\":[\"2FA\",\"OpenSSH\",\"OpenVPN\",\"SSH\"],\"articleSection\":[\"HowTos\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/#respond\"]}],\"copyrightYear\":\"2020\",\"copyrightHolder\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/#organization\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/\",\"name\":\"Two-Factor Authentication for OpenSSH and OpenVPN - credativ\u00ae\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2020\\\/10\\\/nm-passwort-1.png\",\"datePublished\":\"2020-11-02T12:29:58+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2020\\\/10\\\/nm-passwort-1.png\",\"contentUrl\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2020\\\/10\\\/nm-passwort-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Two-Factor Authentication for OpenSSH and OpenVPN\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/\",\"name\":\"credativ GmbH\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Organization\",\"Place\"],\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#organization\",\"name\":\"credativ\u00ae\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/\",\"logo\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/#local-main-organization-logo\"},\"image\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/#local-main-organization-logo\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/credativDE\\\/\",\"https:\\\/\\\/x.com\\\/credativde\",\"https:\\\/\\\/mastodon.social\\\/@credativde\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/credativ-gmbh\",\"https:\\\/\\\/www.instagram.com\\\/credativ\\\/\"],\"description\":\"Die credativ GmbH ist ein f\u00fchrendes, auf Open Source Software spezialisiertes IT-Dienstleistungs- und Beratungsunternehmen. Wir bieten umfassende und professionelle Services, von Beratung und Infrastruktur-Betrieb \u00fcber 24\\\/7 Support bis hin zu individuellen L\u00f6sungen und Schulungen. Unser Fokus liegt auf dem ganzheitlichen Management von gesch\u00e4ftskritischen Open-Source-Systemen, darunter Betriebssysteme (z.B. Linux), Datenbanken (z.B. PostgreSQL), Konfigurationsmanagement (z.B. Ansible, Puppet) und Virtualisierung. Als engagierter Teil der Open-Source-Community unterst\u00fctzen wir unsere Kunden dabei, die Vorteile freier Software sicher, stabil und effizient in ihrer IT-Umgebung zu nutzen.\",\"legalName\":\"credativ GmbH\",\"foundingDate\":\"2025-03-01\",\"duns\":\"316387060\",\"numberOfEmployees\":{\"@type\":\"QuantitativeValue\",\"minValue\":\"11\",\"maxValue\":\"50\"},\"address\":{\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/#local-main-place-address\"},\"geo\":{\"@type\":\"GeoCoordinates\",\"latitude\":\"51.1732374\",\"longitude\":\"6.392010099999999\"},\"telephone\":[\"+4921619174200\",\"08002733284\"],\"contactPoint\":{\"@type\":\"ContactPoint\",\"telephone\":\"08002733284\",\"email\":\"vertrieb@credativ.de\"},\"openingHoursSpecification\":[{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Monday\",\"Tuesday\",\"Wednesday\",\"Thursday\",\"Friday\"],\"opens\":\"09:00\",\"closes\":\"17:00\"},{\"@type\":\"OpeningHoursSpecification\",\"dayOfWeek\":[\"Saturday\",\"Sunday\"],\"opens\":\"00:00\",\"closes\":\"00:00\"}],\"email\":\"info@credativ.de\",\"areaServed\":\"D-A-CH\",\"vatID\":\"DE452151696\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/#\\\/schema\\\/person\\\/f33560ea675ef6722c4459154b42606e\",\"name\":\"Jan Bolle\",\"description\":\"Jan arbeitet seit 2020 an Projekten des Support\u2013Teams und der Internen IT, nachdem er bereits sein Praktikum im Rahmen seines Informatikstudiums bei credativ absolvierte und auch seine Bachelorarbeit zum Thema Einmalpassw\u00f6rter, Zwei\u2013Faktor\u2013Authentisierung und OpenVPN bei credativ schrieb. Bereits zu Schulzeiten interessierte er sich f\u00fcr Freie Software, Netzwerke und Telekommunikation und richtete zusammen mit Mitsch\u00fclern ein Internetcaf\u00e9 ein, auf dessen Server und Clients Debian GNU\\\/Linux seinen Dienst verrichtete.\",\"sameAs\":[\"https:\\\/\\\/x.com\\\/bollejansson\"]},{\"@type\":\"PostalAddress\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/#local-main-place-address\",\"streetAddress\":\"Hennes-Weisweiler-Allee 23\",\"addressLocality\":\"M\u00f6nchengladbach\",\"postalCode\":\"41179\",\"addressRegion\":\"Deutschland\",\"addressCountry\":\"DE\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.credativ.de\\\/en\\\/blog\\\/howtos-en\\\/two-factor-authentication-for-openssh-and-openvpn\\\/#local-main-organization-logo\",\"url\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/credativ-logo-right.svg\",\"contentUrl\":\"https:\\\/\\\/www.credativ.de\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/credativ-logo-right.svg\",\"caption\":\"credativ\u00ae\"}]}<\/script>\n<meta name=\"geo.placename\" content=\"M\u00f6nchengladbach\" \/>\n<meta name=\"geo.position\" content=\"51.1732374;6.392010099999999\" \/>\n<meta name=\"geo.region\" content=\"Germany\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Two-Factor Authentication for OpenSSH and OpenVPN - credativ\u00ae","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/","og_locale":"en_US","og_type":"article","og_title":"Two-Factor Authentication for OpenSSH and OpenVPN","og_description":"Authentication using username and password still represents the standard procedure for most applications to authenticate to a service. However, the use of a second factor is becoming increasingly widespread and is even recommended by the BSI, the German Federal Office for Information Security. While not mandatory, various web services at least offer the option to […]","og_url":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/","og_site_name":"credativ\u00ae","article_publisher":"https:\/\/www.facebook.com\/credativDE\/","article_published_time":"2020-11-02T12:29:58+00:00","og_image":[{"width":2500,"height":300,"url":"https:\/\/www.credativ.de\/wp-content\/uploads\/2020\/10\/Zwei-Faktor-Authentisierung-fu\u0308r-OpenSSH-und-OpenVPN-Header.jpg","type":"image\/jpeg"}],"author":"Jan Bolle","twitter_card":"summary_large_image","twitter_creator":"@bollejansson","twitter_site":"@credativde","twitter_misc":{"Written by":"Jan Bolle","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/#article","isPartOf":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/"},"author":{"name":"Jan Bolle","@id":"https:\/\/www.credativ.de\/en\/#\/schema\/person\/f33560ea675ef6722c4459154b42606e"},"headline":"Two-Factor Authentication for OpenSSH and OpenVPN","datePublished":"2020-11-02T12:29:58+00:00","mainEntityOfPage":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/"},"wordCount":1834,"commentCount":0,"publisher":{"@id":"https:\/\/www.credativ.de\/en\/#organization"},"image":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/#primaryimage"},"thumbnailUrl":"https:\/\/www.credativ.de\/wp-content\/uploads\/2020\/10\/nm-passwort-1.png","keywords":["2FA","OpenSSH","OpenVPN","SSH"],"articleSection":["HowTos"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/#respond"]}],"copyrightYear":"2020","copyrightHolder":{"@id":"https:\/\/www.credativ.de\/#organization"}},{"@type":"WebPage","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/","url":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/","name":"Two-Factor Authentication for OpenSSH and OpenVPN - credativ\u00ae","isPartOf":{"@id":"https:\/\/www.credativ.de\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/#primaryimage"},"image":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/#primaryimage"},"thumbnailUrl":"https:\/\/www.credativ.de\/wp-content\/uploads\/2020\/10\/nm-passwort-1.png","datePublished":"2020-11-02T12:29:58+00:00","breadcrumb":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/#primaryimage","url":"https:\/\/www.credativ.de\/wp-content\/uploads\/2020\/10\/nm-passwort-1.png","contentUrl":"https:\/\/www.credativ.de\/wp-content\/uploads\/2020\/10\/nm-passwort-1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.credativ.de\/en\/"},{"@type":"ListItem","position":2,"name":"Two-Factor Authentication for OpenSSH and OpenVPN"}]},{"@type":"WebSite","@id":"https:\/\/www.credativ.de\/en\/#website","url":"https:\/\/www.credativ.de\/en\/","name":"credativ GmbH","description":"","publisher":{"@id":"https:\/\/www.credativ.de\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.credativ.de\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Organization","Place"],"@id":"https:\/\/www.credativ.de\/en\/#organization","name":"credativ\u00ae","url":"https:\/\/www.credativ.de\/en\/","logo":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/#local-main-organization-logo"},"image":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/#local-main-organization-logo"},"sameAs":["https:\/\/www.facebook.com\/credativDE\/","https:\/\/x.com\/credativde","https:\/\/mastodon.social\/@credativde","https:\/\/www.linkedin.com\/company\/credativ-gmbh","https:\/\/www.instagram.com\/credativ\/"],"description":"Die credativ GmbH ist ein f\u00fchrendes, auf Open Source Software spezialisiertes IT-Dienstleistungs- und Beratungsunternehmen. Wir bieten umfassende und professionelle Services, von Beratung und Infrastruktur-Betrieb \u00fcber 24\/7 Support bis hin zu individuellen L\u00f6sungen und Schulungen. Unser Fokus liegt auf dem ganzheitlichen Management von gesch\u00e4ftskritischen Open-Source-Systemen, darunter Betriebssysteme (z.B. Linux), Datenbanken (z.B. PostgreSQL), Konfigurationsmanagement (z.B. Ansible, Puppet) und Virtualisierung. Als engagierter Teil der Open-Source-Community unterst\u00fctzen wir unsere Kunden dabei, die Vorteile freier Software sicher, stabil und effizient in ihrer IT-Umgebung zu nutzen.","legalName":"credativ GmbH","foundingDate":"2025-03-01","duns":"316387060","numberOfEmployees":{"@type":"QuantitativeValue","minValue":"11","maxValue":"50"},"address":{"@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/#local-main-place-address"},"geo":{"@type":"GeoCoordinates","latitude":"51.1732374","longitude":"6.392010099999999"},"telephone":["+4921619174200","08002733284"],"contactPoint":{"@type":"ContactPoint","telephone":"08002733284","email":"vertrieb@credativ.de"},"openingHoursSpecification":[{"@type":"OpeningHoursSpecification","dayOfWeek":["Monday","Tuesday","Wednesday","Thursday","Friday"],"opens":"09:00","closes":"17:00"},{"@type":"OpeningHoursSpecification","dayOfWeek":["Saturday","Sunday"],"opens":"00:00","closes":"00:00"}],"email":"info@credativ.de","areaServed":"D-A-CH","vatID":"DE452151696"},{"@type":"Person","@id":"https:\/\/www.credativ.de\/en\/#\/schema\/person\/f33560ea675ef6722c4459154b42606e","name":"Jan Bolle","description":"Jan arbeitet seit 2020 an Projekten des Support\u2013Teams und der Internen IT, nachdem er bereits sein Praktikum im Rahmen seines Informatikstudiums bei credativ absolvierte und auch seine Bachelorarbeit zum Thema Einmalpassw\u00f6rter, Zwei\u2013Faktor\u2013Authentisierung und OpenVPN bei credativ schrieb. Bereits zu Schulzeiten interessierte er sich f\u00fcr Freie Software, Netzwerke und Telekommunikation und richtete zusammen mit Mitsch\u00fclern ein Internetcaf\u00e9 ein, auf dessen Server und Clients Debian GNU\/Linux seinen Dienst verrichtete.","sameAs":["https:\/\/x.com\/bollejansson"]},{"@type":"PostalAddress","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/#local-main-place-address","streetAddress":"Hennes-Weisweiler-Allee 23","addressLocality":"M\u00f6nchengladbach","postalCode":"41179","addressRegion":"Deutschland","addressCountry":"DE"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.credativ.de\/en\/blog\/howtos-en\/two-factor-authentication-for-openssh-and-openvpn\/#local-main-organization-logo","url":"https:\/\/www.credativ.de\/wp-content\/uploads\/2025\/04\/credativ-logo-right.svg","contentUrl":"https:\/\/www.credativ.de\/wp-content\/uploads\/2025\/04\/credativ-logo-right.svg","caption":"credativ\u00ae"}]},"geo.placename":"M\u00f6nchengladbach","geo.position":{"lat":"51.1732374","long":"6.392010099999999"},"geo.region":"Germany"},"_links":{"self":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/posts\/13652","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/users\/60"}],"replies":[{"embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/comments?post=13652"}],"version-history":[{"count":0,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/posts\/13652\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/media?parent=13652"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/categories?post=13652"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.credativ.de\/en\/wp-json\/wp\/v2\/tags?post=13652"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}