Interactive Login in CMS with 2FA

After enrolling a TOTP token with the procedure from System/CMS_2FA, it is quite simple to use the One-Time Password (OTP) to log in remotely via SSH.

You may want to have the Authenticator app already open to the token you enrolled before beginning the SSH session, so that the session doesn't time out before you are able to enter the code.

Logging In

For comparison, your SSH login session without 2FA would appear similar to:

 leblancd @ cadence > ssh leblancd@cmsloginmachine
 Password:
 Last login: Mon Oct 31 12:37:01 2022
 Have a lot of fun...
 leblancd @ cmsloginmachine >

In an SSH session with 2FA in CMS, it looks similar to this:

 leblancd @ cadence > ssh leblancd@cmsloginmachine
 Password:
 OTP_Token:
 Last login: Mon Oct 31 12:37:27 2022
 Have a lot of fun...
 leblancd @ cmsloginmachine >

The obvious difference is the "OTP_Token" prompt, where you enter the code provided by your phone's (Google) Authenticator within the lifetime of the code and within the timeout of your SSH session.

If you have a PIN connected to your token

If you elected to set a PIN on your TOTP token when you enrolled, your PIN is combined with the 6-digit code provided by your phone's (Google) Authenticator.

(PIN + 6-digit OTP)

For example, your phone's Authenticator app refreshes the OTP code every 30 seconds, so if:
  • your PIN is 007121
  • in a 30-second timeframe, your Authenticator app code is 998 001
Then, after the "Password:" prompt, at the "OTP_Token" prompt, you would enter: 007121998001
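The sketch below is an added example, not code from this wiki or from the CMS login service. It shows how a 6-digit, 30-second code is derived and how the PIN-prefixed response is assembled, assuming the standard RFC 6238 algorithm with HMAC-SHA-1 (the Google Authenticator default); the function names are hypothetical and the secret is the public RFC 6238 test value, not a real token.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, as described on this page
DIGITS = 6   # length of the code shown by the Authenticator app


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP using HMAC-SHA-1 (assumed algorithm, see lead-in)."""
    counter = unix_time // step                      # index of the current 30 s window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)   # keep leading zeros


def seconds_left(unix_time: int, step: int = STEP) -> int:
    """Seconds remaining before the app rolls over to the next code."""
    return step - (unix_time % step)


def otp_token_response(pin: str, code: str) -> str:
    """Build the OTP_Token answer: PIN first, then the code without its display space."""
    code = code.replace(" ", "")
    if not (code.isdigit() and len(code) == DIGITS):
        raise ValueError("expected a 6-digit code from the Authenticator app")
    return pin + code


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret (constructed, not a real token)
    now = 1111111109                   # fixed timestamp from the RFC test vectors
    print("code:", totp(secret, now), "valid for", seconds_left(now), "more seconds")
    # PIN and code from the example on this page
    print("enter at OTP_Token prompt:", otp_token_response("007121", "998 001"))
```

With only a second or two left in the window, waiting for the next code before answering the prompt avoids submitting one that expires mid-login.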

-- DavidLeBlanc - 2022-10-18
Topic revision: r3 - 2022-11-07, DavidLeBlanc