Two Factor Authentication on OpenBSD with SSH and S/Key

Assuming you guys already setup SSH using SSH Keys , If not, kindly setup SSH first before proceeding.

To improve security of one's system, it is better combine both SSH public key and an OTP (One Time Password).

Configuring S/Key

S/Key is a simple, secure OTP system based on hash functions md5, rmd160 or sha1. S/key is standard part of OpenBSD distributions, however it is disabled by default.

To enable, use

$ doas skeyinit -E

Then each user using S/Key needs to initialize their account with skeyinit.

Note: You should be on a secure terminal before using 'skeyinit', Only use this method if you are directly connected or have an encrypted channel.

$ skeyinit
Password: <Enter your VPS Password here>

If you're using 'telnet' use skeyinit -s (read here for more info: skeyinit.1)

Once you entered password, it'll show

[Adding user with md5]

and asks for a passphrase, this passphrase is used to generate the OTP keys

Enter new secret passphrase: <Enter your desired passphrase here>
Again secret passphrase:     <Retype the above passphrase>

Note: The passphrase should be minimum 10 characters

Once done, the account is now setup and skeyinit echoes the next challenge and corresponding password.

ID user skey is otp-md5 100 user41451
Next login password: HONE HOOF RILL BULK HEAL COWL

Note: By default it creates md5 hash based key, to change it to sha1, you can use

$ skeyinit -sha1

The next step is to force the login to use S/Key instead of the traditional password.

Edit login.conf and make the following changes

"By default, it should be "auth-defaults:passwd,skey:" change it as follows"


note that you must include the whitespace, otherwise it won't work.

Now, change sshd-config file to require SSH to use both authentication methods.

$ doas nano /etc/ssh/sshd_config

under "# Authentication:"

AuthenticationMethods publickey,keyboard-interactive

Save and exit.

$ doas rcctl restart sshd

and done, any user with default login profile will be forced to have a vaild SSH key on their PC and S/Key OTP to connect to the server.

CAUTION: Do not disconnect the current window that already logged in to the server. Use a new window/tab to test the "ssh + otp" is working, incase if something went wrong you will want redo the steps properly or enable password login sshd_config and restart sshd again.

Now, to calculate the challenge, Android users download OTPdroid or on iOS download OTP

CAUTION: The android and iPhone apps only have md5 and sha1 methods, if you're using rmd160, kindly find any app that supports it or use the alternative way below.

alternatively, if you don't have phone, you can print next challenges on a paper or write down somewhere by using

$ skey -n 10 `skeyinfo`

The above command will print next 10 challenges on screen. (Do not use this method when you're on telnet).

Now that all set, you can try login in terminal


  |  ssh user@youruserhost |
  |  otp-md5 97 user12446  |
  |  S/Key Password:       |

after you tried ssh, it echoes the challenge: key type and sequence number and user12446 (user id with some random numbers) and asks for S/Key Password (the OTP).

To generate OTP, open the mobile app

Enter your passphrase (the secret passphrase you entered above) , under 'challenge' select the key 'md5' or 'sha1' (as you see in the terminal) and type the sequence number (97) and (user12446)

Screenshot 1:

Tap on 'Calculate' , you'll get a response , a OTP of six words as shown in the image below:

Screenshot 2:

You can enter the OTP on terminal as "cook days eros well fell gas" and press enter to login, although the OTP shown all capitalized in the screenshot, you can type without capitalizing.

Note: Before the sequence ends up, you might wanna generate another set of keys using "skeyinit".