Add Two-Factor Authentication to SSH Logins

Private shared this idea ago

Open Discussion

Now that 2FA works via cPanel/WHM logins, it would also be nice to have 2FA working when logging into SSH. So, if a user has 2FA turned on for their account (including root), they should also be asked to enter the 2FA OTP after they log in to SSH regardless of whether they already use SSH keys or just their regular passwords. This would greatly add to the security of the servers, especially if it could also work using more advanced 2FA methods using Yubikeys, U2F, etc...

I like this idea 3

Replies (2)

Eric Gillette ●

I don't like this idea at all since I just had to disable 2-factor for one of my clients who lost his phone and could no longer use 2-factor to login via WHM -- imagine if he had turned on 2-factor for SSH as well. He'd have been completely locked out of his server and I would have been powerless to help him. Sorry, I don't like this idea. People are too careless. I would support this feature if the server allowed another method of access if SSH and WHM were both locked out with 2-factor and there was no access (like in today's case where my client lost his phone).

Reply URL

benny@cpanel.net ●

Thank you for that feedback! Making sure that there's a viable recovery option is definitely something we can keep in mind if this request gets picked up by the development team.

URL

Eric Gillette ●

I appreciate that. I just like to think of all the possible angles. ;-)

URL

Martin eaps ●

Am I wrong in thinking that using remote SSH Keys is the same effect as 2FA, if not stronger? to access my servers on SSH I need to have the SSH key AND the key password. Adding 2FA on top of this would not seem to add more entropy/security to the login process.

URL

j prost ●

I only see two reasons for supporting 2FA for SSH

1. SSH Keys are too hard

2. Support for mobile administration (i.e. logging in from a machine that doesn't have SSH Keys)

Reply URL