OpenSSH OTP


Pros & Cons
Better Options than OTP

Use security keys (FIDO2/U2F security keys/hardware-backed SSH keys) that act as an agent; meaning the private key never leaves the device, and only the result of the signing calculation is sent off the device.

Ed25519 (EdDSA, the Edwards-curve Digital Signature Algorithm) is recommended.
Security keys (FIDO2/U2F security keys/hardware-backed SSH keys) do not support RSA public/private keys.

OTP is legacy

OTP had a purpose when passwords were used widely; today passwords are outdated, and this is the era when public/private keys should be the common norm.
But OTP can still be utilized today, from a sysadmin's point of view, for protecting against key theft (attackers targeting users' keys).
It is a great option if you are mainly stuck with normal file-based public/private keys and need to (generate some working hours/make users' lives a nightmare).
But for modern, proper security practice you would use security keys (FIDO2/U2F security keys/hardware-backed SSH keys)
exclusively, without creating the need for OTP for backwards compatibility, which increases complexity and increases the attack surface.
But security keys (FIDO2/U2F security keys/hardware-backed SSH keys) are not always financially (feasible/justified)
in the eyes of the bean counters at the office, or within individual users' budgets.
OTP is legacy, but it can be a good (stepping stone/motivation) towards security keys (FIDO2/U2F security keys/hardware-backed SSH keys).

OTP
Strategic Theory

Using OTP with passwords only is NOT a good strategy, and should be avoided.

The only safe use case is chaining the authentication as public/private key + OTP.
The logic is: even if the key is stolen, and is stored unencrypted by a large percentage of users,
an attacker would still need the OTP to successfully gain access.
Trip wire: this would of course be paired with a trip wire mechanism such as fail2ban's maximum authentication tries,
making it extremely unlikely that an attack attempt succeeds before being noticed.
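One form of the trip wire described above, as an added example that is not part of the original page: it scans sshd auth log lines for the stolen-key pattern, a source whose public key was accepted ("Partial publickey", which sshd logs when a chained method succeeds) but which then repeatedly fails the keyboard-interactive OTP step. The log lines, hostnames and fingerprints are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth log (not captured from a real host). With
# "AuthenticationMethods publickey,keyboard-interactive" sshd logs
# "Partial publickey" once the key is accepted, then either
# "Accepted keyboard-interactive/pam" or "Failed keyboard-interactive/pam".
SAMPLE_LOG = """\
Apr 28 19:41:50 httpd sshd[2101]: Partial publickey for user1 from 144.24.46.145 port 50210 ssh2: ED25519 SHA256:PLACEHOLDER
Apr 28 19:41:55 httpd sshd[2101]: Accepted keyboard-interactive/pam for user1 from 144.24.46.145 port 50210 ssh2
Apr 28 20:02:01 httpd sshd[2144]: Partial publickey for user1 from 203.0.113.77 port 41022 ssh2: ED25519 SHA256:PLACEHOLDER
Apr 28 20:02:04 httpd sshd[2144]: Failed keyboard-interactive/pam for user1 from 203.0.113.77 port 41022 ssh2
Apr 28 20:02:09 httpd sshd[2144]: Failed keyboard-interactive/pam for user1 from 203.0.113.77 port 41022 ssh2
Apr 28 20:02:15 httpd sshd[2144]: Failed keyboard-interactive/pam for user1 from 203.0.113.77 port 41022 ssh2
Apr 28 20:05:30 httpd sshd[2150]: Failed publickey for user2 from 198.51.100.9 port 39011 ssh2: RSA SHA256:PLACEHOLDER
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Partial|Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def stolen_key_suspects(log_text: str, max_tries: int = 3) -> dict:
    """Return {(user, ip): otp_failures} for sources whose SSH key was accepted
    (Partial publickey) but which then failed the OTP step max_tries or more
    times. A valid key plus repeated OTP failures is exactly the stolen-key
    pattern the key-then-OTP chain is designed to stop."""
    key_accepted = set()
    otp_failures = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        who = (m["user"], m["ip"])
        if m["result"] == "Partial" and m["method"] == "publickey":
            key_accepted.add(who)
        elif m["result"] == "Failed" and m["method"].startswith("keyboard-interactive"):
            otp_failures[who] += 1
    return {who: n for who, n in otp_failures.items()
            if who in key_accepted and n >= max_tries}


if __name__ == "__main__":
    for (user, ip), n in stolen_key_suspects(SAMPLE_LOG).items():
        print(f"ALERT: valid key for {user} from {ip} but {n} failed OTP codes")
```

A plain failed-key attempt (user2 above) is ordinary noise for fail2ban; the alert fires only when the key itself is good, which is the case worth a ticket and a key rotation.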

Math

Not all OTP codes are equal:

4-digit codes have 10,000 combinations and are not suitable.
6-digit codes have 1,000,000 combinations, but since we want low odds for the attacker we need to use 8-digit codes,
limiting the attack's success rate drastically: the attacker needs to hit the right code within the (3 max tries), with an odds ratio of 3:100,000,000 for an 8-digit high-security operation code.

OpenSSH OTP Module

OpenSSH OTP is usually not enabled by default.
OpenSSH itself does not generate Google Authenticator style TOTP codes directly.
Instead, SSH OTP is commonly handled through PAM using the module pam_google_authenticator.so.

On most Linux distributions, OpenSSH is already compiled with PAM support, but the OTP module still needs to be installed
and configured in both /etc/pam.d/sshd and /etc/ssh/sshd_config.

Hardened purpose;

Where the users do not have a security key but rather a public/private key file on their (client/laptop/workstation),
clients can be compromised and key theft can occur.
The workaround is of course to password-protect the SSH private key, but anyone with experience will know people are sloppy in this regard.
And the biggest attack surface becomes the users against a (server/router/VPC).
OTP is a way to add friction (and annoy users as much as possible).


The logic being: private keys that are not (security key/hardware key) based can be stolen,
and the sloppiness of not using passwords to protect the private keys becomes a (numbers game/statistics game),
with very favorable odds for the attacker.
A hardened setup is SSH key first, then OTP second.
This means the user must have a valid SSH private key and also enter a valid one-time code.
OTP would ideally be (used/running) on an offline, purpose-built device rather than on the same device,
but factoring in the users' sloppiness, statistically it is going to be across 2 devices, mobile and laptop.
OTP Config Example;
Settings in /etc/ssh/sshd_config
# /etc/ssh/sshd_config
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
OpenSSH OTP Module

The PAM OTP module (config/settings) are located in /etc/pam.d/sshd. Notice that this is sshd specific, as seen in the filename.

# /etc/pam.d/sshd
auth required pam_google_authenticator.so

After configuration, restart sshd so it picks up the new settings (PAM reads /etc/pam.d/sshd on each login and needs no restart).

Login Example
ssh user1@httpd.hiddenssh.net

Authenticated with partial success.
Verification code:
Last login: Tue Apr 28 19:42:11 2026 from 144.24.46.145

Client Hardening
Short Intro

As important as the (server/router/VPC) is, the client devices are equally important.

Using the same (device/laptop) to have the (OTP codes/OTP code generator/OTP running) is a plain mistake;
it loses the main feature and point, because an attacker would only need to focus on one device.

Bitcoin Hardware Wallets Setup

Some models offer OTP code support, like the Ledger Nano S, but currently only in experimental software mode.

Hacker Deluxe Setup

By removing the 4G/5G modem, including the WiFi chip and Bluetooth chip, and installing an OTP app,
one can create a (fully offline device/isolated OTP device/device isolated from the internet) with no way for an attacker to steal any OTP codes.

Enterprise Setup

The ideal setup is laptop + (OTP code USB device/OTP USB key); the reasoning is that it has dedicated security features applied to it,
preventing theft of OTP codes.
For example a YubiKey, which is statistically more widely available in corporate environments.