{"id":13681502,"url":"https://github.com/authy/authy-ssh","last_synced_at":"2025-04-30T03:31:37.507Z","repository":{"id":3449125,"uuid":"4502413","full_name":"authy/authy-ssh","owner":"authy","description":"Easy two-factor authentication for ssh servers","archived":true,"fork":false,"pushed_at":"2018-05-08T17:55:26.000Z","size":87,"stargazers_count":799,"open_issues_count":15,"forks_count":70,"subscribers_count":44,"default_branch":"master","last_synced_at":"2024-11-12T00:36:45.167Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/authy.png","metadata":{"files":{"readme":"README-legacy.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2012-05-31T01:03:13.000Z","updated_at":"2024-11-05T06:41:10.000Z","dependencies_parsed_at":"2022-08-03T12:20:39.687Z","dependency_job_id":null,"html_url":"https://github.com/authy/authy-ssh","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authy%2Fauthy-ssh","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authy%2Fauthy-ssh/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authy%2Fauthy-ssh/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/authy%2Fauthy-ssh/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/authy","download_url":"https://codeload.github.com/authy/authy-ssh/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251635315,"owners_count":21619205,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T13:01:31.608Z","updated_at":"2025-04-30T03:31:37.263Z","avatar_url":"https://github.com/authy.png","language":"Shell","readme":"# Authy SSH\n\n## Pre-requisites.\n\n1. Authy API Key: https://www.authy.com/signup\n\n## Installation.\n\nType the following command in the terminal:\n\n    $ curl -O 'https://raw.githubusercontent.com/authy/authy-ssh/master/authy-ssh'\n    $ sudo bash authy-ssh install /usr/local/bin\n\nThen enable two-factor for your user:\n\n    $ sudo /usr/local/bin/authy-ssh enable `whoami` \u003cyour-email\u003e \u003cyour-country-code\u003e \u003cyour-cellphone\u003e\n\nTest everything is working:\n\n    $ authy-ssh test\n\nRestart your SSH server (look below if you are not on Ubuntu).\n\n    $ sudo service ssh restart\n\n##### Restarting your ssh server\n\n**Ubuntu**\n\n    sudo service ssh restart\n\n**Debian**\n\n    sudo service sshd restart\n\n**RedHat and Fedora Core Linux**\n\n    sudo /sbin/service sshd restart\n\n**Suse linux**\n\n    sudo /etc/rc.d/sshd restart\n\n###  Installing without root privileges.\n\nType the following command in the terminal:\n\n    $ curl 'https://raw.githubusercontent.com/authy/authy-ssh/master/authy-ssh' -o authy-ssh\n    $ bash authy-ssh install ~/.authy-ssh/\n\n\nNow protect your user:\n\n    $ bash ~/.authy-ssh/authy-ssh protect\n\n\n## Enable two-factor auth on a user.\n\nAfter the installation is finished, you have to proactively enable the two-factor for the users you want to protect.\n\nTo enable users type the following command and fill the form:\n\n    $ sudo authy-ssh enable\n\nIf you want to do it in one line just type:\n\n    $ sudo authy-ssh enable \u003clocal-username\u003e \u003cuser-email\u003e \u003cuser-cellphone-country-code\u003e \u003cuser-cellphone\u003e\n\n\n## How it works\n\nAuthy-ssh uses the `sshd_config` directive `ForceCommand` to run itself before every login. Here's how your sshd_config will look after installing:\n\n    [root@ip-10-2-113-233 ~]# cat  /etc/ssh/sshd_config | grep ForceCommand\n    ForceCommand /usr/local/bin/authy-ssh login\n]\nWhenever  it  runs authy-ssh will read it's configuration from /usr/local/bin/authy-ssh.conf\nHere's an example:\n\n    [root@ip-10-2-113-233 ~]# cat /usr/local/bin/authy-ssh.conf\n    banner=Good job! You've securely logged in with Authy.\n    api_key=05c783f2db87b73b198f11fe45dd8bfb\n    user=root:1\n    user=daniel:1\n\nIn this case it means user root and daniel have two-factor enabled and that 1 is their `authy_id`. If a user is not in this list, `authy-ssh` will automatically let him in.\n\n## Using two-factor auth with automated deployment tools.\n\n\nIf you use **capybara**, **chef**, **puppet**, **cfengine**, **git** you can create new users for these tools so they can enter the machine without requiring two-factor.\nAlternatively, you can match users using the `ForceCommand` directive.\n\nA good example is create a two-factor users group.\n\n    groupadd two-factor\n    usermod  -a -G two-factor root\n\nNow that my root user is in the two-factor group, I edit my /etc/ssh/sshd_config\n\n    [root@ip-10-2-113-233 ~]# cat /etc/ssh/sshd_config | grep ForceCommand -A 1 -B 1\n    match Group two-factor\n        ForceCommand /usr/local/bin/authy-ssh login\n\n\t$ /sbin/service sshd restart\n    Stopping sshd:                                             [  OK  ]\n    Starting sshd:                                             [  OK  ]\n\nNow force command will only operate on users that belong to the two-factor group.\n\n\n## `scp`, `sftp`, `mosh` and `git push` with two-factor authentication.\n\nTo enable non-interactive commands like `scp`, `sftp`, `mosh` and `git clone|fetch|push` you have to allow to pass the environment variable `AUTHY_TOKEN` from the client. To do so edit your `sshd_config` (normally located at `/etc` or `/etc/ssh/`) and add `AUTHY_TOKEN` to the AcceptEnv directive:\n\n\tAcceptEnv AUTHY_TOKEN\n\nThen configure the client to send that variable to the server, to do so first open `~/.ssh/config` and then add the following:\n\n\tHost *\n\t\tSendEnv AUTHY_TOKEN\n\nAnd finally pass the token before the command:\n\n    AUTHY_TOKEN=\"valid-token\" git push origin master\n    AUTHY_TOKEN=\"valid-token\" scp server:path/to/file local-file\n    AUTHY_TOKEN=\"valid-token\" mosh server\n\n### Note\n\nFor cases like `sftp` if you enter an invalid token, you may receive a response like *\"Received message too long 458961713\"*. This is because the interactive command is not able to render the proper output text message returned by the program.\n\n## Multiple users sharing the same unix account.\n\nIf you have many users that need to share a single login, you can still use strong two-factor authentication without sharing the same token. This means that every user can have their own Authy Token, ensuring non-repudiation.\n\nTo achieve this, delete or comment out the `ForceCommand` directive from your `sshd_config`:\n\n\t$ sudo sed -ie 's/^\\(ForceCommand.*authy-ssh.*\\)/#\\1/g' /etc/ssh/sshd_config\n\nand then for each person add their ssh key using the following command:\n\n\t$ sudo authy-ssh protect\n\nyou should end up with an authorized_keys file that looks like:\n\n\tcommand=\"/usr/local/bin/authy-ssh login 13386\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGRJbWu+WLVXYVADY3iQPE1kA7CIOSqHmskPM8qIAzKzq+1eRdmPwDZNmAvIQnN/0N7317Rt1bmTRLBwhl6vfSgL6677vUwsevPo27tIxdja67ELTh55xVLcJ3O8x2qkZsySgkLP/n+w3MUwLe1ht31AZOAsV7J7imhWipDijiysNgvHyeSWsHqExaL1blPOYJVHcqPbKY4SxFRq/MWeyPf/Sm24MFSKEaY6u0kNx8MLJ1X9X/YxmY9rdvzsZdQ7Z/PYhYt2Ja/0mzfYx2leeP2JQBsVfZZzAoFEPpw6mSP9kJREGe2tXvS9cRenhz/+V0+mvSJKG0f0Zzh428pTzN\n\tcommand=\"/usr/local/bin/authy-ssh login 20\" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyvj2d0rSDukDT04mK7njUxtXffUrOnDCm2Bqub0zN7LQS733nBHp89aMuBI5ENjw1SQ2qXhLxvK1Xhr0pQr+dOWNn3emQjQuiA+YL39yp2RLLpflerJ3KAVY09CHYLFxdKj/DJgXsH+LMAPe2uVmWCP2xAV5ZcLnz3CdS2SX/EVlbNrftesZx9uAbmwKPLY1pmW7q/75AhJRow8VTP7zM/VS7jEHkj03g51BZGB8tMI3G8RDVEDtu2jVwZiq+8BaNCyjYVlsLfu6uGhnXeeUS3swu/atlt+pxy+QTf/HGvrJR58tER+foqheWtV3LqXN4oLckzqTVkDDmnNJlmrpYQ==\n\nThe previous command will ask you the user ssh public key, cellphone and email.\n\n## Uninstall\n\nTo uninstall type:\n\n    $ sudo authy-ssh uninstall\n    $ restart your SSH server\n\n\n## Running Unit Tests\n\nFork and clone the git repository https://github.com/authy/authy-ssh.git\n\n    $ cd tests\n    $ rake test\n","funding_links":[],"categories":["Shell","Apps"],"sub_categories":["*SSH* keys / Authentication"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauthy%2Fauthy-ssh","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fauthy%2Fauthy-ssh","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauthy%2Fauthy-ssh/lists"}