SFTP authentication via one-time passwords (OTP)

Occasionally our customers ask if it’s possible to implement some form of one-time password (OTP) authentication for their SFTP users. Considering the complexity of the SSH authentication scheme, such a task is definitely not trivial. To ease the process, Syncplify.me Server! V5 adds two new event-handlers and several functions to the scripting framework. This article explains how to use them to accomplish OTP authentication over SFTP.

First of all, it is important to understand that, since one-time passwords change every time, OTP authentication is necessarily interactive. Therefore, before we begin, we need to allow “keyboard-interactive” authentication both globally on the server and locally on each user profile for which we want to enable OTP authentication.

Once that’s done, we can proceed and write the script to generate the one-time password (OTP) each time the user tries to log in. This part is tricky, as many SFTP clients perform multiple connections at once, so when we generate an OTP we have to make sure it’s valid for a certain amount of time (in this example we elected to give OTPs a 1-minute life span).

The script checks whether the last time this user logged in was more than 1 minute ago. If it was, the script generates a new OTP, changes the user’s password, and sends the new OTP to the user via PushOver (but you may use any other notification service: SMS, email, …).
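The issue-and-reuse logic described above, sketched in Python as an added example: it is not Syncplify's script and does not use the server's scripting API. The `OtpIssuer` class, the `notify` callback, the 6-digit OTP format and the expiry check at verification time are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

OTP_LIFETIME = 60  # seconds; the 1-minute life span chosen in the article


class OtpIssuer:
    """Per-user OTP state (hypothetical helper, not the server's API)."""

    def __init__(self, notify):
        self._notify = notify   # assumed callback: notify(user, otp), e.g. a push message
        self._state = {}        # user -> (issued_at, salt, otp_hash); plaintext OTP is never stored

    @staticmethod
    def _hash(salt, otp):
        return hashlib.sha256(salt + otp.encode()).digest()

    def on_auth_request(self, user, now):
        """Call when the username arrives. Returns True if a new OTP was sent."""
        entry = self._state.get(user)
        if entry is not None and now - entry[0] <= OTP_LIFETIME:
            return False        # parallel connection inside the window: keep the current OTP
        otp = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, 6 digits (assumed format)
        salt = secrets.token_bytes(16)
        self._state[user] = (now, salt, self._hash(salt, otp))
        self._notify(user, otp)
        return True

    def verify(self, user, candidate, now):
        entry = self._state.get(user)
        if entry is None:
            return False
        issued_at, salt, otp_hash = entry
        if now - issued_at > OTP_LIFETIME:
            return False        # expired: a fresh auth request must issue a new OTP
        return hmac.compare_digest(otp_hash, self._hash(salt, candidate))


def demo():
    sent = []   # constructed stand-in for the push channel
    issuer = OtpIssuer(lambda user, otp: sent.append(otp))
    first = issuer.on_auth_request("alice", now=0)
    second = issuer.on_auth_request("alice", now=5)   # second connection from the same client
    ok = issuer.verify("alice", sent[0], now=30)
    expired = issuer.verify("alice", sent[0], now=61)
    return first, second, len(sent), ok, expired
```

The OTP stays valid for every connection opened inside the window, so a client that opens several sessions at once triggers only one notification.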

Once the script is ready, simply associate it with the new OnAuthRequestAllowed event handler, and run your SFTP client.

In your SFTP client you also have to make sure that you use Interactive (or Keyboard Interactive) authentication, as shown in the screenshot below:

Then try to connect. As soon as the server receives the username, the OTP is sent to the user’s mobile device via PushOver:

Now go back to your SFTP client and type in the one-time password that was just sent to your mobile device:

And you’re all set. Logged in via OTP! Yay!

Of course, this method works with any client that supports SSH Keyboard Interactive authentication, including text-based ones:

Thank you for your attention.