Single Debian 12 SSH server, push notifications, offline fallback

Hello! I wonder if PrivacyIDEA is a good idea for my use case, and would be happy for advice.

I’m setting up a personal, standalone Debian 12 system at a public hoster (no local access), and I want to harden SSH access. SSH is the only thing I’m interested in. I have experience with 2FA (TOTP) for SSH. But I’m typing in many TOTPs per day, and I’m getting a bit tired of them. The server does not contain highly sensitive data. I would be very happy to just have a push notification on an Android. PrivacyIDEA seems to do this (and so much more!) and I haven’t seen anything else that does this (with both the server and the app being Free software).

First I got a bit scared of a deprecated pam_python and pam_radius, but then I saw the PrivacyIDEA PAM module and it looks very much like what I want.

I understand it is possible to have Push Notifications on the PI authenticator app as an SSH 2FA. Now, for this one single system, I won’t set up a redundant PrivacyIDEA server as is suggested in this detailed, 5-year-old forum message.

So while “offline access” may not be intended to mean “I connect via SSH to a server that is online, but that cannot reach its PrivacyIDEA server”, would one of the following work when the server is not running? Or do you see another way?

  • Connect with a HOTP/TOTP instead of the usual Push Notification, either as the same or as a different user (which may be set up differently)?
  • Have a different user without 2FA configuration, but with an “emergency SSH key” that is stored “safely” offline?

Lastly, I’m super happy to see that the PI authenticator app, too, is open source. I’m using Android but without a Google account. I can always build from source, but do you see a possibility for having it on F-Droid?

Thank you for reading!
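An sshd_config fragment for the second fallback option in the post (a key-only emergency account beside the normal account that needs key plus PAM second factor), added here as an illustration and not part of the original thread; the account names and the authorized_keys path are placeholders, and the privacyIDEA PAM module's own options in /etc/pam.d/sshd are not shown.

```sshd_config
# /etc/ssh/sshd_config fragment (added example; user names are placeholders)
# Goal: normal login = SSH key + privacyIDEA second factor via PAM (push, or
# HOTP when the privacyIDEA server is unreachable); a separate emergency
# account = SSH key only, for when no second factor can be completed at all.

# Hand the second factor to the PAM stack (/etc/pam.d/sshd), where the
# privacyIDEA PAM module is configured. Its own options are not shown here.
UsePAM yes
KbdInteractiveAuthentication yes

# Never accept a plain password anywhere.
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no

# Default for every account: a valid key AND a successful PAM
# (keyboard-interactive) exchange are both required, in that order.
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive

# Only these two accounts may log in at all (placeholder names).
AllowUsers alice emergency

# Emergency account: key only, no PAM second factor, so it still works
# when privacyIDEA is down. Keep its private key offline and give it a
# root-owned authorized_keys file the account itself cannot modify.
Match User emergency
    AuthenticationMethods publickey
    KbdInteractiveAuthentication no
    AuthorizedKeysFile /etc/ssh/authorized_keys/emergency
```

Validate the file with `sshd -t` before reloading, and keep an existing session open while testing so a mistake cannot lock you out of a remote host.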

Concerning F-Droid - I found the relevant issue on GitHub. Sorry, cannot modify the original post any more (HTTP 422 error).

Hi,
the new PAM module does support HOTP tokens for offline use (please note that the token is then unusable for any other case, e.g. online authentication, and only works on a single machine). Since you can have multiple tokens per user, having a fallback/offline option is no problem.
Putting the app on F-Droid is still in the making, as you already found.