Server's /home/myuser/.profile has

    if [ "$PASSWORD" != longanddifficulttotypepassword ]; then
        exit 0
    fi

Server's /etc/ssh/sshd_config forces use of a bash login shell

    Match User myuser
        ForceCommand /bin/bash -l

and allows sending environment variables

    AcceptEnv LANG LC_* PASSWORD

When I login I supply PASSWORD as an environment variable, e.g. in ~/.ssh/config containing...

    Host home
        User myuser
        SetEnv PASSWORD=longanddifficulttotypepassword

As long as I can remember my long and short passwords when I travel, I can login without SSH keys. All I have to type to login is

    ssh home

and my short password.

I'd like to build this feature into PAM but I've not yet found a way to pass a second token without user input.
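A hardened variant of the ~/.profile gate above, added here as an example and not the original post's code: it compares a SHA-256 of $PASSWORD against a hash kept in a mode 0600 file instead of leaving the long token in plaintext in the profile, logs rejected attempts next to sshd's own messages with logger, and unsets PASSWORD once it has been checked so the token is not inherited by every process the session starts. The hash-file path ~/.ssh/second_factor.sha256 and the reliance on sha256sum and logger are assumptions, not something the post specifies. One caveat worth knowing: bash -l reads only the first of ~/.bash_profile, ~/.bash_login and ~/.profile that exists, so the gate has to be called from whichever of those files the account actually has, or a stray ~/.bash_profile silently disables it.

```shell
#!/bin/sh
# Added example, not the original post's code. Second-factor gate for a
# forced bash login shell (ForceCommand /bin/bash -l, AcceptEnv PASSWORD).
#
# Assumptions (not from the post):
#   - the expected token's SHA-256 lives in ~/.ssh/second_factor.sha256 (mode 0600),
#     created once with:
#       printf '%s' "$TOKEN" | sha256sum | cut -d' ' -f1 > ~/.ssh/second_factor.sha256
#   - sha256sum (GNU coreutils) and logger (util-linux/bsdutils) are on the server.
#
# Usage from the top of ~/.profile (or ~/.bash_profile if that exists):
#   . "$HOME/.ssh/second_factor.sh" && second_factor_gate

# token_ok TOKEN HASHFILE
# Returns 0 when sha256(TOKEN) equals the hex digest stored in HASHFILE,
# 1 when it does not or when HASHFILE is missing/unreadable (fail closed).
token_ok() {
    _token=$1
    _hashfile=$2
    [ -r "$_hashfile" ] || return 1
    _expected=$(cut -d' ' -f1 < "$_hashfile" | tr -d '[:space:]')
    _got=$(printf '%s' "$_token" | sha256sum | cut -d' ' -f1)
    [ -n "$_expected" ] && [ "$_got" = "$_expected" ]
}

# second_factor_gate
# Ends the login shell when PASSWORD is absent or wrong; otherwise scrubs the
# token from the environment so child processes never see it.
second_factor_gate() {
    if ! token_ok "${PASSWORD-}" "$HOME/.ssh/second_factor.sha256"; then
        # SSH_CONNECTION is "client_ip client_port server_ip server_port";
        # keep only the client address for the log line.
        logger -p auth.warning -t second-factor \
            "rejected login for $(id -un) from ${SSH_CONNECTION%% *}"
        exit 0
    fi
    unset PASSWORD
}
```

Because a missing or unreadable hash file is treated as a failed check, a mistake in setting it up locks the account out rather than letting everyone in; keep a second way onto the box (console or a different user) until the gate is verified.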
If a hacker knows you are doing these things, the security weakens but it does not disappear. Telling everybody that your logins support !@#$%^&*()_+ in usernames makes dictionary attacks harder, even if you don't use those characters.

Of course simple 2FA should not replace a functioning first layer.

- Don't use very weak passwords.
- PermitRootLogin prohibit-password
- AllowUsers ...
- Don't run ssh on port 22.

In the client's /etc/ssh/ssh_config you probably want to ensure you don't accidentally send an environment variable to a server that isn't your own:

    Host onlymyserver
        SendEnv LANG LC_* PASSWORD