[FEAT] Add support for OTP / 2FA (e.g. Google Authenticator) via PAM #121

@SckyzO

Is this a new feature request?

  • I have searched the existing issues

Wanted change

Add support for OTP / 2FA authentication (e.g. via PAM with Google Authenticator or compatible modules) for SSH connections in the container.

This could be implemented as an optional feature (e.g. environment variable like ENABLE_OTP=true) that:

  • installs and enables a PAM OTP module (such as libpam-google-authenticator)
  • configures /etc/pam.d/sshd
  • updates sshd_config to support keyboard-interactive authentication

Reason for change

Currently, the container supports password and/or public key authentication, but does not provide built-in support for a second authentication factor.

Adding OTP would significantly improve security, especially for:

  • internet-exposed SSH services
  • homelab setups
  • production environments requiring stronger authentication

At the moment, users must build custom images and manually configure PAM, which adds complexity and reduces usability.

Providing native support (or an officially documented option) would make 2FA adoption much easier and more consistent.

Proposed code change

High-level approach:

Install PAM module:

apt-get update && apt-get install -y libpam-google-authenticator

Update /etc/pam.d/sshd:

auth required pam_google_authenticator.so

Update sshd_config:

ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

Optional:

  • Add env variable ENABLE_OTP=true
  • Conditionally apply configuration at container startup
  • Optionally allow per-user setup (user runs google-authenticator inside container)
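One way the conditional startup step proposed above could look, as an added example that is not code from the issue author or the project. The function name `apply_otp_config`, the marker comments and passing the two file paths as arguments are assumptions. The directives are written as a managed block at the top of sshd_config because sshd uses the first value it obtains for each keyword, and lines appended after a `Match` block would be scoped to that block.

```shell
#!/bin/sh
# Added example: opt-in, idempotent OTP setup for a container entrypoint.
# ENABLE_OTP, the PAM line and the sshd directives come from the issue;
# apply_otp_config and the marker comments are hypothetical names.

BEGIN_MARK='# BEGIN otp-managed'
END_MARK='# END otp-managed'
PAM_LINE='auth required pam_google_authenticator.so'

apply_otp_config() {
    pam_file=$1
    sshd_cfg=$2

    # Opt-in only: leave both files untouched unless explicitly enabled.
    [ "${ENABLE_OTP:-false}" = "true" ] || return 0

    # Fail closed: a missing file must not result in sshd starting without OTP.
    [ -f "$pam_file" ] && [ -f "$sshd_cfg" ] || {
        echo "otp: missing $pam_file or $sshd_cfg" >&2
        return 1
    }

    # PAM: add the module line once, even if the container restarts many times.
    # It is appended at the end; its position in the auth stack is an assumption.
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' \
        "$pam_file" || printf '%s\n' "$PAM_LINE" >> "$pam_file"

    # sshd_config: drop any previous managed block, then prepend a fresh one so
    # these global settings come first and stay outside any Match block.
    tmp=$(mktemp) || return 1
    {
        printf '%s\n' "$BEGIN_MARK"
        printf '%s\n' 'ChallengeResponseAuthentication yes' 'UsePAM yes' \
            'AuthenticationMethods publickey,keyboard-interactive'
        printf '%s\n' "$END_MARK"
        sed "/^${BEGIN_MARK}\$/,/^${END_MARK}\$/d" "$sshd_cfg"
    } > "$tmp" && cat "$tmp" > "$sshd_cfg"   # cat keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

In an entrypoint this would be called as `apply_otp_config /etc/pam.d/sshd /etc/ssh/sshd_config` before sshd is started, followed by `sshd -t` so that a bad configuration stops the container instead of surfacing at the first login.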
