A centralized totp solution based on google-authenticator
mricon Support session-length validations
When the remote system uses systemd, it will set an XDG_SESSION_ID
variable per each new ssh session, meaning that when ssh multiplexing is
used (using ControlMaster option) we can validate the duration of the
ssh session instead of the whole IP.

The XDG_SESSION_ID variable is unique per system uptime, and since we
record it per user+ip, the chance of collisions is extremely low.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Latest commit 110a33b May 23, 2017



A centralized totp solution based on google-authenticator

Author: mricon@kernel.org
Copyright: Konstantin Ryabitsev and contributors
Version: 0.6.0


The idea of totpcgi (pronounced "Toopy-CGI") came when lamenting that the google-authenticator implementation is "almost there" as a generic org-wide 2-factor solution, but is annoyingly written to be a one-secret-per-service (or -per-host) solution. Thus, totpcgi was born, which uses files generated by google-authenticator and serves them from a central installation.

It is intended to be used with pam_url.


  1. Fully interoperable with Google-Authenticator
  2. Uses Google-Authenticator-generated secret files
  3. Supports pincodes (i.e. users log in with 'usercode555555')
  4. Supports a file-based state backend for non-redundant installations and PostgreSQL for load-balanced setups.
  5. Supports encrypting the Google-Authenticator master secret with the user's pincode.
  6. Supports web-based provisioning to generate Google-Authenticator compatible files (or database entries).
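
How a combined 'usercode555555' credential can be split and checked, as an added example that is not totpcgi's own code. The function names are hypothetical, PBKDF2 stands in for bcrypt so the block needs only the standard library, and the secret, salt and pincode are constructed sample values (the secret is the RFC 4226/6238 test key).

```python
import base64, hashlib, hmac, struct, time

# Constructed sample data: RFC test key "12345678901234567890" in base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SALT = b"constructed-salt"

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30 s steps, 6 digits (Google Authenticator defaults)."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def split_credential(combined, digits=6):
    """Split 'usercode555555' into (pincode, token): the token is the trailing digits."""
    pincode, token = combined[:-digits], combined[-digits:]
    if not pincode or len(token) != digits or not (token.isascii() and token.isdigit()):
        raise ValueError("expected <pincode><%d-digit token>" % digits)
    return pincode, token

def hash_pincode(pincode, salt):
    # Assumption: PBKDF2 as a stdlib stand-in for the bcrypt hash a real setup would use.
    return hashlib.pbkdf2_hmac("sha256", pincode.encode(), salt, 100_000)

PIN_HASH = hash_pincode("usercode", SALT)  # constructed stored pincode hash

def verify(combined, secret_b32, pin_hash, salt, at=None, window=1, step=30):
    """True only if both the pincode and the token (within +/- window steps) match."""
    at = time.time() if at is None else at
    try:
        pincode, token = split_credential(combined)
    except ValueError:
        return False
    pin_ok = hmac.compare_digest(hash_pincode(pincode, salt), pin_hash)
    token_ok = False
    for drift in range(-window, window + 1):
        # Check every step in the window and compare in constant time.
        token_ok |= hmac.compare_digest(totp(secret_b32, at + drift * step, step), token)
    return pin_ok and token_ok

if __name__ == "__main__":
    print(verify("usercode" + totp(SECRET, time.time()), SECRET, PIN_HASH, SALT))
```

Both factors are always evaluated before the result is combined, so a failed login does not reveal which half of the credential was wrong.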


  1. pyotp
  2. google-authenticator to generate the .totp files by hand
  3. flup (for .fcgi only)
  4. psycopg2 (for PostgreSQL backend support)
  5. py-bcrypt (for pincode support using bcrypt)
  6. pycrypto and passlib (for encrypted-secret support)
  7. pam_url (for PAM support)
  8. python-qrcode (for provisioning support)
  9. MySQL-python (for MySQL backend support)

All of these dependencies are in EPEL for RHEL 6.



Please open an issue on GitHub: https://github.com/mricon/totp-cgi/issues