| Author: | mricon@kernel.org |
|---|---|
| Copyright: | Konstantin Ryabitsev and contributors |
| License: | GPLv2+ |
| Version: | 0.7.1 |
You should almost certainly not be deploying this for a new project.
totpcgi was first written in 2012 and has not received meaningful new development since 2019. It is kept buildable on currently-supported distributions (AlmaLinux 10 / RHEL 10 / Python 3.12) for the benefit of existing deployments only. New features are not planned; bug fixes are best-effort.
If you are reaching for this in 2026, please look elsewhere first:
- For SSH 2-factor authentication, prefer FIDO2 / WebAuthn hardware tokens (e.g. yubikey) with `ssh-ed25519-sk`/`ssh-ecdsa-sk` keys.
- For PAM TOTP, Google's `pam_google_authenticator` is actively maintained and lives in most distro repos.
- For a full enterprise 2FA / OTP server, `privacyIDEA` is the modern, actively-developed equivalent of what totpcgi does.
- Python 3.13+ is not supported. The CGI scripts use the stdlib `cgi` and `cgitb` modules, which were removed outright from Python 3.13 per PEP 594. The project works on Python 3.12 (the version shipped by AlmaLinux 10 / RHEL 10) but will fail to import on any newer interpreter without significant rework. There is currently no plan to do that rework; see "life support", above.
The idea of totpcgi (pronounced "Toopy-CGI") came from lamenting that the google-authenticator implementation is "almost there" as a generic org-wide 2-factor solution, but is annoyingly written as a one-secret-per-service (or -per-host) solution. Thus totpcgi was born: it uses the secret files generated by google-authenticator and serves them from a central installation, so each user has a single secret that every participating host verifies against.
It is intended to be used with pam_url.
- Fully interoperable with Google-Authenticator
- Uses Google-Authenticator-generated secret files
- Supports pincodes (i.e. users log in with their pincode followed by the 6-digit token, e.g. 'usercode555555')
- Supports a file-based state backend for non-redundant installations and PostgreSQL for load-balanced setups.
- Supports encrypting the Google-Authenticator master secret with the user's pincode.
- Supports web-based provisioning to generate Google-Authenticator compatible files (or database entries).
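To make the idea above and the feature list concrete, here is an added example (my own code, not totpcgi's or google-authenticator's) of what a central verifier has to do: read a google-authenticator secret file, split a submitted 'pincode + token' string, check the token within a clock-skew window, and record spent time counters so a captured token cannot be replayed. It uses only the standard library in place of pyotp. Assumptions, all labelled in the code: the `.totp` layout (base32 secret on the first line, `" OPTION` lines, then emergency scratch codes) is the google-authenticator file format as I know it; `WINDOW_SIZE` is read as the total number of 30-second steps accepted, centred on the current one; the in-memory `State` class stands in for totpcgi's file or PostgreSQL state backend; and the pincode is compared in plaintext where totpcgi would compare against a stored hash. The sample secret is the RFC 6238 test vector key, so the tokens can be checked against the RFC's published values.

```python
# Added example, not totpcgi's own code. Assumptions: .totp layout below is the
# google-authenticator format as I know it; State stands in for totpcgi's
# file/PostgreSQL state backend; WINDOW_SIZE = total 30s steps accepted.
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the primitive TOTP (RFC 6238) builds on."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret_b32, int(at) // step, digits)


@dataclass
class TotpRecord:
    secret: str
    window_size: int = 3            # assumed default: current step +/- 1
    disallow_reuse: bool = False
    scratch_codes: set = field(default_factory=set)   # parsed, unused below


def parse_totp_file(text: str) -> TotpRecord:
    """Parse a google-authenticator style .totp file (layout assumed, see top)."""
    rec = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('"'):                 # option line: '" NAME [ARG]'
            opt = line[1:].split()
            if rec is None or not opt:
                continue
            if opt[0] == "WINDOW_SIZE" and len(opt) > 1:
                rec.window_size = int(opt[1])
            elif opt[0] == "DISALLOW_REUSE":
                rec.disallow_reuse = True
        elif rec is None:
            rec = TotpRecord(secret=line)        # first data line is the secret
        else:
            rec.scratch_codes.add(line)          # remaining lines: scratch codes
    if rec is None:
        raise ValueError("no secret found in .totp file")
    return rec


class State:
    """Stand-in for totpcgi's state backend: time counters each user has already
    spent, so a token observed in transit cannot be replayed inside the window."""

    def __init__(self) -> None:
        self.used: dict[str, set[int]] = {}


def verify(user, record, pincode, submitted, state, now=None, step=30):
    """Check a 'pincode + 6-digit token' login. Returns (accepted, reason).
    The pincode is compared in plaintext here; totpcgi stores it hashed."""
    now = time.time() if now is None else now
    if len(submitted) <= 6:
        return False, "token too short"
    given_pin, token = submitted[:-6], submitted[-6:]
    # Evaluate both halves before deciding so an early return does not tell
    # the caller which half was wrong.
    pin_ok = hmac.compare_digest(given_pin.encode(), pincode.encode())
    counter, half, matched = int(now) // step, record.window_size // 2, None
    for delta in range(-half, half + 1):
        candidate = hotp(record.secret, counter + delta).encode()
        if hmac.compare_digest(candidate, token.encode()):
            matched = counter + delta
    if not pin_ok or matched is None:
        return False, "bad pincode or token"
    spent = state.used.setdefault(user, set())
    if record.disallow_reuse and matched in spent:
        return False, "token already used"
    spent.add(matched)
    return True, "ok"


# Constructed sample file: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_TOTP_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
"""
SAMPLE_RECORD = parse_totp_file(SAMPLE_TOTP_FILE)

if __name__ == "__main__":
    st, t = State(), 1111111109          # RFC 6238 SHA1 vector at this time: ...081804
    print(verify("alice", SAMPLE_RECORD, "usercode", "usercode081804", st, now=t))
    print(verify("alice", SAMPLE_RECORD, "usercode", "usercode081804", st, now=t + 30))
```

The second call in the demo is the point of the state backend: 30 seconds later the old token is still inside the skew window, so without the spent-counter record it would be accepted again. This is also why a load-balanced totpcgi deployment needs the shared PostgreSQL backend rather than per-host files; each node must see the counters the others have already spent.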
- pyotp
- google-authenticator to generate the .totp files by hand
- flup (for .fcgi only)
- psycopg2 (for postgresql backend support)
- py-bcrypt (for pincode support using bcrypt)
- pycrypto and passlib (for encrypted-secret support)
- pam_url (for PAM support)
- python-qrcode (for provisioning support)
- MySQL-python (for MySQL backend support)
All of these dependencies are in EPEL for RHEL 6.
- Konstantin Ryabitsev <mricon@kernel.org>
- Andrew Grimberg <agrimberg@linuxfoundation.org>
Please open an issue on GitHub: https://github.com/mricon/totp-cgi/issues