As a part of strengthening our security, we could implement (optional) 2FA for woodpecker access. This would mean that after verifying the user's SSH key, SSH/PAM would additionally ask for a TOTP verification code.

FWICS, this can be implemented using sys-auth/google-authenticator. I've tested it locally and it looks good. Most importantly, it supports being optional, so people who don't set 2FA up won't be affected.

Since we don't allow password auth this should be relatively easy to set up. Basically we'd need to:

1. Install the package ;-)
2. Edit pam.d/sshd to use google-auth instead of standard auth modules (removing pam_unix should do no harm as we don't permit password auth).
3. Modify sshd config to require 2-factor pubkey+password OR pubkey+keyboard-interactive auth.
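
Added example, not part of the original report and not the project's actual configuration: a small Python check of what steps 2 and 3 should leave behind in pam.d/sshd and the sshd config. The file contents are constructed samples, `sshd_options` and `audit` are hypothetical helper names, and `AuthenticationMethods publickey,keyboard-interactive` is one of the two combinations named in step 3.

```python
# Constructed sample files for illustration, not the real host configuration.
SSHD_CONFIG = """\
UsePAM yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""
PAM_SSHD = """\
# standard auth stack (pam_unix etc.) removed
auth     required  pam_google_authenticator.so nullok
account  include   system-remote-login
session  include   system-remote-login
"""

def sshd_options(text):
    """Map lowercased keyword -> value. sshd keeps the first value it sees.
    Simplification: Match blocks are not handled."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            opts.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit(sshd_text, pam_text):
    """Return a list of problems with the optional-TOTP setup (empty = OK)."""
    problems = []
    opts = sshd_options(sshd_text)
    if opts.get("usepam", "no").lower() != "yes":
        problems.append("UsePAM is off, so the PAM TOTP module never runs")
    lists = [m.split(",") for m in opts.get("authenticationmethods", "").split()]
    if not lists:
        problems.append("AuthenticationMethods unset: the SSH key alone is enough")
    for methods in lists:
        if "publickey" not in methods or len(methods) < 2:
            problems.append("list %s lacks key plus second step" % ",".join(methods))
    # Simplification: 'include' lines in the PAM file are not followed.
    auth = [l.split() for l in pam_text.splitlines() if l.split()[:1] == ["auth"]]
    totp = [l for l in auth if "pam_google_authenticator.so" in l]
    if not totp:
        problems.append("no pam_google_authenticator.so in the auth stack")
    elif "nullok" not in totp[0]:
        problems.append("nullok missing: users without a TOTP secret cannot log in")
    if any("pam_unix.so" in l for l in auth):
        problems.append("pam_unix.so still in the auth stack: password prompt remains")
    return problems

if __name__ == "__main__":
    print(audit(SSHD_CONFIG, PAM_SSHD) or "optional TOTP setup looks consistent")
```

The `nullok` option on the PAM line is what keeps the second factor optional: users who have not created a TOTP secret pass that module without being prompted.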