I'm looking for a way to prompt a user to enter a secret token when logging in via SSH. Yes, I know they have to enter a username/password already, but I want them to enter an additional secret token.
I've heard that it's possible to make either PAM or SSHD run a script first, and the script can then drop you to shell when it's done. This would be ideal: we could make it drop you to a Python or PHP script, prompt for the token there, and then if the token is entered correctly, drop you to the shell. If you have a better suggestion for how to do it (custom PAM module?), I'm open to suggestions.
All I want you to do is configure this on a dev machine I'll give you access to. You don't have to write the script, you just have to configure whatever so that the script runs when you try to log in via SSH.
It *must be secure*. It doesn't help me if there's a way to bypass the script. :-)
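One way the gate described above could be wired up, as an added example that is not part of the original post: a Python script that sshd runs through `ForceCommand`, failing closed on every error path. The script path, the token file path and its `salt_hex hash_hex` format are assumptions made for illustration.

```python
#!/usr/bin/env python3
# Added example. Assumed sshd_config lines (script path is hypothetical):
#   ForceCommand /usr/local/bin/token_gate.py
#   AllowTcpForwarding no    # forwarding never passes through ForceCommand
import getpass, hashlib, hmac, os, pwd, signal, sys

TOKEN_FILE = "/etc/ssh/token_gate.pbkdf2"  # hypothetical; holds "salt_hex hash_hex"
GATED_SIGNALS = (signal.SIGINT, signal.SIGQUIT, signal.SIGTSTP)

def hash_token(token: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the token, never the token itself.
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 200_000)

def verify_token(candidate: str, salt: bytes, expected: bytes) -> bool:
    # Constant-time comparison so timing does not leak matching prefixes.
    return hmac.compare_digest(hash_token(candidate, salt), expected)

def command_after_gate(original_command, shell: str) -> list:
    # sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.
    # With none requested, start a login shell (argv[0] prefixed with "-").
    if original_command:
        return [shell, "-c", original_command]
    return ["-" + os.path.basename(shell)]

def main() -> None:
    # Ctrl-C / Ctrl-\ / Ctrl-Z must not interrupt or suspend the gate.
    for sig in GATED_SIGNALS:
        signal.signal(sig, signal.SIG_IGN)
    # No terminal (scp, sftp, "ssh host cmd") means no way to prompt: deny.
    if not sys.stdin.isatty():
        sys.exit("token gate: interactive terminal required")
    with open(TOKEN_FILE) as fh:
        salt_hex, hash_hex = fh.read().split()
    try:
        candidate = getpass.getpass("Token: ")
    except (EOFError, KeyboardInterrupt):
        sys.exit(1)
    if not verify_token(candidate, bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)):
        sys.exit("token gate: access denied")
    # Ignored signals survive exec, so restore defaults for the real shell.
    for sig in GATED_SIGNALS:
        signal.signal(sig, signal.SIG_DFL)
    shell = pwd.getpwuid(os.getuid()).pw_shell
    argv = command_after_gate(os.environ.get("SSH_ORIGINAL_COMMAND"), shell)
    # exec replaces this process; any exception above exits without a shell.
    os.execv(shell, argv)

if __name__ == "__main__":
    main()
```

Because `ForceCommand` runs the script as the already-authenticated user, the token file has to be readable by that user, and TCP forwarding is controlled by separate directives. A PAM module would check the token before any session exists.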