Logo Logo OTP2Go
Sign in
SSH Security

Protect your SSH with OTP and Sysadmin approval

SSH Login with OTP verification, optional sysadmin approval and delivery via email, WhatsApp, Telegram or SMS. Per-host and per-operator policies, full audit and access to LLM/Agent via MCP server.

+ + Start now See how it works
Free (self-hosted) or Cloud.

Integration with LLM / MCP Server

Provide SSH server access to the LLM/Agent without sharing passwords or keys!

  1. Using OTP2Go:
  2. The LLM/Agent no longer needs access to your passwords or keys.
  3. Register the LLM/Agent as an operator, and through an MCP server it receives a unique OTP code for each access attempt.
  4. You can manage this operator through access policies, such as:
  5. - Restricting login to specific days and times;
  6. - Restricting access from specific IP addresses;
  7. - Restricting which system users can be used to log in (e.g., root, ubuntu, etc.);
  8. - All access attempts are logged;
  9. - Login notifications can be sent;
  10. LLM/Agent access can be blocked at any time directly from the control panel, either temporarily or permanently !
  11. The SSH server can run on Docker, VPS, Container, VM, or bare metal — it doesn’t matter !

Try the demo now!

Enter your details:

Letters and numbers only.

Enter a valid email address.

Use international format (E.164), e.g.: +5511999999999.

For demonstration purposes only. Your data will not be shared.

Connect to the demo SSH server:

1) SSH connection: provide your operator ID and use the OTP as the password.

ssh -p 2230 root@ssh.otp2go.com

# When prompted "Which operator:", enter your operator ID (e.g.: carlos)

# When prompted "Enter the code sent:", enter the OTP you received (e.g.: 123456)

2) The SSH server validates the OTP and grants access.

Requires configuring the SSH server to validate OTPs (e.g.: PAM module/stack that calls the OTP2Go verifier).

Actors involved in the flow

  1. 1) The SSH server you want to access.
  2. 2) The OTP2Go server that generates the OTP.
  3. 3) The operator attempting to connect and the contact channel where the OTP will be delivered — email, SMS, Telegram, WhatsApp, etc.
  4. Note: For demonstration we use only email and SMS, but in production you may use other channels such as Telegram, WhatsApp, or any delivery method accessible via API.

How the OTP flow works in this demo:

  1. You provide your operator ID, email, and mobile number.
  2. You connect to the demo SSH server (already configured with PAM.d for OTP authentication) using your operator ID.
  3. The SSH server validates your operator ID with the OTP2Go server and requests the OTP.
  4. The OTP2Go server generates a one-time password (OTP).
  5. This OTP is sent to your email and mobile number (via SMS).
  6. If the OTP entered is valid, access is granted.

Everything you need for secure SSH

Approval, policies, audit, and multiple delivery channels.

Per-host OTP

Algorithm, digits, and period per host (RFC 6238).

Sysadmin approval

Temporary link with nonce.

Multi-channel delivery

Email, WhatsApp, Telegram, SMS with fallback.

Access policies

Allowed users, working hours, source IP.

Encryption & HMAC

Optional AES-GCM and HMAC on every message.

Audit trail

Records in otps and interaction_records.

Security first

TLS, HMAC, AES-GCM, anti-replay, and contextual policies.

Encryption

HKDF + optional AES-GCM payload. HMAC SHA-256.

Policies

Working hours, allowed users and operator IP, sysadmin approval.

Anti-replay

Links with nonce and expiration; rate limiting per host/operator.

Audit

Trail in interaction_records and otps.

Delivery integrations

Email, WhatsApp, Telegram, and SMS. Set priority and fallback.

SMTP
WhatsApp API
Telegram Bot
SMS Provider

Simple plans

Start free and scale as needed.

Starter

PoC & testing

Free
  • • Self-hosted
  • • Delivery: Email (more custom channels via API available)
  • • Unlimited hosts, operators, sysadmins
  • • All features included
Start

Pro

Production

U$ 10/month
  • • Self-hosted or Cloud (yourname.otp2go.com)
  • • Delivery: Email, WhatsApp, Telegram, SMS (more custom channels via API available)
  • • Unlimited hosts, operators, sysadmins
  • • All features included
Talk to sales

Customized

On demand

U$ 150 (one-time fee)
  • • Self-hosted
  • • Delivery: what you need ?
  • • Unlimited hosts, operators, sysadmins
  • • All features included
Talk to sales

Frequently asked questions

Does the OTP work with any SSH server?

Yes, install and configure the PAM Python module.

Do I always need sysadmin approval?

Approval is optional per host. Without a sysadmin, the OTP is sent directly.

Which delivery channels are available?

Email (SMTP), WhatsApp (APIs), Telegram (bot), and SMS with configurable priority and fallback.

Ready to boost your SSH security?

Create your account and enable TOTP with approval in minutes.

Create account Sign in