I'm not sure if I should be asking this here or on Server Fault; feel free to flag the question and migrate it if necessary.

I have some servers to which I would like to add an extra security layer. Currently we are using key authentication with a passphrase.

We bought some Yubikeys (OTP password generators) that I would like to use. I created a system that validates the Yubikey and checks that the owner of the Yubikey is authorized to log in. In order to use this system I created ~/.ssh/rc, where I ask the user to press the Yubikey and then use a remote server to validate it.

So far so good; it works perfectly when logging in via ssh. Here comes the problem: when I try to scp to a server that has this extra protection, it throws the following error:

/dev/tty: No such device or address

The error is thrown by the line where I ask the user to enter the OTP:

read -sp "Press your Yubikey..." OTP < /dev/tty

This doesn't happen when I ssh from one server to another that has this extra protection.
scp doesn't start an interactive session, so there isn't a terminal to connect to (and so no /dev/tty to read from). You need to detect that and not try to read from it in that case.

That being said, this is likely the wrong way to have gone about doing this. ssh is most likely configured on your system to use pam, and there is a pam module for yubikey that can be used to use a yubikey as part of the ssh authentication for an account. See https://developers.yubico.com/yubico-pam/ for the basics.

Their configuration uses the yubikey as the only authentication; you will need to configure pam slightly differently to get it to be an additional piece of required login information instead. (Assuming, of course, that you want this to work for the scp case instead of just skipping it for the scp case.)
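The detection the answer asks for, as an added example that is not part of the original question or answer: a POSIX sh version of ~/.ssh/rc that only prompts when /dev/tty can actually be opened, and otherwise logs that the check was skipped instead of failing with "No such device or address". The function names, the log tag, and the remote_validate hook are assumptions; the asker's real validation command is not on the page, so that hook is where it would be called.

```shell
#!/bin/sh
# Hypothetical ~/.ssh/rc (added example, not the asker's script).
# sshd runs this file at the start of every session, including the
# non-interactive ones scp and sftp create, which have no controlling
# terminal. Opening /dev/tty in such a session fails with ENXIO
# ("No such device or address"), which is the error in the question.

# Return 0 if the device at $1 can be opened for reading in this session.
# The open happens in a subshell so a failure cannot abort the script.
can_read_device() {
    ( : < "$1" ) 2>/dev/null
}

# Cheap local sanity check before contacting a validation server:
# a Yubico OTP is 44 modhex characters (alphabet cbdefghijklnrtuv).
valid_otp_format() {
    printf '%s\n' "$1" | grep -Eq '^[cbdefghijklnrtuv]{44}$'
}

# Placeholder for the asker's remote validation step (assumption: the real
# command, its arguments and its exit codes are not on the page).
# Replace the body with that call; it must return 0 only on success.
remote_validate() {
    printf 'remote_validate: not configured in this example\n' >&2
    return 1
}

yubikey_gate() {
    if ! can_read_device /dev/tty; then
        # No controlling terminal (scp, sftp, ssh host 'command'): a prompt
        # would only reproduce the /dev/tty error. Record the skipped check
        # so these sessions stay visible in the logs rather than silent.
        logger -t yubikey-rc \
            "no tty; OTP prompt skipped for ${USER:-?} from ${SSH_CONNECTION%% *}"
        return 0
    fi

    # Interactive session: prompt on the terminal, not on stdin/stdout,
    # and suppress echo the way the asker's read -s did.
    printf 'Press your Yubikey... ' > /dev/tty
    stty -echo < /dev/tty
    read -r otp < /dev/tty
    stty echo < /dev/tty
    printf '\n' > /dev/tty

    if ! valid_otp_format "$otp"; then
        printf 'That does not look like a Yubikey OTP.\n' > /dev/tty
        return 1
    fi
    remote_validate "$otp"
}

# sshd exports SSH_CONNECTION when it runs ~/.ssh/rc; the guard keeps the
# gate from prompting when this file is sourced or run outside a session.
if [ -n "$SSH_CONNECTION" ]; then
    yubikey_gate
fi
```

Note that skipping the prompt is exactly the "just skipping it for the scp case" option the answer mentions: scp and sftp sessions then bypass the OTP check entirely, which is why the answer points at pam_yubico for a check that sshd enforces for every authentication rather than only for sessions with a terminal.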