It's one thing to lock yourself out of your application or admin interface when NTP breaks. It's another thing entirely to lock yourself out of recovering the server entirely when clock skew inevitably hits you.
If you really want 2FA for SSH, use something like Yubikeys that increment a counter and generate tokens based on that counter. And use it during the actual authentication session, not for figuring out which magic port the server will be listening on. You never have to worry about synchronized clocks, just a database tracking the highest counter value ever seen, so that previous values can't be reused.
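As an added illustration of the counter-based approach described in the comment above (this is example code, not anything from the original thread or from Yubico): an RFC 4226 HOTP verifier whose only server-side state is the highest counter value accepted per user. Yubico's own OTP format is a different AES-based scheme; HOTP is used here because it is the standard counter-based token that Yubikeys (and most hardware tokens) also support, and it shows the same property the comment cares about: no clock anywhere, and replay is defeated purely by refusing any counter at or below the highest one already seen. The `CounterStore`, user name, `look_ahead` window and the in-memory dictionary are all assumptions for the example; a real deployment persists the counter.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


class CounterStore:
    """Highest counter value accepted per user (hypothetical store, kept
    in memory for the example; persist it in a real deployment)."""

    def __init__(self) -> None:
        self._highest: dict[str, int] = {}

    def highest(self, user: str) -> int:
        # -1 means "nothing accepted yet", so counter 0 is still valid.
        return self._highest.get(user, -1)

    def advance(self, user: str, counter: int) -> None:
        self._highest[user] = counter


def verify(store: CounterStore, user: str, secret: bytes, token: str,
           look_ahead: int = 10) -> bool:
    """Accept `token` only if it is the HOTP for a counter strictly greater
    than the highest one already used, and within `look_ahead` of it.

    The look-ahead window absorbs counter drift (the token pressed a few
    times without ever reaching the server); replays and anything below
    the high-water mark are rejected without any notion of time."""
    start = store.highest(user) + 1
    for counter in range(start, start + look_ahead):
        # Constant-time compare so the check does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, counter), token):
            store.advance(user, counter)
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test secret, shared with a token.
    secret = b"12345678901234567890"
    store = CounterStore()
    print(verify(store, "alice", secret, hotp(secret, 1)))  # fresh token, accepted
    print(verify(store, "alice", secret, hotp(secret, 1)))  # replay, rejected
    print(verify(store, "alice", secret, hotp(secret, 0)))  # older counter, rejected
```

The `look_ahead` value is the one knob worth thinking about: too small and a token that was pressed a few times in a pocket locks the user out until resynchronised; too large and an attacker who captures one token gets a bigger window of still-unused counters to try. Either way the server never needs NTP for this to work.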