This content was taken from a Tomato forum thread: HOWTO - Set up 2FA openssh with google authenticator .

These are simple configuration notes, and not intended to be a complete HOWTO. This setup uses openssh with google-authenticator as 2-Factor Authentication. Only the “root” user is supported.


Prerequisites: Install/setup entware if it isn't already installed. This is not covered here.

Install openssh-server and google-authenticator:

  opkg install openssh-server-pam google-authenticator-libpam

If this completes without all dependencies, make sure to install any necessary ones.

Next, enable openssh-server . This is not covered here.

Configure the correct settings in configuration file /opt/etc/init.d/S39pre_ssh:

  #!/bin/sh

  ENABLED=yes
  prefix="/opt"
  PATH=${prefix}/bin:${prefix}/sbin:/sbin:/bin:/usr/sbin:/usr/bin

  start() {
  mkdir -p /var/empty
  chmod 755 /var/empty
  cp /opt/etc/.google_authenticator /root/.google_authenticator
  cp /opt/etc/environment /etc/environment
  }

  case "$1" in
  start)
  start
  ;;
  *)
  echo "Usage: $0 (start)"
  exit 1
  ;;
  esac

  exit 0

The new service must be enabled at boot time as well. Make the following changes to the file: “/opt/etc/ssh/sshd_config:

  Port 2222 # to be changed if desired
  UsePAM yes
  PermitRootLogin yes
  ChallengeResponseAuthentication yes
  PasswordAuthentication no
  Subsystem sftp /opt/lib/sftp-server
  AuthorizedKeysFile .ssh/authorized_keys
  HostKey /opt/etc/ssh/ssh_host_rsa_key
  HostKey /opt/etc/ssh/ssh_host_ed25519_key

grep -v ”#“ /opt/etc/pam.d/sshd

  auth required pam_env.so

  auth required pam_google_authenticator.so

  auth include common-auth

  account required pam_nologin.so

  account include common-account

  session include common-session

  session optional pam_motd.so

  session optional pam_mail.so standard noenv

  session required pam_limits.so

  password include common-password

Now, run google-auth setup and follow the steps:

  google-authenticator

Remember to register the TOTP code, or load into an app such as AndOTP.

Next, move its config file (.google_authenticator) to the /opt/etc directory:

  mv .google_authenticator /opt/etc/

Next, Verify the permissions on the file are “0600” . This is very important.

  chmod 0600 /opt/etc/.google_authenticator

Now, you should be able to start the sshd service:

  /opt/etc/init.d/S40sshd start

Next, test the configuration from the LAN side by typing the following at the command prompt:

  ssh -p 2222 root@<lan-ip-of-freshtomato-router>

You should see the following:

  The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.
  ED25519 key fingerprint is SHA256:<sha256-here>.
  This key is not known by any other names.
  Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

After typing Yes, you should see the following:

  Keyboard-interactive authentication prompts from server:
  | Verification code:

If you see this, it means that 2FA is the only authentication operating. You can now expose port 2222 (or the port you configured) to the Internet. .

PS - /opt/etc/environment is the default - only comments - so nothing to change - maybe a “touch /etc/environment” should have been enough