FreshTomato Wiki

User Tools

Site Tools

Trace: 2fa

Sidebar

freshtomato.org

Wiki

▸ About

▸ Releases

▸ Hardware compatibility

▸ 3G/4G/5G compatibility

▸ Feature matrix

▸ Documentation

▸ HOWTOs

▸ FAQ

Forum

AX

Download

Changelog

Development

Bug track

ARM

Download

Changelog

Development

Bug track

MIPS

Download

Changelog

Development

Bug track


TomatoAnon

✔️ Help (WikiText Syntax)

🧑‍🤝‍🧑 Credits

💰 Donations

2fa

Setting up 2FA for SSH using Google Authenticator

This content was taken from the following forum thread:
https://www.linksysinfo.org/index.php?threads/howto-set-up-2fa-openssh-with-google-authenticator.78183/#post-345032


These are simple configuration notes and thus not intended to be a complete HOWTO.

This setup uses openssh with google-authenticator as 2-Factor Authentication. Only the root user is supported.


Prerequisite: Install/setup entware if it's not already installed. This is not covered here. <Link?>


Next, install openssh-server and google-authenticator: 

  opkg install openssh-server-pam google-authenticator-libpam

Hopefully, this will include all dependencies.


Next, enable openssh-server . This is not covered here. <Link?>

Next, configure the correct settings in configuration file /opt/etc/init.d/S39pre_ssh : 

  #!/bin/sh
  ENABLED=yes
  prefix="/opt"
  PATH=${prefix}/bin:${prefix}/sbin:/sbin:/bin:/usr/sbin:/usr/bin
  start() {
  mkdir -p /var/empty
  chmod 755 /var/empty
  cp /opt/etc/.google_authenticator /root/.google_authenticator
  cp /opt/etc/environment /etc/environment
  }
  case "$1" in
  start)
  start
  ;;
  *)
  echo "Usage: $0 (start)"
  exit 1
  ;;
  esac
  exit 0


The new service must be enabled at boot time as well:


Next, run /opt/etc/ssh/sshd_config and change the following from the defaults: 

  Port 2222 # to be changed if desired
  UsePAM yes
  PermitRootLogin yes
  ChallengeResponseAuthentication yes
  PasswordAuthentication no
  Subsystem sftp /opt/lib/sftp-server
  AuthorizedKeysFile .ssh/authorized_keys
  HostKey /opt/etc/ssh/ssh_host_rsa_key
  HostKey /opt/etc/ssh/ssh_host_ed25519_key


grep -v “#” /opt/etc/pam.d/sshd 

  auth required pam_env.so
  auth required pam_google_authenticator.so
  auth include common-auth
  account required pam_nologin.so
  account include common-account
  session include common-session
  session optional pam_motd.so
  session optional pam_mail.so standard noenv
  session required pam_limits.so
  password include common-password


Now, run google-auth setup and follow the steps: 

  google-authenticator

Remember to register the TOTP code, or load into an app such as AndOTP.


Next, move its config file (.google_authenticator) to the /opt/etc directory: 

  mv .google_authenticator /opt/etc/


Next, Verify the permissions on the file are 0600 . This is very important. 

  chmod 0600 /opt/etc/.google_authenticator


Now, you should be able to start the sshd service: 

  /opt/etc/init.d/S40sshd start


Next, test the configuration from the LAN side by typing the following at the command prompt: 

  ssh -p 2222 root@<lan-ip-of-freshtomato-router>

You should see the following: 

  The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.
  ED25519 key fingerprint is SHA256:<sha256-here>.
  This key is not known by any other names.
  Are you sure you want to continue connecting (yes/no/[fingerprint])? yes


After typing Yes, you should see the following: 

  Keyboard-interactive authentication prompts from server:
  | Verification code:

If you see this, it means that 2FA is the only authentication operating.


You can now expose port 2222 (or the port you configured) to the Internet (not covered here).



PS - /opt/etc/environment is the default - only comments - so nothing to change - maybe a “touch /etc/environment” should have been enough

2fa.txt · Last modified: 2024/05/03 18:40 by hogwild

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki