This shows you the differences between two versions of the page.
2fa [2023/09/14 09:48] – created rs232 | 2fa [2024/05/03 17:33] – -formatting hogwild | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ===== Setting up 2FA for SSH using GoogleAuthenticator ===== | + | ====== Setting up 2FA for SSH using GoogleAuthenticator |
- | [FIXME] - Currently just a drop from the thread | + | This is content taken from the following forum thread: |
- | for openssh with google-authenticator as 2FA (root user only) | + | These are simple configuration notes and are not intended to be a complete HOWTO. |
- | so this is not a full how-to just my overly simplified notes and configs | + | This setup uses openssh with google-authenticator as 2-Factor Authentication. Only the root user is supported. |
- | the prerequisites : | + | \\ |
- | - setup entware | + | |
+ | Prerequisites : Install/setup entware. This is not covered here. < | ||
+ | |||
+ | \\ First, we must install openssh-server and google-authenticator: | ||
opkg install openssh-server-pam google-authenticator-libpam | opkg install openssh-server-pam google-authenticator-libpam | ||
- | (hopefully | + | Hopefully |
- | - enable openssh server (not covered here) | + | |
+ | \\ | ||
- | now the configs: | + | Next, we need to enable openssh-server . This is not covered here. < |
- | / | + | Now we configure the correct settings in configuration file / |
#!/bin/sh | #!/bin/sh | ||
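Review bot: The added sentence above the opkg command says to install "openssh-server and google-authenticator", but the command itself installs openssh-server-pam and google-authenticator-libpam. Name the exact packages in the sentence so it matches the command, since the PAM build of sshd is the one the google-authenticator PAM module plugs into. The added lines also have a stray space before punctuation in "Prerequisites :" and "openssh-server ."; and the `\\` forced breaks used only for spacing could be dropped in favour of blank lines.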
Line 44: | Line 48: | ||
exit 0 | exit 0 | ||
- | this new service needs to be enabled at boot-time as well | + | \\ |
- | / | + | The new service must be enabled at boot time as well: |
+ | |||
+ | / | ||
Port 2222 # to be changed if desired | Port 2222 # to be changed if desired | ||
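Review bot: The added sentence "The new service must be enabled at boot time as well:" now ends in a colon, but what follows in this hunk is a blank line and then the file path that introduces the sshd settings (Port 2222 ...), not an enable step. Either state how the service is enabled at boot, or end the sentence with a period and introduce the configuration file with its own sentence, so readers do not take the sshd settings as the boot-time step.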
Line 57: | Line 63: | ||
HostKey / | HostKey / | ||
HostKey / | HostKey / | ||
- | |||
grep -v "#" | grep -v "#" | ||
Line 68: | Line 73: | ||
account required pam_nologin.so | account required pam_nologin.so | ||
- | |||
account include common-account | account include common-account | ||
Line 79: | Line 83: | ||
session required pam_limits.so | session required pam_limits.so | ||
- | |||
password include common-password | password include common-password | ||
- | |||
now run the google-auth setup and it will guide you on the steps: | now run the google-auth setup and it will guide you on the steps: | ||
Line 88: | Line 90: | ||
google-authenticator | google-authenticator | ||
- | make sure you register the TOTP code or load into an app like AndOTP | + | make sure you register the TOTP code or load into an app like AndOTP now it's time to move its config file to /opt/etc |
- | now it's time to move its config file to /opt/etc | + | |
mv .google_authenticator /opt/etc/ | mv .google_authenticator /opt/etc/ | ||
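Review bot: The replacement line joins two separate steps into one unpunctuated sentence: "... load into an app like AndOTP now it's time to move its config file to /opt/etc". The previous revision kept them on separate lines. Split them into two sentences again, so that registering the TOTP code is clearly finished before the mv step, and so the mv command below is introduced by its own instruction.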
Line 96: | Line 97: | ||
chmod 0600 / | chmod 0600 / | ||
- | |||
now if memory serves me well you can start the sshd service: | now if memory serves me well you can start the sshd service: | ||
Line 125: | Line 125: | ||
PS - / | PS - / | ||
+ | |||
+ |