This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionLast revisionBoth sides next revision | ||
2fa [2024/05/03 17:19] – -condense, grammar, formatting hogwild | 2fa [2024/05/03 18:38] – -formatting, change text to "Next, run /opt/etc/ssh/sshd_config and change the following from the defaults:" hogwild | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ===== Setting up 2FA for SSH using GoogleAuthenticator | + | ====== Setting up 2FA for SSH using Google Authenticator ====== |
- | [FIXME] - Currently, this is simply an excerpt | + | This content was taken from the following |
- | This uses openssh with google-authenticator as 2-Factor Authentication. Only the root user is supported. | + | \\ |
- | These are simple configuration notes. They are not intended to be a complete HOWTO. | + | These are simple configuration notes and thus not intended to be a complete HOWTO. |
- | Prerequisites : - setup entware | + | This setup uses openssh with google-authenticator as 2-Factor Authentication. Only the root user is supported. |
+ | |||
+ | \\ | ||
+ | |||
+ | Prerequisite: | ||
+ | |||
+ | \\ Next, install openssh-server and google-authenticator: | ||
opkg install openssh-server-pam google-authenticator-libpam | opkg install openssh-server-pam google-authenticator-libpam | ||
- | (hopefully | + | Hopefully, |
+ | |||
+ | \\ | ||
- | now the configs: | + | Next, enable openssh-server . This is not covered here. < |
- | / | + | Next, configure the correct settings in configuration file / |
#!/bin/sh | #!/bin/sh | ||
Line 42: | Line 50: | ||
exit 0 | exit 0 | ||
- | this new service needs to be enabled at boot-time as well | + | \\ |
- | / | + | The new service must be enabled at boot time as well: |
+ | |||
+ | \\ | ||
+ | |||
+ | Next, run / | ||
Port 2222 # to be changed if desired | Port 2222 # to be changed if desired | ||
Line 55: | Line 67: | ||
HostKey / | HostKey / | ||
HostKey / | HostKey / | ||
+ | |||
+ | \\ | ||
grep -v "#" | grep -v "#" | ||
Line 78: | Line 92: | ||
password include common-password | password include common-password | ||
- | now run the google-auth setup and it will guide you on the steps: | + | \\ |
+ | |||
+ | Now, run google-auth setup and follow | ||
google-authenticator | google-authenticator | ||
- | make sure you register the TOTP code or load into an app like AndOTP | + | Remember to register the TOTP code, or load into an app such as AndOTP. |
+ | |||
+ | \\ | ||
+ | |||
+ | Next, move its config file (.google_authenticator) | ||
mv .google_authenticator /opt/etc/ | mv .google_authenticator /opt/etc/ | ||
- | make sure the permission of the file are 0600 (very important) | + | \\ |
+ | |||
+ | Next, Verify | ||
chmod 0600 / | chmod 0600 / | ||
- | now if memory serves me well you can start the sshd service: | + | \\ |
+ | |||
+ | Now, you should be able to start the sshd service: | ||
/ | / | ||
- | and test it from the LAN side: | + | \\ |
- | ssh -p 2222 root@< | + | Next, test the configuration from the LAN side: |
- | and you should | + | ssh -p 2222 root@< |
+ | |||
+ | You should | ||
The authenticity of host ' | The authenticity of host ' | ||
Line 105: | Line 131: | ||
Are you sure you want to continue connecting (yes/ | Are you sure you want to continue connecting (yes/ | ||
- | and now the most important part | + | \\ |
+ | |||
+ | After typing " | ||
Keyboard-interactive authentication prompts from server: | Keyboard-interactive authentication prompts from server: | ||
| Verification code: | | Verification code: | ||
- | that means that only 2FA authentication | + | If you see this, it means that 2FA is the only authentication |
+ | |||
+ | \\ | ||
+ | |||
+ | You can now expose port 2222 (or the port you configured) to the Internet (not covered here). | ||
- | you can how expose port 2222 (or the one you configured) to the internet (not covered here) | + | \\ |
- | @Moderators - please edit/move this post as needed | + | \\ |
PS - / | PS - / | ||