2fa [2024/05/03 18:01] hogwild2fa [2024/05/03 18:38] – -formatting, change text to "Next, run /opt/etc/ssh/sshd_config and change the following from the defaults:" hogwild
Line 1: Line 1:
-====== Setting up 2FA for SSH using GoogleAuthenticator ======+====== Setting up 2FA for SSH using Google Authenticator ======
  
-This is content taken from the following forum thread: \\ [[https://www.linksysinfo.org/index.php?threads/howto-set-up-2fa-openssh-with-google-authenticator.78183/#post-345032]]+This content was taken from the following forum thread: \\ [[https://www.linksysinfo.org/index.php?threads/howto-set-up-2fa-openssh-with-google-authenticator.78183/#post-345032]]
  
-These are simple configuration notes and are not intended to be a complete HOWTO.+ \\ 
 + 
 +These are simple configuration notes and thus not intended to be a complete HOWTO.
  
 This setup uses openssh with google-authenticator as 2-Factor Authentication. Only the root user is supported. This setup uses openssh with google-authenticator as 2-Factor Authentication. Only the root user is supported.
Line 9: Line 11:
  \\  \\
  
-Prerequisite: Install/setup entware. This is not covered here. <Link?> \\+Prerequisite: Install/setup entware if it's not already installed. This is not covered here. <Link?> \\
  
- \\ Firstwe install openssh-server and google-authenticator:+ \\ Next, install openssh-server and google-authenticator:
  
     opkg install openssh-server-pam google-authenticator-libpam     opkg install openssh-server-pam google-authenticator-libpam
  
-Hopefully this will include all dependencies. \\+Hopefullythis will include all dependencies. \\
  
  \\  \\
  
-Next, we enable openssh-server . This is not covered here. <Link?> \\  \\+Next, enable openssh-server . This is not covered here. <Link?> \\  \\
  
-Next, we configure the correct settings in configuration file /opt/etc/init.d/S39pre_ssh : \\  \\+Next, configure the correct settings in configuration file /opt/etc/init.d/S39pre_ssh : \\  \\
  
     #!/bin/sh     #!/bin/sh
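Review bot: the rewritten line "Hopefullythis will include all dependencies." loses the space the old text had between "Hopefully" and "this"; suggest "Hopefully, this will include all dependencies." The two "<Link?>" placeholders (entware setup, enabling openssh-server) also survive both revisions unresolved, so a reader still has no pointer for either prerequisite.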
Line 52: Line 54:
 The new service must be enabled at boot time as well: The new service must be enabled at boot time as well:
  
-/opt/etc/ssh/sshd_config (most likely only what's changed from the default)+ \\ 
 + 
 +Next, run /opt/etc/ssh/sshd_config and change the following from the defaults:
  
     Port 2222 # to be changed if desired     Port 2222 # to be changed if desired
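Review bot: "run /opt/etc/ssh/sshd_config" is misleading, since sshd_config is a configuration file and not something that is executed; suggest "Next, edit /opt/etc/ssh/sshd_config and change the following from the defaults:". The inline "# to be changed if desired" on "Port 2222" is fine as an sshd_config comment, but whatever value is chosen here must match the port used in the ssh test further down.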
Line 63: Line 67:
     HostKey /opt/etc/ssh/ssh_host_rsa_key     HostKey /opt/etc/ssh/ssh_host_rsa_key
     HostKey /opt/etc/ssh/ssh_host_ed25519_key     HostKey /opt/etc/ssh/ssh_host_ed25519_key
 +
 + \\
  
 grep -v "#" /opt/etc/pam.d/sshd grep -v "#" /opt/etc/pam.d/sshd
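Review bot: the 'grep -v "#" /opt/etc/pam.d/sshd' line is a command whose output follows, but unlike the other commands on this page it is not indented as a code block, so it renders as prose; suggest indenting it the same way as "opkg install ..." and "google-authenticator". Note also that 'grep -v "#"' drops any directive that carries a trailing comment on the same line, so the listing may omit active entries.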
Line 86: Line 92:
     password include common-password     password include common-password
  
-now run the google-auth setup and it will guide you on the steps:+ \\ 
 + 
 +Now, run google-auth setup and follow the steps:
  
     google-authenticator     google-authenticator
  
-make sure you register the TOTP code or load into an app like AndOTP now it's time to move its config file to /opt/etc+Remember to register the TOTP codeor load into an app such as AndOTP
 + 
 + \\ 
 + 
 +Next, move its config file (.google_authenticator) to the /opt/etc directory:
  
     mv .google_authenticator /opt/etc/     mv .google_authenticator /opt/etc/
  
-make sure the permission of the file are 0600 (very important)+ \\ 
 + 
 +Next, Verify the permissions on the file are 0600 . This is very important.
  
     chmod 0600 /opt/etc/.google_authenticator     chmod 0600 /opt/etc/.google_authenticator
  
-now if memory serves me well you can start the sshd service:+ \\ 
 + 
 +Now, you should be able to start the sshd service:
  
     /opt/etc/init.d/S40sshd start     /opt/etc/init.d/S40sshd start
  
-and test it from the LAN side:+ \\
  
-    ssh -p 2222 root@<lan-ip-of-tomato-router>+Next, test the configuration from the LAN side:
  
-and you should be greeted by:+    ssh -p 2222 root@<lan-ip-of-freshtomato-router> 
 + 
 +You should see the following output:
  
     The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.     The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.
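Review bot: the secret file is moved to /opt/etc/.google_authenticator and set to 0600, but nothing in the visible text says how pam_google_authenticator is told to look there instead of in root's home; the pam.d/sshd listing is cut off above "password include common-password" in this diff, so please confirm it carries the module line with a secret= option pointing at /opt/etc/.google_authenticator (pam_google_authenticator does support that option), otherwise the module will not find the secret after the move. Smaller points: "mv .google_authenticator /opt/etc/" assumes the current directory is root's home, where google-authenticator wrote the file; "Remember to register the TOTP codeor load into an app such as AndOTP" is missing a space and a full stop; "Next, Verify" should be "Next, verify".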
Line 113: Line 131:
     Are you sure you want to continue connecting (yes/no/[fingerprint])? yes     Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
  
-and now the most important part+ \\ 
 + 
 +After typing "y" for Yes, you should see the following:
  
     Keyboard-interactive authentication prompts from server:     Keyboard-interactive authentication prompts from server:
     | Verification code:     | Verification code:
  
-that means that only 2FA authentication is working+If you see this, it means that 2FA is the only authentication operating.
  
-you can how expose port 2222 (or the one you configured) to the internet (not covered here)+ \\
  
-@Moderators - please edit/move this post as needed+You can now expose port 2222 (or the port you configured) to the Internet (not covered here). 
 + 
 + \\ 
 + 
 + \\
  
 PS - /opt/etc/environment is the default - only comments - so nothing to change - maybe a "touch /etc/environment" should have been enough PS - /opt/etc/environment is the default - only comments - so nothing to change - maybe a "touch /etc/environment" should have been enough
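Review bot: 'After typing "y" for Yes' contradicts the transcript directly above it, which shows "yes" typed at the "(yes/no/[fingerprint])?" prompt; OpenSSH accepts only the full word "yes" there, so suggest "After typing yes, you should see the following:". The conclusion "it means that 2FA is the only authentication operating" also overstates what the "Verification code:" prompt shows: it proves the google-authenticator PAM module is engaged, while whether password or key login still works on its own depends on the sshd_config and PAM settings that are not shown in this hunk, so suggest phrasing it as "the 2FA prompt is working" and pointing the reader back at the earlier configuration. The unchanged PS mixes "/opt/etc/environment" with 'touch /etc/environment'; the two paths should agree.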
  
  
2fa.txt · Last modified: 2024/05/03 18:40 by hogwild