2fa

Differences

This shows you the differences between two versions of the page.

2fa [2024/05/03 18:09] – -formatting, condense hogwild2fa [2024/05/03 18:38] – -formatting, change text to "Next, run /opt/etc/ssh/sshd_config and change the following from the defaults:" hogwild
Line 11: Line 11:
  \\  \\
  
-Prerequisite: Install/setup entware. This is not covered here. <Link?> \\+Prerequisite: Install/setup entware if it's not already installed. This is not covered here. <Link?> \\
  
- \\ First, install openssh-server and google-authenticator:+ \\ Next, install openssh-server and google-authenticator:
  
     opkg install openssh-server-pam google-authenticator-libpam     opkg install openssh-server-pam google-authenticator-libpam
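Review bot: the `<Link?>` placeholder on the prerequisite line is still in the page text after this edit; link the Entware install page or drop the marker. The install sentence also says "openssh-server and google-authenticator" while the command installs `openssh-server-pam` and `google-authenticator-libpam`; naming the packages as they are installed makes it clear that the PAM-enabled build is required.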
Line 54: Line 54:
 The new service must be enabled at boot time as well: The new service must be enabled at boot time as well:
  
-/opt/etc/ssh/sshd_config (most likely only what's changed from the default)+ \\ 
 + 
 +Next, run /opt/etc/ssh/sshd_config and change the following from the defaults:
  
     Port 2222 # to be changed if desired     Port 2222 # to be changed if desired
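Review bot: "Next, run /opt/etc/ssh/sshd_config" in the added line is wrong, because `sshd_config` is a configuration file and is not executable; it should read "Next, edit /opt/etc/ssh/sshd_config and change the following from the defaults:". The unchanged line above it, "The new service must be enabled at boot time as well:", ends in a colon and now runs straight into this instruction, so check that the command it introduces is still in place.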
Line 65: Line 67:
     HostKey /opt/etc/ssh/ssh_host_rsa_key     HostKey /opt/etc/ssh/ssh_host_rsa_key
     HostKey /opt/etc/ssh/ssh_host_ed25519_key     HostKey /opt/etc/ssh/ssh_host_ed25519_key
 +
 + \\
  
 grep -v "#" /opt/etc/pam.d/sshd grep -v "#" /opt/etc/pam.d/sshd
Line 90: Line 94:
  \\  \\
  
-Now, run the google-auth setup and go through the steps:+Now, run google-auth setup and follow the steps:
  
     google-authenticator     google-authenticator
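Review bot: "run google-auth setup" in the changed line names a command that does not match the one shown below it, which is `google-authenticator`. Use the real name in the sentence, for example "Now, run google-authenticator and follow the steps:", so the reader does not look for a `google-auth` binary.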
Line 98: Line 102:
  \\  \\
  
-Now, move its config file to the /opt/etc directory:+Next, move its config file (.google_authenticator) to the /opt/etc directory:
  
     mv .google_authenticator /opt/etc/     mv .google_authenticator /opt/etc/
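Review bot: the `mv .google_authenticator /opt/etc/` line under the reworded sentence uses a relative path, so it only works if the shell is still in the home directory where `google-authenticator` wrote the file. Either say so in the sentence or write the command as `mv ~/.google_authenticator /opt/etc/`.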
Line 104: Line 108:
  \\  \\
  
-Verify the permissions on the file are 0600 . This is very important.+Next, Verify the permissions on the file are 0600 . This is very important.
  
     chmod 0600 /opt/etc/.google_authenticator     chmod 0600 /opt/etc/.google_authenticator
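Review bot: "Next, Verify the permissions" has a stray capital on "Verify", and the command underneath sets the mode with `chmod` rather than verifying it. Suggest "Next, set the permissions on the file to 0600" and, since the text calls this very important, a follow-up `ls -l /opt/etc/.google_authenticator` so the reader can confirm the result.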
Line 110: Line 114:
  \\  \\
  
-Now you should be able to start the sshd service:+Nowyou should be able to start the sshd service:
  
     /opt/etc/init.d/S40sshd start     /opt/etc/init.d/S40sshd start
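Review bot: the new line reads "Nowyou should be able to start the sshd service:"; the space after "Now" was lost in this edit. Restore it as "Now you should be able to start the sshd service:".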
Line 116: Line 120:
  \\  \\
  
-Now, test it from the LAN side:+Next, test the configuration from the LAN side:
  
-    ssh -p 2222 root@<lan-ip-of-tomato-router>+    ssh -p 2222 root@<lan-ip-of-freshtomato-router>
  
-The following text should be output:+You should see the following output:
  
     The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.     The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.
Line 129: Line 133:
  \\  \\
  
-Now, you should see the following:+After typing "y" for Yes, you should see the following:
  
     Keyboard-interactive authentication prompts from server:     Keyboard-interactive authentication prompts from server:
     | Verification code:     | Verification code:
  
-If you see this, it means that only 2FA authentication is working.+If you see this, it means that 2FA is the only authentication operating.
  
  \\  \\
  
-You can now expose port 2222 (or the port you configured) to the Iinternet (not covered here).+You can now expose port 2222 (or the port you configured) to the Internet (not covered here).
  
  \\  \\
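Review bot: "it means that 2FA is the only authentication operating" is ambiguous, and the sample output above it shows only a "Verification code:" prompt, so a reader cannot tell whether a password or key is also expected before or after the code. Since the next line tells the reader to expose the port to the Internet, state exactly which factors a successful login requires and suggest confirming that a login without the verification code is refused before opening the port.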
2fa.txt · Last modified: 2024/05/03 18:40 by hogwild