2fa [2023/09/14 09:48] – created by rs232
2fa [2024/10/28 15:11] (current) – Correct instructions for: "/opt/etc/ssh/sshd_config" changes, by hogwild
====== Setting up 2FA for SSH using Google Authenticator ======
  
This content was taken from the Tomato forum thread: [[https://www.linksysinfo.org/index.php?threads/howto-set-up-2fa-openssh-with-google-authenticator.78183/#post-345032|HOWTO - Set up 2FA openssh with google authenticator]].
  
These are simple configuration notes, and not intended to be a complete HOWTO. This setup uses openssh with google-authenticator as 2-Factor Authentication. Only the "root" user is supported.

**Prerequisites:** Install/setup entware if it isn't already installed. This is not covered here.
  
Install openssh-server and google-authenticator:
  
  
    opkg install openssh-server-pam google-authenticator-libpam
  
  
If this completes without installing all dependencies, make sure to install any missing ones.
  
Next, enable openssh-server. This is not covered here.

Configure the correct settings in the init script /opt/etc/init.d/S39pre_ssh:
  
    #!/bin/sh
    ...
    exit 0
  
  
The new service must be enabled at boot time as well. Make the following changes to the file /opt/etc/ssh/sshd_config:
  
    Port 2222 # to be changed if desired
    ...
    HostKey /opt/etc/ssh/ssh_host_ed25519_key
  
  
The non-comment lines of /opt/etc/pam.d/sshd (as listed by ''grep -v "#" /opt/etc/pam.d/sshd'') should be:
  
    auth required pam_env.so
    ...
  
    account required pam_nologin.so
  
    account include common-account
    ...
  
    session required pam_limits.so
  
    password include common-password
  
Now, run the google-authenticator setup and follow the steps:
  
    google-authenticator
  
Remember to register the TOTP code, or load it into an app such as AndOTP.

Next, move its config file (.google_authenticator) to the /opt/etc directory:
  
    mv .google_authenticator /opt/etc/
  
Next, verify that the permissions on the file are 0600. This is very important:
  
    chmod 0600 /opt/etc/.google_authenticator
  
  
Now, you should be able to start the sshd service:
  
    /opt/etc/init.d/S40sshd start
  
Next, test the configuration from the LAN side by typing the following at the command prompt:

    ssh -p 2222 root@<lan-ip-of-freshtomato-router>
  
You should see the following:
  
    The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.
    ...
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
  
After typing yes, you should see the following:
  
    Keyboard-interactive authentication prompts from server:
    | Verification code:
  
If you see this, it means that 2FA is the only authentication method in operation. You can now expose port 2222 (or the port you configured) to the Internet.
  
  
PS - /opt/etc/environment is the default - only comments - so nothing to change - maybe a "touch /etc/environment" should have been enough
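To show what the "Verification code:" prompt above actually checks, here is an added example (my own code, not from this page or the forum thread) that parses a constructed .google_authenticator file and verifies a TOTP the way an app such as AndOTP generates it. The file layout (base32 secret, then option lines starting with a double quote, then 8-digit scratch codes) and the WINDOW_SIZE handling are my understanding of the PAM module's format, not taken from the page; the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed .google_authenticator content (layout as I understand it): line 1 is the
# base32 secret, '"' lines are options, remaining 8-digit lines are one-time scratch codes.
# The secret is the RFC 6238 SHA-1 test key, not a real one.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""


def parse_google_authenticator(text):
    """Split the file into (secret, options dict, set of scratch codes)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    options, scratch = {}, set()
    for line in lines[1:]:
        if line.startswith('"'):
            parts = line[1:].split()
            options[parts[0]] = parts[1:]
        else:
            scratch.add(line)
    return lines[0], options, scratch


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps): the code AndOTP shows and the PAM module checks."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def verify_code(text, code, unix_time):
    """Accept a TOTP within WINDOW_SIZE steps centred on now, or an unused scratch code."""
    secret, options, scratch = parse_google_authenticator(text)
    if code in scratch:
        return True  # a real verifier must then delete the scratch code from the file
    half = int(options.get("WINDOW_SIZE", ["3"])[0]) // 2  # assumed default of 3
    for skew in range(-half, half + 1):
        if hmac.compare_digest(totp(secret, unix_time + skew * 30), code):
            return True
    return False
```

This also makes clear why the 0600 permission matters: anyone who can read the first line of the file can compute every valid code.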
2fa.1694681281.txt.gz · Last modified: 2023/09/14 09:48 by rs232