This shows you the differences between two versions of the page.
Next revision | Previous revision | ||
2fa [2023/09/14 09:48] – created rs232 | 2fa [2024/05/03 18:40] (current) – hogwild | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ===== Setting up 2FA for SSH using GoogleAuthenticator | + | ====== Setting up 2FA for SSH using Google Authenticator ====== |
- | [FIXME] - Currently just a drop from the thread | + | This content was taken from the following forum thread: |
- | for openssh with google-authenticator as 2FA (root user only) | + | \\ |
- | so this is not a full how-to just my overly simplified | + | These are simple configuration |
- | the prerequisites : | + | This setup uses openssh with google-authenticator as 2-Factor Authentication. Only the root user is supported. |
- | - setup entware | + | |
+ | \\ | ||
+ | |||
+ | Prerequisite: | ||
+ | |||
+ | \\ Next, install openssh-server and google-authenticator: | ||
opkg install openssh-server-pam google-authenticator-libpam | opkg install openssh-server-pam google-authenticator-libpam | ||
- | (hopefully | + | Hopefully, |
- | - enable openssh server (not covered here) | + | |
+ | \\ | ||
- | now the configs: | + | Next, enable openssh-server . This is not covered here. < |
- | / | + | Next, configure the correct settings in configuration file / |
#!/bin/sh | #!/bin/sh | ||
Line 44: | Line 50: | ||
exit 0 | exit 0 | ||
- | this new service needs to be enabled at boot-time as well | + | \\ |
- | / | + | The new service must be enabled at boot time as well: |
+ | |||
+ | \\ | ||
+ | |||
+ | Next, run / | ||
Port 2222 # to be changed if desired | Port 2222 # to be changed if desired | ||
Line 58: | Line 68: | ||
HostKey / | HostKey / | ||
+ | \\ | ||
grep -v "#" | grep -v "#" | ||
Line 68: | Line 79: | ||
account required pam_nologin.so | account required pam_nologin.so | ||
- | |||
account include common-account | account include common-account | ||
Line 79: | Line 89: | ||
session required pam_limits.so | session required pam_limits.so | ||
- | |||
password include common-password | password include common-password | ||
+ | \\ | ||
- | now run the google-auth setup and it will guide you on the steps: | + | Now, run google-auth setup and follow |
google-authenticator | google-authenticator | ||
- | make sure you register the TOTP code or load into an app like AndOTP | + | Remember to register the TOTP code, or load into an app such as AndOTP. |
- | now it's time to move its config file to /opt/etc | + | |
+ | \\ | ||
+ | |||
+ | Next, move its config file (.google_authenticator) | ||
mv .google_authenticator /opt/etc/ | mv .google_authenticator /opt/etc/ | ||
- | make sure the permission of the file are 0600 (very important) | + | \\ |
+ | |||
+ | Next, Verify | ||
chmod 0600 / | chmod 0600 / | ||
+ | \\ | ||
- | now if memory serves me well you can start the sshd service: | + | Now, you should be able to start the sshd service: |
/ | / | ||
- | and test it from the LAN side: | + | \\ |
+ | |||
+ | Next, test the configuration | ||
- | ssh -p 2222 root@< | + | ssh -p 2222 root@< |
- | and you should | + | You should |
The authenticity of host ' | The authenticity of host ' | ||
Line 113: | Line 131: | ||
Are you sure you want to continue connecting (yes/ | Are you sure you want to continue connecting (yes/ | ||
- | and now the most important part | + | \\ |
+ | |||
+ | After typing Yes, you should see the following: | ||
Keyboard-interactive authentication prompts from server: | Keyboard-interactive authentication prompts from server: | ||
| Verification code: | | Verification code: | ||
- | that means that only 2FA authentication | + | If you see this, it means that 2FA is the only authentication |
- | you can how expose port 2222 (or the one you configured) to the internet (not covered here) | + | \\ |
- | @Moderators - please edit/move this post as needed | + | You can now expose port 2222 (or the port you configured) to the Internet (not covered here). |
+ | |||
+ | \\ | ||
+ | |||
+ | \\ | ||
PS - / | PS - / | ||
+ | |||
+ |