2fa

Differences

This shows you the differences between two versions of the page.

2fa [2024/05/03 18:09] – -formatting, condense hogwild
2fa [2024/05/03 18:40] (current) hogwild
Line 11: Line 11:
  \\  \\
  
-Prerequisite: Install/setup entware. This is not covered here. <Link?> \\+Prerequisite: Install/setup entware if it's not already installed. This is not covered here. <Link?> \\
  
- \\ First, install openssh-server and google-authenticator:+ \\ Next, install openssh-server and google-authenticator:
  
     opkg install openssh-server-pam google-authenticator-libpam     opkg install openssh-server-pam google-authenticator-libpam
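Review bot: The `<Link?>` placeholder on the prerequisite line is still unresolved in the new revision; either link the Entware install page or drop the marker so it does not render as literal text. In the same hunk, the sentence says "install openssh-server" while the command installs `openssh-server-pam`; naming the PAM package in the prose would make clear that the PAM-enabled build is the one needed.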
Line 54: Line 54:
 The new service must be enabled at boot time as well: The new service must be enabled at boot time as well:
  
-/opt/etc/ssh/sshd_config (most likely only what's changed from the default)+ \\ 
 + 
 +Next, run /opt/etc/ssh/sshd_config and change the following from the defaults:
  
     Port 2222 # to be changed if desired     Port 2222 # to be changed if desired
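Review bot: The added line "Next, run /opt/etc/ssh/sshd_config" uses the wrong verb, since `sshd_config` is a configuration file and cannot be run. Suggest "Next, edit /opt/etc/ssh/sshd_config and change the following from the defaults:" so a reader does not try to execute the path.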
Line 65: Line 67:
     HostKey /opt/etc/ssh/ssh_host_rsa_key     HostKey /opt/etc/ssh/ssh_host_rsa_key
     HostKey /opt/etc/ssh/ssh_host_ed25519_key     HostKey /opt/etc/ssh/ssh_host_ed25519_key
 +
 + \\
  
 grep -v "#" /opt/etc/pam.d/sshd grep -v "#" /opt/etc/pam.d/sshd
Line 90: Line 94:
  \\  \\
  
-Now, run the google-auth setup and go through the steps:+Now, run google-auth setup and follow the steps:
  
     google-authenticator     google-authenticator
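Review bot: The new wording "run google-auth setup" names a tool that does not match the command shown beneath it, which is `google-authenticator`. Use the exact command name in the sentence so the prose and the code line agree.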
Line 98: Line 102:
  \\  \\
  
-Now, move its config file to the /opt/etc directory:+Next, move its config file (.google_authenticator) to the /opt/etc directory:
  
     mv .google_authenticator /opt/etc/     mv .google_authenticator /opt/etc/
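Review bot: The `mv .google_authenticator /opt/etc/` command uses a relative path, so it only works from the directory where the setup step wrote the file. Adding the filename to the sentence is an improvement; also state which directory the command has to be run from, or give the full source path.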
Line 104: Line 108:
  \\  \\
  
-Verify the permissions on the file are 0600 . This is very important.+Next, Verify the permissions on the file are 0600 . This is very important.
  
     chmod 0600 /opt/etc/.google_authenticator     chmod 0600 /opt/etc/.google_authenticator
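Review bot: The new line "Next, Verify the permissions on the file are 0600 ." has a stray capital on "Verify" and a space before the full stop. The sentence also says to verify while the command below it, `chmod 0600`, sets the mode; wording such as "Next, set the permissions on the file to 0600" would match what the step actually does.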
Line 110: Line 114:
  \\  \\
  
-Now you should be able to start the sshd service:+Nowyou should be able to start the sshd service:
  
     /opt/etc/init.d/S40sshd start     /opt/etc/init.d/S40sshd start
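Review bot: "Nowyou" on the changed line is missing a space, which is a regression from the previous revision's "Now you". Restore it as "Now you should be able to start the sshd service:".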
Line 116: Line 120:
  \\  \\
  
-Now, test it from the LAN side:+Next, test the configuration from the LAN side by typing the following at the command prompt:
  
-    ssh -p 2222 root@<lan-ip-of-tomato-router>+    ssh -p 2222 root@<lan-ip-of-freshtomato-router>
  
-The following text should be output:+You should see the following:
  
     The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.     The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.
Line 129: Line 133:
  \\  \\
  
-Now, you should see the following:+After typing Yes, you should see the following:
  
     Keyboard-interactive authentication prompts from server:     Keyboard-interactive authentication prompts from server:
     | Verification code:     | Verification code:
  
-If you see this, it means that only 2FA authentication is working.+If you see this, it means that 2FA is the only authentication operating.
  
  \\  \\
  
-You can now expose port 2222 (or the port you configured) to the Iinternet (not covered here).+You can now expose port 2222 (or the port you configured) to the Internet (not covered here).
  
  \\  \\
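Review bot: The reworded sentence "it means that 2FA is the only authentication operating" is hard to parse and does not say which factors the login requires. The prompt shown asks only for "Verification code:", so state explicitly what the reader should and should not be prompted for at this point, because the next line tells them the port can be exposed to the Internet on the strength of this check.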
2fa.1714756179.txt.gz · Last modified: 2024/05/03 18:09 by hogwild