Differences

This shows you the differences between two versions of the page.

2fa [2024/05/03 18:21] – changed to "it means that only 2FA authentication is operating" hogwild
2fa [2024/10/28 15:11] (current) – -Correct instructions for: "/opt/etc/ssh/sshd_config" changes hogwild
Line 1: Line 1:
 ====== Setting up 2FA for SSH using Google Authenticator ====== ====== Setting up 2FA for SSH using Google Authenticator ======
  
-This content was taken from the following forum thread: \\ [[https://www.linksysinfo.org/index.php?threads/howto-set-up-2fa-openssh-with-google-authenticator.78183/#post-345032]]+This content was taken from a Tomato forum thread: [[https://www.linksysinfo.org/index.php?threads/howto-set-up-2fa-openssh-with-google-authenticator.78183/#post-345032|HOWTO - Set up 2FA openssh with google authenticator]] 
 + 
 +These are simple configuration notes, and not intended to be a complete HOWTO. This setup uses openssh with google-authenticator as 2-Factor Authentication. Only the "root" user is supported.\\   \\   \\ **Prerequisites:** Install/setup entware if it isn't already installed. This is not covered here.\\  \\ 
 + 
 +Install openssh-server and google-authenticator:
  
  \\  \\
  
-These are simple configuration notes and thus not intended to be a complete HOWTO. +    opkg install openssh-server-pam google-authenticator-libpam
- +
-This setup uses openssh with google-authenticator as 2-Factor Authentication. Only the root user is supported.+
  
  \\  \\
  
-Prerequisite: Install/setup entwareThis is not covered here. <Link?> \\+If this completes without all dependencies, make sure to install any necessary ones.\\
  
- \\ First, install openssh-server and google-authenticator:+ \\  \\
  
-    opkg install openssh-server-pam google-authenticator-libpam+Next, enable openssh-server . This is not covered here.
  
-Hopefully, this will include all dependencies. \\+ \\ \\ Configure the correct settings in configuration file /opt/etc/init.d/S39pre_ssh:
  
  \\  \\
- 
-Next, enable openssh-server . This is not covered here. <Link?> \\  \\ 
- 
-Next, configure the correct settings in configuration file /opt/etc/init.d/S39pre_ssh : \\  \\ 
  
     #!/bin/sh     #!/bin/sh
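Review bot: the two `<Link?>` placeholders on the old side (the entware prerequisite and the "enable openssh-server" step) are removed without adding the links they stood for, so the new text still says "This is not covered here" twice and gives the reader no pointer for either step; either add the links or keep the placeholders until they exist. The install step would also benefit from one sentence on why the `-pam` packages are chosen: `openssh-server-pam` is the PAM-enabled sshd build and `google-authenticator-libpam` is a PAM module, so the plain openssh-server package would never consult it. "If this completes without all dependencies, make sure to install any necessary ones" is vague; say how the reader would notice (errors in the `opkg install` output) rather than leaving it to guesswork. Minor: "enable openssh-server ." has a space before the period.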
Line 52: Line 50:
  \\  \\
  
-The new service must be enabled at boot time as well:+The new service must be enabled at boot time as well. Make the following changes to the file: "/opt/etc/ssh/sshd_config:
  
-/opt/etc/ssh/sshd_config (most likely only what's changed from the default)+ \\
  
     Port 2222 # to be changed if desired     Port 2222 # to be changed if desired
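Review bot: the new sentence "The new service must be enabled at boot time as well. Make the following changes to the file: "/opt/etc/ssh/sshd_config:" has an unclosed quote and joins two unrelated things: editing sshd_config does not enable anything at boot (the S40sshd script in /opt/etc/init.d, started later on this page, is what Entware runs at boot), so either explain that or drop the boot clause from this step. The deleted qualifier "(most likely only what's changed from the default)" was useful and should come back, because the listing is clearly a partial sshd_config and a reader might otherwise replace the whole file with it. Also, `Port 2222 # to be changed if desired` puts a comment on the directive line; older OpenSSH releases reject that with "garbage at end of line", so the comment is safer on its own line.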
Line 65: Line 63:
     HostKey /opt/etc/ssh/ssh_host_rsa_key     HostKey /opt/etc/ssh/ssh_host_rsa_key
     HostKey /opt/etc/ssh/ssh_host_ed25519_key     HostKey /opt/etc/ssh/ssh_host_ed25519_key
 +
 + \\
  
 grep -v "#" /opt/etc/pam.d/sshd grep -v "#" /opt/etc/pam.d/sshd
 +
 + \\
  
     auth required pam_env.so     auth required pam_env.so
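Review bot: `grep -v "#" /opt/etc/pam.d/sshd` sits unindented between the HostKey lines and the `auth required pam_env.so` listing with no lead-in, so it reads as prose rather than as the command that produced the PAM listing below it; indent it like the other commands on the page and add a sentence saying it prints the non-comment lines of the PAM stack for sshd. The hunk itself only adds `\\` line breaks, which do not fix that.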
Line 87: Line 89:
  
     password include common-password     password include common-password
 +
 + \\
  
  \\  \\
  
 Now, run google-auth setup and follow the steps: Now, run google-auth setup and follow the steps:
 +
 + \\
  
     google-authenticator     google-authenticator
 +
 + \\
  
 Remember to register the TOTP code, or load into an app such as AndOTP. Remember to register the TOTP code, or load into an app such as AndOTP.
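Review bot: "run google-auth setup" names a command that does not match the `google-authenticator` line beneath it; use the same name in both places. The sentence about registering the TOTP code should also tell the reader to keep the emergency scratch codes that the google-authenticator setup prints at the end: they are single-use and are the only way to log in if the phone or authenticator app is lost, which matters on a router that is about to be reachable only through this 2FA path.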
Line 98: Line 106:
  \\  \\
  
-Next, move its config file (.google_authenciator) to the /opt/etc directory:+ \\ 
 + 
 +Next, move its config file (.google_authenticator) to the /opt/etc directory: 
 + 
 + \\
  
     mv .google_authenticator /opt/etc/     mv .google_authenticator /opt/etc/
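Review bot: `mv .google_authenticator /opt/etc/` depends on the shell's current directory being root's home, where the setup wrote the file; using the absolute source path (`mv ~/.google_authenticator /opt/etc/`) makes the step work wherever it is run. Moving the file also only works if the pam_google_authenticator line in /opt/etc/pam.d/sshd points at the new location (the module's `secret=` option); that line is outside the context shown in this diff, and quoting it next to this step would keep the two in sync. The spelling fix (authenciator to authenticator) is correct.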
Line 104: Line 116:
  \\  \\
  
-Next, Verify the permissions on the file are 0600 . This is very important.+Next, Verify the permissions on the file are "0600. This is very important. 
 + 
 + \\
  
     chmod 0600 /opt/etc/.google_authenticator     chmod 0600 /opt/etc/.google_authenticator
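Review bot: "are "0600." has a stray opening quote and "Verify" should be lowercase. "This is very important" deserves the reason: the file holds the TOTP seed and the scratch codes, so anyone who can read it can generate valid codes, and pam_google_authenticator itself refuses a secret file that is readable by others or not owned by the user being authenticated. Because the file was just moved out of root's home, the step should check ownership as well as mode (`chown root /opt/etc/.google_authenticator`, or confirm with `ls -l`).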
Line 111: Line 125:
  
 Now, you should be able to start the sshd service: Now, you should be able to start the sshd service:
 +
 + \\
  
     /opt/etc/init.d/S40sshd start     /opt/etc/init.d/S40sshd start
Line 116: Line 132:
  \\  \\
  
-Next, test it from the LAN side:+ \\ Next, test the configuration from the LAN side by typing the following at the command prompt:
  
-    ssh -p 2222 root@<lan-ip-of-tomato-router>+ \\
  
-You should see the following output:+    ssh -p 2222 root@<lan-ip-of-freshtomato-router> 
 + 
 + \\ 
 + 
 +You should see the following: 
 + 
 + \\
  
     The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.     The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.
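Review bot: the test step should say what to do with the host-key prompt that follows `ssh -p 2222 root@<lan-ip-of-freshtomato-router>`: compare the fingerprint shown with the router's own key before accepting it (on the router, `ssh-keygen -lf /opt/etc/ssh/ssh_host_ed25519_key.pub` prints the fingerprint of the key named by the HostKey line earlier on the page) rather than answering yes on sight; a LAN test is exactly where that fingerprint should be recorded for later connections from the Internet. The placeholder changes from `tomato` to `freshtomato` here; check that the rest of the page uses the same name.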
Line 129: Line 151:
  \\  \\
  
-Now, you should see the following:+After typing Yes, you should see the following: 
 + 
 + \\
  
     Keyboard-interactive authentication prompts from server:     Keyboard-interactive authentication prompts from server:
     | Verification code:     | Verification code:
  
-If you see this, it means that only 2FA authentication is operating. + \\ If you see this, it means that 2FA is the only authentication operating. You can now expose port 2222 (or the port you configured) to the Internet.
- +
- \\ +
- +
-You can now expose port 2222 (or the port you configured) to the Internet (not covered here).+
  
  \\  \\
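Review bot: "If you see this, it means that 2FA is the only authentication operating" claims more than the `Verification code:` prompt proves. The prompt shows that the pam_google_authenticator module is being consulted; whether a password-only or key-only login is still accepted is decided by sshd_config directives (AuthenticationMethods, PasswordAuthentication, PubkeyAuthentication, and ChallengeResponseAuthentication or, on newer OpenSSH, KbdInteractiveAuthentication) that are outside the context shown here. Before the closing sentence tells the reader to expose the port to the Internet, the test should include a negative check: a login with a wrong or empty verification code, and an attempt with a public key alone, must both be rejected. The dropped "(not covered here)" qualifier on exposing the port was accurate and could stay.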
2fa.1714756880.txt.gz · Last modified: 2024/05/03 18:21 by hogwild