====== Setting up 2FA for SSH using Google Authenticator ======

This content was taken from a Tomato forum thread: [[https://www.linksysinfo.org/index.php?threads/howto-set-up-2fa-openssh-with-google-authenticator.78183/#post-345032|HOWTO - Set up 2FA openssh with google authenticator]]. These are simple configuration notes, not a complete HOWTO.

This setup uses openssh with google-authenticator as 2-factor authentication. Only the "root" user is supported.

**Prerequisites:**

Install/set up entware if it isn't already installed. This is not covered here.

Install openssh-server and google-authenticator:

<code bash>
opkg install openssh-server-pam google-authenticator-libpam
</code>

If this completes without all dependencies, make sure to install any necessary ones.

Next, enable openssh-server. This is not covered here.

Configure the correct settings in the configuration file /opt/etc/init.d/S39pre_ssh:

<code bash>
#!/bin/sh

ENABLED=yes
prefix="/opt"
PATH=${prefix}/bin:${prefix}/sbin:/sbin:/bin:/usr/sbin:/usr/bin

start() {
    # privilege-separation directory sshd expects to exist
    mkdir -p /var/empty
    chmod 755 /var/empty
    # /root is not kept across reboots: restore the TOTP secret and the
    # environment file from persistent /opt storage at every boot
    cp /opt/etc/.google_authenticator /root/.google_authenticator
    cp /opt/etc/environment /etc/environment
}

case "$1" in
    start)
        start
        ;;
    *)
        echo "Usage: $0 (start)"
        exit 1
        ;;
esac

exit 0
</code>

The new service must be enabled at boot time as well.
Make the following changes to the file /opt/etc/ssh/sshd_config (sshd does not accept trailing comments on a directive line, so the note on the port sits on its own line):

<code>
# Port: change if desired
Port 2222
UsePAM yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
Subsystem sftp /opt/lib/sftp-server
AuthorizedKeysFile .ssh/authorized_keys
HostKey /opt/etc/ssh/ssh_host_rsa_key
HostKey /opt/etc/ssh/ssh_host_ed25519_key
</code>

The PAM configuration for sshd, with comment lines stripped (grep -v "#" /opt/etc/pam.d/sshd), should look like this:

<code>
auth       required   pam_env.so
auth       required   pam_google_authenticator.so
auth       include    common-auth
account    required   pam_nologin.so
account    include    common-account
session    include    common-session
session    optional   pam_motd.so
session    optional   pam_mail.so standard noenv
session    required   pam_limits.so
password   include    common-password
</code>

Now run the google-authenticator setup and follow the steps:

<code bash>
google-authenticator
</code>

Remember to register the TOTP secret, e.g. by loading it into an app such as AndOTP.

Next, move its config file (.google_authenticator, written to root's home directory) to the /opt/etc directory:

<code bash>
mv .google_authenticator /opt/etc/
</code>

Next, verify that the permissions on the file are "0600". This is very important.

<code bash>
chmod 0600 /opt/etc/.google_authenticator
</code>

Now you should be able to start the sshd service:

<code bash>
/opt/etc/init.d/S40sshd start
</code>

Next, test the configuration from the LAN side by typing the following at the command prompt:

<code bash>
ssh -p 2222 root@
</code>

You should see the following:

<code>
The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.
ED25519 key fingerprint is SHA256:.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
</code>

After typing yes, you should see the following:

<code>
Keyboard-interactive authentication prompts from server:
| Verification code:
</code>

If you see this, it means that 2FA is the only authentication operating. You can now expose port 2222 (or the port you configured) to the Internet.
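Before exposing the port, it is worth confirming that the settings the whole scheme depends on are actually in effect. The script below is an added example (not from the forum thread) that checks the sshd_config directives, the pam_google_authenticator line and the 0600 permissions on the secret described above; its default paths are the Entware paths used on this page, and the sample files it writes for --demo are constructed, not a real router's configuration.

```shell
#!/bin/sh
# Added example: verify the 2FA-relevant settings from this page before opening the port.
# Each check takes a file path; the defaults are the Entware paths used above.

check_sshd_config() {
    f="${1:-/opt/etc/ssh/sshd_config}"; rc=0
    for kv in "UsePAM yes" "ChallengeResponseAuthentication yes" "PasswordAuthentication no"; do
        # only an active (uncommented) directive on its own line counts
        if ! grep -Eiq "^[[:space:]]*${kv% *}[[:space:]]+${kv#* }[[:space:]]*$" "$f"; then
            echo "MISSING in $f: $kv"; rc=1
        fi
    done
    return $rc
}

check_pam_sshd() {
    f="${1:-/opt/etc/pam.d/sshd}"
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$f" && return 0
    echo "MISSING in $f: auth required pam_google_authenticator.so"; return 1
}

check_secret_perms() {
    f="${1:-/opt/etc/.google_authenticator}"
    [ -f "$f" ] || { echo "MISSING: $f"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU/busybox stat, then BSD stat
    [ "$mode" = "600" ] && return 0
    echo "BAD PERMISSIONS on $f: $mode (expected 600)"; return 1
}

# Constructed sample files so the checks can be exercised offline (one good and one bad of each).
make_samples() {
    d=$(mktemp -d)
    printf 'Port 2222\nUsePAM yes\nChallengeResponseAuthentication yes\nPasswordAuthentication no\n' > "$d/sshd_good"
    printf 'Port 2222\nUsePAM yes\n#ChallengeResponseAuthentication yes\nPasswordAuthentication yes\n' > "$d/sshd_bad"
    printf 'auth required pam_env.so\nauth required pam_google_authenticator.so\n' > "$d/pam_good"
    printf 'auth required pam_env.so\n#auth required pam_google_authenticator.so\n' > "$d/pam_bad"
    : > "$d/secret";       chmod 0600 "$d/secret"
    : > "$d/secret_loose"; chmod 0644 "$d/secret_loose"
    echo "$d"
}

# "--demo" runs the checks against the constructed samples; on the router call the functions with the real paths.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    check_sshd_config "$d/sshd_good" && check_pam_sshd "$d/pam_good" && check_secret_perms "$d/secret" && echo "good samples: all checks passed"
    check_sshd_config "$d/sshd_bad"; check_pam_sshd "$d/pam_bad"; check_secret_perms "$d/secret_loose"
    rm -rf "$d"
fi
```

On OpenSSH 8.7 and later, ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication; the check above matches the spelling used on this page.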
PS: /opt/etc/environment is the default file (only comments), so there is nothing to change; maybe a "touch /etc/environment" would have been enough.