====== Setting up 2FA for SSH using Google Authenticator ======
This content was taken from the following forum thread: \\ [[https://www.linksysinfo.org/index.php?threads/howto-set-up-2fa-openssh-with-google-authenticator.78183/#post-345032]]
\\
These are simple configuration notes and thus not intended to be a complete HOWTO.
This setup uses openssh with google-authenticator as the second factor (2FA). Only the root user is supported.
\\
Prerequisite: Install/setup entware if it's not already installed. This is not covered here. \\
\\ Next, install openssh-server and google-authenticator:
opkg install openssh-server-pam google-authenticator-libpam
Hopefully, this will include all dependencies. \\
\\
Next, enable openssh-server. This is not covered here. \\ \\
Next, create the helper init script /opt/etc/init.d/S39pre_ssh with the following contents: \\ \\
#!/bin/sh
# Runs before S40sshd: prepares the privilege-separation directory and copies
# the TOTP secret and the environment file from /opt into the locations that
# sshd and PAM expect.
ENABLED=yes
prefix="/opt"
PATH=${prefix}/bin:${prefix}/sbin:/sbin:/bin:/usr/sbin:/usr/bin

start() {
    # privilege-separation directory required by sshd
    mkdir -p /var/empty
    chmod 755 /var/empty
    # put the secret back in root's home at every boot; the master copy lives in /opt/etc
    cp /opt/etc/.google_authenticator /root/.google_authenticator
    cp /opt/etc/environment /etc/environment
}

case "$1" in
    start)
        start
        ;;
    *)
        echo "Usage: $0 (start)"
        exit 1
        ;;
esac
exit 0
\\
The new service must also be enabled at boot time.
\\
Next, edit /opt/etc/ssh/sshd_config and change the following from the defaults:
Port 2222 # to be changed if desired
UsePAM yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
Subsystem sftp /opt/lib/sftp-server
AuthorizedKeysFile .ssh/authorized_keys
HostKey /opt/etc/ssh/ssh_host_rsa_key
HostKey /opt/etc/ssh/ssh_host_ed25519_key
\\
Next, check the PAM stack for sshd. With comments stripped, /opt/etc/pam.d/sshd should read as follows:
grep -v "#" /opt/etc/pam.d/sshd
auth required pam_env.so
auth required pam_google_authenticator.so
auth include common-auth
account required pam_nologin.so
account include common-account
session include common-session
session optional pam_motd.so
session optional pam_mail.so standard noenv
session required pam_limits.so
password include common-password
\\
Now, run the google-authenticator setup and follow the prompts:
google-authenticator
Remember to register the TOTP secret, or load it into an app such as AndOTP.
\\
Next, move its config file (.google_authenticator) to the /opt/etc directory:
mv .google_authenticator /opt/etc/
\\
Next, verify that the permissions on the file are 0600. This is very important: the file contains the TOTP secret.
chmod 0600 /opt/etc/.google_authenticator
\\
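Before starting sshd it is worth checking that the three pieces configured above (sshd_config, the PAM stack and the secret file) agree with each other. The script below is an added example for this page, not part of the original thread or of any Entware package. It takes a root directory as its argument so it can be run against /opt on the router, and with no argument it builds two constructed sample trees (a "good" one mirroring this page and a "bad" one with password logins left on and a world-readable secret) and audits both. The sample secret `JBSWY3DPEHPK3PXP` is a constructed placeholder, not a real credential.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the sshd + PAM + secret
# file configuration described on this page under a given root directory.

# Return 0 if sshd_config sets keyword $2 to value $3. Keywords are matched
# case-insensitively and a trailing "# comment" (as on the Port line) is allowed.
sshd_has() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|#|\$)" "$1" >/dev/null 2>&1
}

check_2fa_setup() {
    root="$1"
    cfg="$root/etc/ssh/sshd_config"
    pam="$root/etc/pam.d/sshd"
    secret="$root/etc/.google_authenticator"
    rc=0

    # 1. sshd must defer to PAM, use keyboard-interactive prompts (that is how the
    #    verification code is asked for) and refuse plain password logins.
    for pair in "UsePAM yes" "ChallengeResponseAuthentication yes" \
                "PasswordAuthentication no" "PermitRootLogin yes"; do
        key=${pair%% *}
        val=${pair#* }
        sshd_has "$cfg" "$key" "$val" || { echo "sshd_config: expected '$pair'"; rc=1; }
    done

    # 2. The PAM stack must require the google-authenticator module for auth.
    grep -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' \
        "$pam" >/dev/null 2>&1 \
        || { echo "pam.d/sshd: 'auth required pam_google_authenticator.so' missing"; rc=1; }

    # 3. The secret file must exist, be owner-only (0600) and be in TOTP mode.
    if [ ! -f "$secret" ]; then
        echo "$secret: missing"; rc=1
    else
        perm=$(ls -ld "$secret" | cut -c1-10)
        [ "$perm" = "-rw-------" ] || { echo "$secret: mode is $perm, expected -rw-------"; rc=1; }
        grep -q '^" TOTP_AUTH' "$secret" || { echo "$secret: no TOTP_AUTH option"; rc=1; }
    fi
    return "$rc"
}

# Build a constructed sample tree in a temporary directory and print its path.
# "good" mirrors this page; "bad" keeps password logins and a 0644 secret file.
make_sample_tree() {
    kind="$1"
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/ssh" "$dir/etc/pam.d"
    if [ "$kind" = good ]; then pw=no; mode=0600; else pw=yes; mode=0644; fi
    cat >"$dir/etc/ssh/sshd_config" <<EOF
Port 2222 # to be changed if desired
UsePAM yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication $pw
EOF
    cat >"$dir/etc/pam.d/sshd" <<'EOF'
auth required pam_env.so
auth required pam_google_authenticator.so
auth include common-auth
EOF
    # Constructed secret file (placeholder key, not a real credential): the
    # base32 key on the first line, then the options google-authenticator writes.
    cat >"$dir/etc/.google_authenticator" <<'EOF'
JBSWY3DPEHPK3PXP
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
EOF
    chmod "$mode" "$dir/etc/.google_authenticator"
    echo "$dir"
}

# On the router: sh check_2fa.sh /opt   (no argument = audit the sample trees)
if [ $# -ge 1 ]; then
    check_2fa_setup "$1"
else
    for kind in good bad; do
        d=$(make_sample_tree "$kind")
        if check_2fa_setup "$d"; then echo "$kind tree: OK"; else echo "$kind tree: FAIL"; fi
        rm -rf "$d"
    done
fi
```

The permission check uses `ls -ld` rather than `stat` so it behaves the same on the router's busybox and on a desktop; the secret file check looks for the `" TOTP_AUTH` option because the PAM module only does time-based codes when that line is present.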
Now, you should be able to start the sshd service:
/opt/etc/init.d/S40sshd start
\\
Next, test the configuration from the LAN side by typing the following at the command prompt:
ssh -p 2222 root@
You should see the following:
The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.
ED25519 key fingerprint is SHA256:.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
\\
After typing yes, you should see the following:
Keyboard-interactive authentication prompts from server:
| Verification code:
If you see this prompt, 2FA is the authentication path in use (password-only login is disabled).
\\
You can now expose port 2222 (or the port you configured) to the Internet (not covered here).
\\
PS: /opt/etc/environment is the default file and contains only comments, so there is nothing to change in it; a plain "touch /etc/environment" in the init script would probably have been enough.