====== Setting up 2FA for SSH using Google Authenticator ======

This content was taken from the following forum thread: \\
[[https://www.linksysinfo.org/index.php?threads/howto-set-up-2fa-openssh-with-google-authenticator.78183/#post-345032]]

These are simple configuration notes and thus not intended to be a complete HOWTO. This setup uses OpenSSH with google-authenticator (via PAM) as 2-factor authentication. Only the root user is supported.

Prerequisite: install and set up Entware if it is not already installed. This is not covered here.

Next, install openssh-server and google-authenticator:
<code>
opkg install openssh-server-pam google-authenticator-libpam
</code>
Hopefully, this will include all dependencies.

Next, enable openssh-server. This is not covered here.

Next, create the helper script /opt/etc/init.d/S39pre_ssh with the following contents. It runs before sshd (S40sshd) at boot and puts the TOTP secret and the environment file where the PAM modules expect them:
<code bash>
#!/bin/sh
ENABLED=yes
prefix="/opt"
PATH=${prefix}/bin:${prefix}/sbin:/sbin:/bin:/usr/sbin:/usr/bin

start() {
    # sshd needs this directory for privilege separation
    mkdir -p /var/empty
    chmod 755 /var/empty
    # the persistent copy of the secret lives in /opt/etc; pam_google_authenticator
    # reads it from root's home and refuses a file other users can access
    cp /opt/etc/.google_authenticator /root/.google_authenticator
    chmod 0600 /root/.google_authenticator
    # pam_env.so expects /etc/environment to exist
    cp /opt/etc/environment /etc/environment
}

case "$1" in
    start)
        start
        ;;
    *)
        echo "Usage: $0 (start)"
        exit 1
        ;;
esac
exit 0
</code>

The new service must be enabled at boot time as well:

Next, edit /opt/etc/ssh/sshd_config and change the following from the defaults:
<code>
# change the port if desired
Port 2222
UsePAM yes
PermitRootLogin yes
# called KbdInteractiveAuthentication in newer OpenSSH releases
ChallengeResponseAuthentication yes
PasswordAuthentication no
Subsystem sftp /opt/lib/sftp-server
AuthorizedKeysFile .ssh/authorized_keys
HostKey /opt/etc/ssh/ssh_host_rsa_key
HostKey /opt/etc/ssh/ssh_host_ed25519_key
</code>

The PAM stack for sshd, /opt/etc/pam.d/sshd, should look like this once the comments are stripped (pam_google_authenticator.so comes before the usual common-auth include):
<code>
grep -v "#" /opt/etc/pam.d/sshd
auth required pam_env.so
auth required pam_google_authenticator.so
auth include common-auth
account required pam_nologin.so
account include common-account
session include common-session
session optional pam_motd.so
session optional pam_mail.so standard noenv
session required pam_limits.so
password include common-password
</code>

Now, run the google-authenticator setup and follow the steps:
<code>
google-authenticator
</code>
Remember to record the TOTP secret, or load it into an app such as AndOTP.

Next, move the generated config file (.google_authenticator, written to root's home directory) to /opt/etc:
<code>
mv .google_authenticator /opt/etc/
</code>

Next, verify that the permissions on the file are 0600. This is very important:
<code>
chmod 0600 /opt/etc/.google_authenticator
</code>

Now, you should be able to start the sshd service (on an already running system, run /opt/etc/init.d/S39pre_ssh start first so that the copied files are in place):
<code>
/opt/etc/init.d/S40sshd start
</code>

Next, test the configuration from the LAN side by typing the following at the command prompt:
<code>
ssh -p 2222 root@
</code>
You should see the following:
<code>
The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.
ED25519 key fingerprint is SHA256:.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
</code>

After typing yes, you should see the following:
<code>
Keyboard-interactive authentication prompts from server:
| Verification code:
</code>
If you see this, it means that 2FA is the only authentication operating.

You can now expose port 2222 (or the port you configured) to the Internet (not covered here).

PS: /opt/etc/environment is the default file (comments only), so there is nothing to change in it; a "touch /etc/environment" would probably have been enough.
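As an added example (not part of the forum notes or the Entware packages): a small POSIX sh checker that verifies, before the port is exposed, that sshd_config keeps passwords off with PAM keyboard-interactive on, that the PAM stack asks for the TOTP code before common-auth, and that the secret file is mode 0600. The function names and the sample files built in demo() are my own constructions; point the check_* functions at the real files on the router instead.

```shell
#!/bin/sh
# Added check for the 2FA sshd setup on this page (not from the original notes).
# It verifies what must hold before port 2222 is exposed: plain passwords are off
# while PAM keyboard-interactive is on, the PAM stack asks for the TOTP code
# before the password modules, and the secret file is mode 0600.
# Only POSIX sh, awk, stat and mktemp are used, so it runs under busybox/Entware.

# Print the value of the first uncommented KEYWORD in an sshd_config; sshd itself
# honours the first occurrence, so a later override would not count.
first_value() {  # $1 = file, $2 = keyword
    awk -v k="$2" '/^[[:space:]]*#/ { next }
                   tolower($1) == tolower(k) { print $2; exit }' "$1"
}

check_sshd_config() {  # $1 = sshd_config path
    [ "$(first_value "$1" UsePAM)" = yes ] || { echo "UsePAM must be yes"; return 1; }
    [ "$(first_value "$1" PasswordAuthentication)" = no ] ||
        { echo "PasswordAuthentication must be no"; return 1; }
    # KbdInteractiveAuthentication is the newer name for ChallengeResponseAuthentication
    kbd=$(first_value "$1" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(first_value "$1" ChallengeResponseAuthentication)
    [ "$kbd" = yes ] || { echo "keyboard-interactive authentication must be yes"; return 1; }
}

# pam_google_authenticator.so must be a required auth module and must precede
# "auth include common-auth"; otherwise the stack could pass without a code.
check_pam_stack() {  # $1 = pam.d/sshd path
    awk '/^[[:space:]]*#/ { next }
         $1 == "auth" && $2 == "required" && $3 == "pam_google_authenticator.so" && !ga { ga = NR }
         $1 == "auth" && $2 == "include" && $3 == "common-auth" && !ca { ca = NR }
         END { if (ga && (!ca || ca > ga)) exit 0; exit 1 }' "$1"
}

# The PAM module refuses a secret file that other users could read or write.
check_secret_perms() {  # $1 = .google_authenticator path
    [ "$(stat -c %a "$1")" = 600 ]
}

# Constructed sample files mirroring the page's configuration (demonstration only).
demo() {
    d=$(mktemp -d)
    printf 'Port 2222\nUsePAM yes\nChallengeResponseAuthentication yes\nPasswordAuthentication no\n' > "$d/sshd_config"
    printf 'auth required pam_env.so\nauth required pam_google_authenticator.so\nauth include common-auth\n' > "$d/sshd"
    ( umask 077; : > "$d/.google_authenticator" )
    check_sshd_config "$d/sshd_config" && check_pam_stack "$d/sshd" &&
        check_secret_perms "$d/.google_authenticator" && echo "2FA sshd setup looks consistent"
}
```

On the router, call the three check_* functions with /opt/etc/ssh/sshd_config, /opt/etc/pam.d/sshd and /root/.google_authenticator; each one prints what is wrong and returns non-zero.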