Currently just a drop from the thread where this was posted: https://www.linksysinfo.org/index.php?threads/howto-set-up-2fa-openssh-with-google-authenticator.78183/#post-345032
OpenSSH with google-authenticator as 2FA (root user only).
This is not a full how-to, just my overly simplified notes and configs.
the prerequisites:
- set up entware (not covered here)
- opkg install openssh-server-pam google-authenticator-libpam
  (hopefully this should cover all the dependencies)
- enable openssh server (not covered here)
now the configs:
/opt/etc/init.d/S39pre_ssh
#!/bin/sh

ENABLED=yes
prefix="/opt"
PATH=${prefix}/bin:${prefix}/sbin:/sbin:/bin:/usr/sbin:/usr/bin

start() {
    # sshd needs its privilege-separation directory to exist
    mkdir -p /var/empty
    chmod 755 /var/empty
    # copy the TOTP secret from /opt/etc (where it is kept) into root's home
    # at boot; pam_google_authenticator rejects a secret file that is not
    # readable by its owner only, so re-assert 0600 on the copy
    cp /opt/etc/.google_authenticator /root/.google_authenticator
    chmod 0600 /root/.google_authenticator
    cp /opt/etc/environment /etc/environment
}

case "$1" in
    start)
        start
        ;;
    *)
        echo "Usage: $0 (start)"
        exit 1
        ;;
esac

exit 0
this new service needs to be enabled at boot-time as well
/opt/etc/ssh/sshd_config (only what's changed from the default, I believe)
Port 2222   # to be changed if desired
UsePAM yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
Subsystem sftp /opt/lib/sftp-server
AuthorizedKeysFile .ssh/authorized_keys
HostKey /opt/etc/ssh/ssh_host_rsa_key
HostKey /opt/etc/ssh/ssh_host_ed25519_key
grep -v "#" /opt/etc/pam.d/sshd
auth required pam_env.so
auth required pam_google_authenticator.so
auth include common-auth
account required pam_nologin.so
account include common-account
session include common-session
session optional pam_motd.so
session optional pam_mail.so standard noenv
session required pam_limits.so
password include common-password
now run the google-authenticator setup and it will guide you through the steps:
google-authenticator
make sure you register the TOTP code or load it into an app like AndOTP. Now it's time to move its config file to /opt/etc:
mv .google_authenticator /opt/etc/
make sure the permissions of the file are 0600 (very important):
chmod 0600 /opt/etc/.google_authenticator
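Before starting sshd it is worth confirming that the three pieces above line up: sshd hands the prompt to PAM and does not accept a plain password on its own, pam_google_authenticator is "required" and listed before common-auth, and the secret file is owner-only. The pre-flight check below is an added example written for these notes, not a script from the original post or from the google-authenticator project; the helper names (has_directive, check_2fa_setup, make_sample_tree) are my own, the paths are the ones used in the notes, and the sample config tree it builds is constructed test data, not a copy of a real router.

```shell
#!/bin/sh
# Added example (not part of the original notes): pre-flight check for the
# 2FA setup, run against a config tree rooted at $1 so it can be tried on a
# constructed copy as well as on the live router (root = /).

# has_directive FILE KEYWORD VALUE: true if FILE sets KEYWORD to VALUE.
# sshd keywords are case-insensitive; commented-out lines do not match.
has_directive() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|\$)" "$1"
}

# check_2fa_setup ROOT: prints each problem found, returns 0 only if all clear.
check_2fa_setup() {
    root="${1%/}"
    sshd_cfg="$root/opt/etc/ssh/sshd_config"
    pam_cfg="$root/opt/etc/pam.d/sshd"
    secret="$root/opt/etc/.google_authenticator"
    fail=0

    # sshd must route the code prompt through PAM and must not accept a
    # plain password itself, otherwise the TOTP step could be skipped.
    for kv in "UsePAM yes" "ChallengeResponseAuthentication yes" "PasswordAuthentication no"; do
        set -- $kv
        has_directive "$sshd_cfg" "$1" "$2" || { echo "sshd_config: expected '$kv'"; fail=1; }
    done

    # pam_google_authenticator must be 'required' (a 'sufficient' entry
    # elsewhere could otherwise short-circuit it) and must come before
    # common-auth so the verification code is asked first, as in the notes.
    ga=$(grep -n -E '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_cfg" | head -n 1 | cut -d: -f1)
    ca=$(grep -n -E '^auth[[:space:]]+include[[:space:]]+common-auth' "$pam_cfg" | head -n 1 | cut -d: -f1)
    if [ -z "$ga" ]; then
        echo "pam.d/sshd: no 'auth required pam_google_authenticator.so' line"; fail=1
    elif [ -n "$ca" ] && [ "$ga" -gt "$ca" ]; then
        echo "pam.d/sshd: pam_google_authenticator.so is listed after common-auth"; fail=1
    fi

    # the secret must exist and be readable by its owner only (0600 or 0400);
    # the PAM module refuses a secret file with wider permissions.
    if [ ! -f "$secret" ]; then
        echo "secret: $secret is missing"; fail=1
    else
        mode=$(stat -c '%a' "$secret" 2>/dev/null || stat -f '%Lp' "$secret")
        case "$mode" in
            600|400) ;;
            *) echo "secret: mode is $mode, expected 0600"; fail=1 ;;
        esac
    fi
    return $fail
}

# make_sample_tree DIR good|bad: constructed config tree for trying the check
# offline (sample data only; the secret line is a placeholder, not a real key).
make_sample_tree() {
    mkdir -p "$1/opt/etc/ssh" "$1/opt/etc/pam.d"
    if [ "$2" = good ]; then
        printf 'Port 2222\nUsePAM yes\nChallengeResponseAuthentication yes\nPasswordAuthentication no\n' > "$1/opt/etc/ssh/sshd_config"
        printf 'auth required pam_env.so\nauth required pam_google_authenticator.so\nauth include common-auth\n' > "$1/opt/etc/pam.d/sshd"
        printf 'CONSTRUCTEDSECRETNOTREAL\n' > "$1/opt/etc/.google_authenticator"
        chmod 0600 "$1/opt/etc/.google_authenticator"
    else
        # weak variant: password auth left on, PAM order reversed, secret world-readable
        printf 'Port 2222\nUsePAM yes\nChallengeResponseAuthentication yes\nPasswordAuthentication yes\n' > "$1/opt/etc/ssh/sshd_config"
        printf 'auth include common-auth\nauth required pam_google_authenticator.so\n' > "$1/opt/etc/pam.d/sshd"
        printf 'CONSTRUCTEDSECRETNOTREAL\n' > "$1/opt/etc/.google_authenticator"
        chmod 0644 "$1/opt/etc/.google_authenticator"
    fi
}

# demo on a constructed tree; on the router run: check_2fa_setup /
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir" good
check_2fa_setup "$demo_dir" && echo "2FA pre-flight: OK"
rm -rf "$demo_dir"
```

The check only looks at the configuration files; it does not confirm that sshd was actually restarted with them or that the secret in /root matches the one in /opt/etc, so run it, then do the LAN-side login test described next.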
now, if memory serves me well, you can start the sshd service:
/opt/etc/init.d/S40sshd start
and test it from the LAN side:
ssh -p 2222 root@<lan-ip-of-tomato-router>
and you should be greeted by:
The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.
ED25519 key fingerprint is SHA256:<sha256-here>.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
and now the most important part:
Keyboard-interactive authentication prompts from server:
| Verification code:
that means that the 2FA step is working (the verification code is requested first, as the PAM order above dictates)
you can now expose port 2222 (or the one you configured) to the internet (not covered here)
@Moderators - please edit/move this post as needed
PS - /opt/etc/environment is the default (only comments), so nothing to change; maybe a "touch /etc/environment" should have been enough