This content was taken from the following forum thread:
https://www.linksysinfo.org/index.php?threads/howto-set-up-2fa-openssh-with-google-authenticator.78183/#post-345032

These are simple configuration notes and thus not intended to be a complete HOWTO.

This setup uses openssh with google-authenticator as 2-Factor Authentication. Only the root user is supported.

Prerequisite: Install/setup entware if it's not already installed. This is not covered here. <Link?>

Next, install openssh-server and google-authenticator:

  opkg install openssh-server-pam google-authenticator-libpam

Hopefully, this will include all dependencies.

Next, enable openssh-server . This is not covered here. <Link?>

Next, configure the correct settings in configuration file /opt/etc/init.d/S39pre_ssh :

  #!/bin/sh

  ENABLED=yes
  prefix="/opt"
  PATH=${prefix}/bin:${prefix}/sbin:/sbin:/bin:/usr/sbin:/usr/bin

  start() {
  mkdir -p /var/empty
  chmod 755 /var/empty
  cp /opt/etc/.google_authenticator /root/.google_authenticator
  cp /opt/etc/environment /etc/environment
  }

  case "$1" in
  start)
  start
  ;;
  *)
  echo "Usage: $0 (start)"
  exit 1
  ;;
  esac

  exit 0

The new service must be enabled at boot time as well:

Next, run /opt/etc/ssh/sshd_config and change the following from the defaults:

  Port 2222 # to be changed if desired
  UsePAM yes
  PermitRootLogin yes
  ChallengeResponseAuthentication yes
  PasswordAuthentication no
  Subsystem sftp /opt/lib/sftp-server
  AuthorizedKeysFile .ssh/authorized_keys
  HostKey /opt/etc/ssh/ssh_host_rsa_key
  HostKey /opt/etc/ssh/ssh_host_ed25519_key

grep -v “#” /opt/etc/pam.d/sshd

  auth required pam_env.so

  auth required pam_google_authenticator.so

  auth include common-auth

  account required pam_nologin.so

  account include common-account

  session include common-session

  session optional pam_motd.so

  session optional pam_mail.so standard noenv

  session required pam_limits.so

  password include common-password

Now, run google-auth setup and follow the steps:

  google-authenticator

Remember to register the TOTP code, or load into an app such as AndOTP.

Next, move its config file (.google_authenticator) to the /opt/etc directory:

  mv .google_authenticator /opt/etc/

Next, Verify the permissions on the file are 0600 . This is very important.

  chmod 0600 /opt/etc/.google_authenticator

Now, you should be able to start the sshd service:

  /opt/etc/init.d/S40sshd start

Next, test the configuration from the LAN side by typing the following at the command prompt:

  ssh -p 2222 root@<lan-ip-of-freshtomato-router>

You should see the following:

  The authenticity of host '[192.168.1.1]:2222 ([192.168.1.1]:2222)' can't be established.
  ED25519 key fingerprint is SHA256:<sha256-here>.
  This key is not known by any other names.
  Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

After typing Yes, you should see the following:

  Keyboard-interactive authentication prompts from server:
  | Verification code:

If you see this, it means that 2FA is the only authentication operating.

You can now expose port 2222 (or the port you configured) to the Internet (not covered here).

PS - /opt/etc/environment is the default - only comments - so nothing to change - maybe a “touch /etc/environment” should have been enough