1. Configure OpenWrt's built-in Dropbear SSH to listen on the LAN only and on a port other than 22 (e.g., 20022). If anything goes wrong with OpenSSH, you should still be able to log in from your local network using Dropbear. In this tutorial the router IP is the default 192.168.1.1.

2. Log into the router using Dropbear and install the openssh-server-pam and google-authenticator-libpam packages:

   ```
   opkg install google-authenticator-libpam openssh-server-pam
   ```

3. Set up OpenSSH public/private key authentication. This is no different from a typical non-MFA scenario; I've just followed this excellent guide.

4. Run google-authenticator (in the open Dropbear session) and enroll in MFA. You can use Google Authenticator, Microsoft Authenticator or any other MFA app that implements the standard Time-based One-time Password algorithm (TOTP, RFC 6238). Follow this guide precisely, starting from "Run the initialization app" and stopping at "Step 2 - Configuring OpenSSH".

5. Edit /etc/ssh/sshd_config (with nano /etc/ssh/sshd_config) to make these scattered changes:

   ```
   AuthenticationMethods publickey,keyboard-interactive
   ```

   With this setting a login must first present a valid public key and then pass the keyboard-interactive (PAM) challenge, so the TOTP code is required on top of the key rather than instead of it. Here is a working version of /etc/ssh/sshd_config (only the file's comment lines are reproduced here):

   ```
   # This is the sshd server system-wide configuration file.
   # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
   # The strategy used for options in the default sshd_config shipped with
   # OpenSSH is to specify options with their default value where
   # but this is overridden so installations will only check.
   # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
   # Change to yes if you don't trust ~/.ssh/known_hosts for
   # Don't read the user's ~/.rhosts and ~/.shosts files
   # To disable tunneled clear text passwords, change to no here!
   # Change to no to disable s/key passwords
   # Set this to 'yes' to enable PAM authentication, account processing,
   # If this is enabled, PAM authentication will
   # be allowed through the ChallengeResponseAuthentication and
   # PAM authentication via ChallengeResponseAuthentication may bypass
   # the setting of "PermitRootLogin without-password".
   # If you just want the PAM account and session checks to run without
   # PAM authentication, then enable this but set PasswordAuthentication
   # and ChallengeResponseAuthentication to 'no'.
   # Example of overriding settings on a per-user basis
   ```

6. Edit /etc/pam.d/sshd (with nano /etc/pam.d/sshd) to make these changes:

   ```
   #auth include common-auth
   ```
   (must be commented out)

   ```
   auth required /usr/lib/security/pam_google_authenticator.so
   ```
   (append at the very end of the file)

   NOTE: The above two lines are very important and a difference from all the guides I've linked above. They suggested using "auth required pam_google_authenticator.so". However, at least in OpenWrt 19.07, PAM then tries to load the module from /lib/security and that fails, because the current google-authenticator-libpam package installs pam_google_authenticator.so into /usr/lib/security, so the absolute path is needed. Here is a working version of /etc/pam.d/sshd: the file starts with the comment "# PAM configuration for the Secure Shell service", has the common-auth include commented out as above, and ends with the pam_google_authenticator.so line.

7. Restart the OpenSSH service (service sshd restart from the still-open Dropbear session of step 2) and test that you can connect to OpenSSH as root on port 22 from some other host.

Enabling OATH TFA for a Proxmox VE user (pve realm):

1. Run the OATH key generator command (oathkeygen) to create a random Key ID.

2. In the GUI, under User Management, add this Key ID to the user in question: edit the user and add the Key ID in the Key IDs field.

3. On your smartphone, download Starling 2FA. There is no bar code to scan; you need to add the generated key manually.

4. Finally, once the Key ID has been added to the user in question and to Starling 2FA on your phone, go to Permissions > Authentication, select the pve realm, edit it, enable the OATH TFA method, select the check box where it says Default, and press Okay to save. Don't log out yet; open another browser to test it first.

Note: It is highly recommended to add a new Key ID for the root user as well and to enable OATH TFA for the PAM realm as well.

I highly recommend you use the "Starling 2FA" app on your phone instead of Google Authenticator, since you can back up 2FA accounts to the cloud and access them on multiple devices, which is not possible with Google Authenticator. Starling 2FA is available on iPhone and Android, and you can use it instead of GAuth across all your internet accounts that provide MFA. I've been using it for years and it's so good. I once forgot my phone and I was able to access my accounts from my iPad. Since they are all synced to the cloud, there is no worry about losing the phone. Besides, all 2FA accounts are encrypted using my password.
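The TOTP algorithm (RFC 6238) that the authenticator apps above, pam_google_authenticator and Proxmox's OATH TFA all share, as an added example that is not code from the original post or from either project. It assumes the common defaults of HMAC-SHA1, 30-second steps and 6 digits; the base32 secret format, the RFC 6238 test key and the one-step verification window are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def generate_secret(nbytes: int = 20) -> str:
    """Fresh base32 secret, the form an authenticator app takes when a key is entered manually."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore stripped base32 padding
    now = int(time.time()) if at is None else int(at)
    return hotp(base64.b32decode(padded), now // step, digits)


def verify(secret_b32: str, code: str, at: Optional[int] = None,
           window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the code of the current step or of up to `window` steps either side
    (tolerates clock skew), comparing in constant time. The +/-1 window is an
    assumption for this demo, not the PAM module's own setting."""
    now = int(time.time()) if at is None else int(at)
    for skew in range(-window, window + 1):
        expected = totp(secret_b32, now + skew * step, step, digits)
        if hmac.compare_digest(expected.encode("ascii"), code.encode("utf-8")):
            return True
    return False


# Constructed demo secret: the RFC 6238 test key, ASCII "12345678901234567890", in base32.
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")

if __name__ == "__main__":
    print(totp(RFC6238_SECRET, at=59))               # 287082 (RFC vector 94287082, last 6 digits)
    print(verify(RFC6238_SECRET, "287082", at=89))   # True: one step later, still inside the window
    print(verify(RFC6238_SECRET, "287082", at=120))  # False: two steps later, a replayed code
```

Because the code is derived only from the shared secret and the clock, a server whose time drifts by more than the window rejects valid codes, which is why both the router and the phone need a correct time source.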