2.3 Two-factor authentication (TFA)

For super-safety, require two-factor or two-step authentication when SSH'ing. The Google Authenticator app can be used for this.

Synchronize watches

For TFA to work, the system clock of your Pi should have accurate time and timezone. Type date to check if the time and timezone are correct. If the timezone is correct but the time is not, you can force the ntp-daemon (the process that syncs the clock with the internet) to refresh:

sudo /etc/init.d/ntp restart

If date displays the wrong timezone, fix it like this: first, get a list of available timezones:

ls -l /usr/share/zoneinfo

Backup your current timezone settings:

mv /etc/localtime /etc/localtime-old

And create a link to the new timezone of your chosing:

ln -sf /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime

Google authenticator

The easy install is this:

sudo apt-get install libpam-google-authenticator

However, this is an old version that does not support (i) SSH'ing for users who do not have TFA configured and (ii) disabling TFA when SSH'ing from LAN or specific ip. To get a more recent version, follow the following steps (from here). I haven't checked this myself (I'm using the old version), but here's a quote from the linked website:

"When using a Debian-like OS, you can install it with a one-liner:

  apt-get install libpam-google-authenticator

But note the packaged version is old and does not support all documented options. Below I talk about the ‘nullok’ option, but that is not supported in the packaged version. You then see this error:

  sshd(pam_google_authenticator)[884]: Unrecognized option "nullok"
  sshd(pam_google_authenticator)[887]: Failed to read "/home/pi/.google_authenticator"

That’s why I suggest building from source, as this can be done quickly:

  apt-get remove libpam-google-authenticator
  apt-get install libpam0g-dev libqrencode3
  cd ~
  wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
  tar jvxf libpam-google-authenticator-1.0-source.tar.bz2
  cd libpam-google-authenticator-1.0/
  make install

Next, set-up TFA for your account (probably 'pi').


Scan the barcode, follow the steps, then edit the following file:

sudo nano /etc/ssh/sshd_config

and make sure ChallengeResponseAuthentication is set to yes.

Edit /etc/pam.d/sshd too, and add this at the very top:

# to skip 2-factor on LAN, enable this and create the file (see below)
# auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
# or, to allow users who haven't setup 2-step auth, add nullok at the end:
# auth required pam_google_authenticator.so nullok

Aaaand refresh:

sudo /etc/init.d/ssh restart

Logout, login and have fun. If it doesn't ask for a code but keeps saying 'password denied', then you didn't do that last refresh.

Disable TFA on LAN (more info)

Before this works, make sure you did the 'complicated' install described earlier (easy install through apt-get installs a version that is too old).

To skip 2-step from LAN sessions, create the file mentioned above:

sudo nano /etc/security/access-local.conf

And put this in it:

# Two-factor can be skipped on local network
 + : ALL :
 + : ALL : LOCAL
 - : ALL : ALL

results matching ""

    No results matching ""