Differences

This shows you the differences between two versions of the page.

--- 2fa [2024/10/28 14:49] – -Formatting hogwild
+++ 2fa [2025/08/13 04:51] (current) – -Change to: "The default file location is /opt/etc/environment" hogwild
@@ Line 1: / Line 1: @@
 ====== Setting up 2FA for SSH using Google Authenticator ======
-This content was taken from the following forum thread: [[wp>https://www.linksysinfo.org/index.php?threads/howto-set-up-2fa-openssh-with-google-authenticator.78183/#post-345032|Tomato Forum: HOWTO - Set up 2FA openssh with google authenticator]]
+This content was taken from a Tomato forum thread: [[https://www.linksysinfo.org/index.php?threads/howto-set-up-2fa-openssh-with-google-authenticator.78183/#post-345032|HOWTO - Set up 2FA openssh with google authenticator]] .
-These are simple configuration notes, and not intended to be a complete HOWTO.
+These are simple configuration notes, and not intended to be a complete HOWTO. This setup uses openssh with google-authenticator as 2-Factor Authentication. Only the "root" user is supported.\\   \\   \\ **Prerequisites:** Install/setup entware if it isn't already installed. This is not covered here.\\  \\
-This setup uses openssh with google-authenticator as 2-Factor Authentication. Only the root user is supported.
+Install openssh-server and google-authenticator:
  \\
-Prerequisites: Install/setup entware if it isn't already installed. This is not covered here.\\
+    opkg install openssh-server-pam google-authenticator-libpam
- \\ Next, install openssh-server and google-authenticator:
+ \\
-    opkg install openssh-server-pam google-authenticator-libpam
+If this completes without all dependencies, make sure to install any necessary ones.\\
-Hopefully, this will include all dependencies. If not, make sure to install any dependencies.\\
+ \\  \\
- \\
+Next, enable openssh-server . This is not covered here.
+ \\ \\ Configure the correct settings in configuration file /opt/etc/init.d/S39pre_ssh:
  \\
-Next, enable openssh-server . This is not covered here.\\  \\
-Configure the correct settings in configuration file /opt/etc/init.d/S39pre_ssh: \\
     #!/bin/sh
@@ Line 52: / Line 50: @@
  \\
-The new service must be enabled at boot time as well:
+The new service must be enabled at boot time as well. Make the following changes to the file: "/opt/etc/ssh/sshd_config:
- \\
-Next, run /opt/etc/ssh/sshd_config and change the following from the defaults:
  \\
@@ Line 101: / Line 95: @@
 Now, run google-auth setup and follow the steps:
+ \\
     google-authenticator
@@ Line 113: / Line 109: @@
 Next, move its config file (.google_authenticator) to the /opt/etc directory:
+ \\
     mv .google_authenticator /opt/etc/
@@ Line 119: / Line 117: @@
 Next, Verify the permissions on the file are "0600" . This is very important.
+ \\
     chmod 0600 /opt/etc/.google_authenticator
@@ Line 125: / Line 125: @@
 Now, you should be able to start the sshd service:
+ \\
     /opt/etc/init.d/S40sshd start
@@ Line 131: / Line 133: @@
  \\ Next, test the configuration from the LAN side by typing the following at the command prompt:
+ \\
     ssh -p 2222 root@<lan-ip-of-freshtomato-router>
@@ Line 148: / Line 152: @@
 After typing Yes, you should see the following:
+ \\
     Keyboard-interactive authentication prompts from server:
     | Verification code:
- \\ If you see this, it means that 2FA is the only authentication operating.
+ \\ If you see this, it means that 2FA is the only authentication operating. You can now expose port 2222 (or your configured port) to the Internet. .
  \\
-You can now expose port 2222 (or the port you configured) to the Internet. .
+The default file location is: "/opt/etc/environment"
  \\
  \\
-PS - /opt/etc/environment is the default - only comments - so nothing to change - maybe a "touch /etc/environment" should have been enough

FreshTomato Wiki

User Tools

Site Tools

Differences

Page Tools