----------------------------------------
How I enabled Two-factor authentication (2FA) on Alpine Linux sshd
March 16th, 2021
----------------------------------------
I noticed that the "Two Factors [sic] Authentication With OpenSSH"
entry on the Alpine Linux wiki actually seems to enable only one-factor
authentication, namely google authenticator (or pubkey).
That's great and all, but I really like my old school password, and I
do like 2FA, so here's what I did to get OpenSSH to ask for both the
google-authenticator code and the password:
First off, install the google authenticator package and the PAM-enabled
version of OpenSSH (no need to uninstall the old version). On Alpine
this is done with:

    apk add google-authenticator openssh-server-pam
Now edit your /etc/ssh/sshd_config file; there are four directives
which need to be altered:

    PasswordAuthentication no
    AuthenticationMethods keyboard-interactive
    ChallengeResponseAuthentication yes
    UsePAM yes

With these, sshd's own password check is off and the password prompt
comes from PAM instead, as part of the keyboard-interactive exchange.
Please read up on the AuthenticationMethods directive if you want to
use public key authentication as well.
Now you will need to edit/create the /etc/pam.d/sshd file, which does
not exist by default on Alpine. It needs the following six lines (yes,
one is empty):

    account include base-account
    auth required pam_env.so
    auth required pam_nologin.so successok
    auth required /lib/security/pam_google_authenticator.so
    auth required pam_unix.so md5 sha512
Now you will want to run google-authenticator for every account on
your system which you'd like to allow ssh access to.
For the first two questions that google-authenticator asks, you'll
want to respond with yes. For the remaining questions, respond with
your personal preference.
Finally you will want to run "service sshd reload" to apply the
changes... If you are logged into your system remotely, make damn sure
that the command succeeds, and also open an additional terminal (don't
close the one you're currently using) and attempt an additional login
to your system. Both the google authenticator PAM module and OpenSSH
log to /var/log/messages on Alpine, so troubleshooting them is
typically not very difficult.
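As an added check (my own, not part of the original entry), the POSIX sh below inspects an sshd_config and a PAM stack file and reports whether every setting from the steps above is actually present, so a missing pam_unix.so line (TOTP only) or a stray PasswordAuthentication yes is caught before you reload sshd. It assumes directives are written in the "Keyword value" form and runs against constructed sample files, not your live system.

```shell
# Added check, not part of the original entry: verify that an sshd_config and a
# PAM stack file carry the settings described above. Assumes "Keyword value" form.

# sshd_get <config> <keyword>: value of the FIRST matching directive (sshd uses
# the first occurrence; keyword is case-insensitive), or nothing if absent.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# check_sshd_2fa <sshd_config> <pam_sshd>: return 0 only when every setting from
# the entry is present; each wrong or missing item is reported on stderr.
check_sshd_2fa() {
    cfg=$1 pam=$2 ok=0
    for pair in PasswordAuthentication=no ChallengeResponseAuthentication=yes UsePAM=yes; do
        key=${pair%%=*} want=${pair#*=}
        got=$(sshd_get "$cfg" "$key")
        [ "$got" = "$want" ] || { echo "sshd_config: $key is '${got:-unset}', want '$want'" >&2; ok=1; }
    done
    # keyboard-interactive must be among the methods, or PAM never gets a turn
    case " $(sshd_get "$cfg" AuthenticationMethods) " in
        *keyboard-interactive*) ;;
        *) echo "sshd_config: AuthenticationMethods lacks keyboard-interactive" >&2; ok=1 ;;
    esac
    # Both modules must be 'required' in the auth stack; drop either and only one factor is enforced
    for mod in pam_google_authenticator.so pam_unix.so; do
        grep -Eq "^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*$mod" "$pam" \
            || { echo "pam: no 'auth required ... $mod' line" >&2; ok=1; }
    done
    return $ok
}

# Constructed sample files (not real system files) so the check runs offline.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
PasswordAuthentication no
AuthenticationMethods keyboard-interactive
ChallengeResponseAuthentication yes
UsePAM yes
EOF
cat > "$tmp/pam_sshd" <<'EOF'
account include base-account
auth required pam_env.so
auth required pam_nologin.so successok
auth required /lib/security/pam_google_authenticator.so
auth required pam_unix.so md5 sha512
EOF
check_sshd_2fa "$tmp/sshd_config" "$tmp/pam_sshd" && echo "password + TOTP enforced"
```

Point the two arguments at /etc/ssh/sshd_config and /etc/pam.d/sshd to check a real host; it only reads the files and still leaves "sshd -t" and the second-terminal login test to you.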
I hope someone else finds this useful. Good luck!
p.s. The google authenticator PAM module supports some cool options;
check them out on github for more information!