How to add 2 factor authentication (2FA) in Raspberry PI OS Lite with Google Authenticator for ssh login
Debian based systems can easily integrate Google Authenticator to enhance security in your ssh login.
This guide will show how to install Google Authenticator to add a second authentication level in your ssh session.
What We Need
As usual, I suggest adding from now to your favourite e-commerce shopping cart all the needed hardware, so that at the end you will be able to evaluate overall costs and decide if continue with the project or remove them from the shopping cart. So, hardware will be only:
- Raspberry PI (including proper power supply or using a smartphone micro usb charger with at least 3A)
- micro SD card (at least 16 GB, at least class 10)
- an Android smartphone
Step-by-Step Procedure
First of all, with your Smartphone install Google Authenticator App from Google Play store.
From Raspberry side, if not still installed, please prepare OS: install Raspberry PI OS Lite in your Raspberry PI.
Make your OS up to date:
sudo apt update sudo apt upgrade
Install Google Authenticator PAM module:
sudo apt install libpam-google-authenticator
Configure SSH to use Google Authenticator PAM module. Edit the following file:
sudo nano /etc/pam.d/sshd
appending this line at the end:
auth required pam_google_authenticator.so
Restart ssh service:
sudo systemctl restart ssh.service
Enable challenge in ssh authentication config. Edit the following file:
sudo nano /etc/ssh/sshd_config
change ChallengeResponseAuthentication from no to yes, so that this part appears like the following:
#Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication yes
Now run google authenticator from terminal by simply typing:
google-authenticator
Before starting to configure, please note that your terminal will show a link on top of a giant QR code:
This link will be used later for Google Authenticator app in order to receive autenthication token. Copy it in safe location, we’ll use it later.
Under the QR code, you will find emergency codes. Keep them in safe location, these codes will be necessary if you loose your smartphone or if it becomes unusable:
Now go down to answer following config questions. Below suggested answers:
- Make tokens “time-base””: y
- Update the .google_authenticator file: y
- Disallow multiple uses: y
- Increase the original generation time limit: n
- Enable rate-limiting: y
Ok, from Raspbian side configuration is complete.
Open the link just saved (the one above giant QR code keep from terminal) in your browser. This will show a page with a QR code:
In your SmartPhone, open Google Authenticator app and tap the button with cross in bottom right side:
then select “Scan a Barcode”. With your camera, please focus on QR code in your browser.
A new token will appear in your screen:
This token will change time by time and you will use it together with your password to login in ssh.
Reboot your Raspberry PI:
sudo reboot
In your new ssh login, you will be asked for:
- User id
- Password (which is your ssh keyboard passowrd)
- Verification code (which is code from Google Autenthicator)
Enjoy!
Excellent post, just added 2 factor codes to SSH access. Using Yubikey Authenticator with a Yubi NFC key.
Had looked at other websites, but above most straightforward explanation and as a raspberry noob very important
Thank you for your feedback, glad it helped!