K-Fun Yu Home

Two-Factor Authentication on Raspberry Pi

May 28 2020

I came across an article today on how to set up Two-Factor Authentication (2FA) login on a Raspberry Pi. This is especially useful if you connect to your Raspberry Pi over SSH and/or use it as a server. This extra layer of security should make your Pi safer when it is accessible from the internet. Please refer to the source article for detailed instructions.

Source: Setting up two-factor authentication on your Raspberry Pi

In summary, the steps:

  1. Update the OS:
    $ sudo apt-get update
    $ sudo apt-get full-upgrade
  2. Enable SSH:
    $ sudo systemctl enable ssh
    $ sudo systemctl start ssh
  3. Enable challenge-response by changing ChallengeResponseAuthentication to yes:
    $ sudo nano /etc/ssh/sshd_config
  4. Restart SSH daemon:
    $ sudo systemctl restart ssh
  5. Install a 2FA app on your phone, such as Google Authenticator or Authy
  6. Install Google Authenticator PAM module:
    $ sudo apt install libpam-google-authenticator
  7. Configure 2FA:
    Make the terminal wider for QR code generation, then run without using sudo: $ google-authenticator
    • Add / Scan QR code with your 2FA app on phone
    • "Y" to let Google Authenticator update the .google_authenticator file
    • "Y" to disallow multiple uses of same authentication token
    • "N" to increase the time skew window
    • "Y" to rate limiting in order to protect against brute-force attacks
  8. Enable 2FA by adding the line auth required pam_google_authenticator.so above or below @include common-auth (aka the password prompt):
    $ sudo nano /etc/pam.d/sshd
  9. Restart SSH daemon:
    $ sudo systemctl restart ssh
  10. Test your 2FA SSH connection

Footnote: I have yet to make 2FA work with SFTP. If it is essential for you, the workaround would be to temporarily comment out (#) the auth required pam_google_authenticator.so line in the /etc/pam.d/sshd file (remember to restart the SSH daemon) whenever you need to connect over SFTP, and then re-enable 2FA afterwards.
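
One way to confirm that the edits from steps 3 and 8 are in effect, and that the 2FA line was not left commented out after the SFTP workaround. This is an added example, not taken from this post or the source article; the function names check_2fa, sshd_value, pam_2fa_active and demo are made up for the illustration, and the files built in demo are constructed samples.

```shell
#!/bin/sh
# Added example: check that the sshd and PAM edits from steps 3 and 8 are active.

# Print the effective (lower-cased) value of an sshd_config keyword.
# Assumes whitespace-separated "Keyword value" lines; Match blocks and Include
# files are not followed. sshd keeps the first value it reads for a keyword.
sshd_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$2"
}

# True if an uncommented "auth required pam_google_authenticator.so" line exists.
pam_2fa_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1"
}

# check_2fa SSHD_CONFIG PAM_FILE: report each setting, return 0 only if both are on.
check_2fa() {
    rc=0
    if [ "$(sshd_value ChallengeResponseAuthentication "$1")" = "yes" ]; then
        echo "OK   ChallengeResponseAuthentication yes"
    else
        echo "FAIL ChallengeResponseAuthentication is not set to yes in $1"
        rc=1
    fi
    if pam_2fa_active "$2"; then
        echo "OK   pam_google_authenticator.so is required for auth"
    else
        echo "FAIL pam_google_authenticator.so line missing or commented out in $2"
        rc=1
    fi
    return "$rc"
}

# Demo on constructed sample files: 2FA line commented out, as in the SFTP workaround.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#ChallengeResponseAuthentication no' \
        'ChallengeResponseAuthentication yes' > "$d/sshd_config"
    printf '%s\n' '#auth required pam_google_authenticator.so' \
        '@include common-auth' > "$d/pam_sshd"
    check_2fa "$d/sshd_config" "$d/pam_sshd" && st=0 || st=$?
    rm -rf "$d"
    return "$st"
}

# Two arguments: check real files (e.g. /etc/ssh/sshd_config /etc/pam.d/sshd); none: demo.
if [ "$#" -eq 2 ]; then check_2fa "$1" "$2"; else demo || :; fi
```

Run it with the two file paths after every edit to /etc/pam.d/sshd; a non-zero exit status means SSH logins are not protected by the second factor.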