Two-Factor Authentication on Raspberry Pi
May 28 2020
I came across an article today on how to set up Two-Factor Authentication (2FA) login on a Raspberry Pi. This is especially useful if you connect to your Raspberry Pi over SSH and/or use it as a server. This extra layer of security should make your Pi safer when it is accessible from the internet. Please refer to the source article for detailed instructions.
Source: Setting up two-factor authentication on your Raspberry Pi
In summary, the steps:
- Update the OS:
$ sudo apt-get update
$ sudo apt-get full-upgrade
- Enable SSH:
$ sudo systemctl enable ssh
$ sudo systemctl start ssh
- Enable challenge-response by changing ChallengeResponseAuthentication to yes:
$ sudo nano /etc/ssh/sshd_config
- Restart SSH daemon:
$ sudo systemctl restart ssh
- Install a 2FA app on your phone, such as Google Authenticator or Authy
- Install Google Authenticator PAM module:
$ sudo apt install libpam-google-authenticator
- Configure 2FA:
Make the terminal wider for QR code generation, then run without using sudo:
$ google-authenticator
- Add / Scan QR code with your 2FA app on phone
- "Y" to let Google Authenticator update the .google_authenticator file
- "Y" to disallow multiple uses of same authentication token
- "N" to increasing the time skew window (keep the default window)
- "Y" to rate limiting in order to protect against brute-force attacks
- Enable 2FA by adding the line auth required pam_google_authenticator.so above or below @include common-auth (aka the password prompt):
$ sudo nano /etc/pam.d/sshd
- Restart SSH daemon:
$ sudo systemctl restart ssh
- Test your 2FA SSH connection
Footnote: I have yet to make 2FA work with SFTP. If it is essential for you, the workaround would be to temporarily comment out (#) the auth required pam_google_authenticator.so line in the /etc/pam.d/sshd file (remember to restart the SSH daemon) whenever you need to connect over SFTP, and then re-enable 2FA afterwards.
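
Because the SFTP workaround leaves 2FA switched off until the PAM line is uncommented again, a quick audit of the two edited files is useful. The script below is an added example, not part of the source article: the function names are hypothetical, the KbdInteractiveAuthentication fallback is the name newer OpenSSH releases use for the same option, and it does not follow Include or Match directives.

```shell
#!/bin/sh
# Added example: audit that the two edits from the steps above are in effect.
# Paths default to the files named on the page; pass others to test on copies.

# Print the first uncommented value of an sshd_config keyword (sshd uses the first match).
sshd_value() {  # $1 = keyword, $2 = config file
    awk -v k="$1" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

# Succeed if an uncommented "auth required pam_google_authenticator.so" line exists.
pam_2fa_enabled() {  # $1 = PAM service file
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1"
}

# Return 0 only if both settings are explicitly present; print what is missing.
check_2fa() {  # $1 = sshd_config, $2 = pam.d/sshd
    conf=${1:-/etc/ssh/sshd_config}
    pam=${2:-/etc/pam.d/sshd}
    rc=0
    cr=$(sshd_value ChallengeResponseAuthentication "$conf")
    # Assumption: fall back to the newer option name when the old one is absent.
    [ -n "$cr" ] || cr=$(sshd_value KbdInteractiveAuthentication "$conf")
    if [ "$cr" != "yes" ]; then
        echo "FAIL: challenge-response is '${cr:-unset}' in $conf"; rc=1
    fi
    if ! pam_2fa_enabled "$pam"; then
        echo "FAIL: pam_google_authenticator.so missing or commented out in $pam"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: 2FA settings present in $conf and $pam"
    return "$rc"
}
```

Source the file and call check_2fa with no arguments to check the live configuration, for example after an SFTP session that used the workaround.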