This guide will take you through the process of adding two-factor authentication to your Raspberry Pi, or to a similar Debian-based Linux system (the package name and the PAM file layout below are Debian's).
Here’s how to secure SSH login on your Raspberry Pi with 2FA, step by step.
Log in to your Raspberry Pi and give it a quick update first:
sudo apt update && sudo apt upgrade
For starters, we need to install the PAM module we’ll be using:
sudo apt install libpam-google-authenticator
The install itself asks nothing. The questions come when you run the setup tool, as the user who will be logging in over SSH (not with sudo, because it writes into that user’s home directory):
google-authenticator
The first question: Do you want authentication tokens to be time-based? Yes. That gives you TOTP codes that change every 30 seconds, which is what the mobile apps expect.
Now you see a secret key and a QR code; one of these has to go into a 2FA (TOTP) mobile application. There are a bunch of apps that can do this. Just pick the one you like or trust the most.
I use the 2FA app by LastPass – it’s simply named “Authenticator”. But you can use the apps made by Microsoft or Google, or the one named Authy, for example.
Scan the QR code with the 2FA mobile application of your choosing (or type the secret key in by hand if you can’t scan it).
Then enter the six-digit code the app is currently showing at the prompt in your terminal. This confirms that the app and the Pi share the same secret before anything is saved.
Next you’ll see your emergency scratch codes – put them somewhere secret and safe. Each one works exactly once, and they will save your butt if your phone gets lost or damaged.
I repeat: save them somewhere safe, where you can find them later, if and when needed.
Do I want to update the .google_authenticator file? Yes I do. This writes the secret, the scratch codes and the options that follow into ~/.google_authenticator for your user. Every account that logs in over SSH needs its own file, so repeat this enrollment for each such user before you finish the setup.
Do I want to disallow multiple uses of the same authentication token? Yes I do. A code can then be used only once, so someone who shoulder-surfs or captures it can’t replay it during its 30-second window.
The next question is pretty long but self-explanatory: by default the Pi accepts the current code plus the one before and the one after it (a window of 3 codes, about 30 seconds of clock skew). Answering Yes widens that to 17 codes (up to about 4 minutes of skew). The Pi has no real-time clock and sets its time over NTP, so as long as that works, put in No like me. If your clock drifts, fix the time sync rather than widening the window.
The next question is about protecting your rpi login against brute-force attacks – yes, we want to enable rate limiting. With it, an attacker gets no more than 3 login attempts every 30 seconds.
Now for the PAM and SSH settings.
Edit this file: /etc/pam.d/sshd
sudo nano /etc/pam.d/sshd
Comment out this line. It is what prompts for the account password; with it gone, the keyboard-interactive step asks only for the verification code, and your SSH key does the rest:
#@include common-auth
Scroll to the bottom of the file and add this line, which makes a valid code mandatory:
auth required pam_google_authenticator.so
Note that required means a user with no ~/.google_authenticator file can no longer log in, so enroll every SSH user first. (The module has a nullok option that waives the code for un-enrolled users; it defeats the purpose on a box you want protected.)
Next, configure the SSH daemon:
sudo nano /etc/ssh/sshd_config
We need to tell SSH that we authenticate with our SSH key and then type in a code from the 2FA mobile app. Make sure PAM is enabled in this file (the UsePAM setting, which Debian ships as yes) and allow challenge-response prompts:
ChallengeResponseAuthentication yes
(On OpenSSH 8.7 and newer this option is called KbdInteractiveAuthentication; the old name still works as an alias.)
Add this line to the end of the file. It requires both methods, in that order, for every login, which also rules out plain password logins:
AuthenticationMethods publickey,keyboard-interactive
Restart the SSH daemon so the changes take effect. Keep your current SSH session open and test the new login from a second terminal; if something is wrong you can still fix it from the session that is already in. (On Raspberry Pi OS the unit is really called ssh; sshd is an alias and works too.)
sudo systemctl restart sshd
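As an added example (not part of the original tutorial), here is a POSIX shell script that applies the PAM and sshd edits from the steps above in one go, checks that the new sshd_config parses before restarting, and warns about users who have not enrolled and would be locked out. Assumptions: Debian-style paths (/etc/pam.d/sshd, /etc/ssh/sshd_config, /usr/sbin/sshd), no Match blocks in sshd_config, home directories under /home, and systemd's ssh unit. It also sets PasswordAuthentication no, which the steps above leave implicit.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Applies the key + TOTP
# setup idempotently. Assumes Debian paths and the systemd "ssh" unit.
# Usage: sudo sh ssh-2fa.sh --apply
set -eu

PAM_SSHD=/etc/pam.d/sshd
SSHD_CONFIG=/etc/ssh/sshd_config

# Comment out '@include common-auth' (removes the PAM password prompt) and
# append the Google Authenticator line if it is not already there.
patch_pam_sshd() {
    f="$1"
    sed -i 's/^@include common-auth/#@include common-auth/' "$f"
    if ! grep -q '^auth required pam_google_authenticator.so' "$f"; then
        printf 'auth required pam_google_authenticator.so\n' >> "$f"
    fi
}

# Set KEY to VALUE in an sshd_config-style file: rewrite an existing
# (possibly commented-out) line for KEY, otherwise append one.
set_sshd_option() {
    f="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$f"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key[[:space:]].*|$key $value|" "$f"
    else
        printf '%s %s\n' "$key" "$value" >> "$f"
    fi
}

patch_sshd_config() {
    f="$1"
    set_sshd_option "$f" UsePAM yes
    # Pre-8.7 name; OpenSSH 8.7+ treats it as an alias of KbdInteractiveAuthentication.
    set_sshd_option "$f" ChallengeResponseAuthentication yes
    # Not in the tutorial's steps: implied by AuthenticationMethods, made explicit here.
    set_sshd_option "$f" PasswordAuthentication no
    set_sshd_option "$f" AuthenticationMethods publickey,keyboard-interactive
}

# Print each HOME directory given that has no .google_authenticator file.
# Once the module is 'required', such a user can no longer log in over SSH.
list_unenrolled() {
    for h in "$@"; do
        [ -d "$h" ] || continue
        [ -f "$h/.google_authenticator" ] || echo "$h"
    done
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    cp -p "$PAM_SSHD" "$PAM_SSHD.bak"
    cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
    patch_pam_sshd "$PAM_SSHD"
    patch_sshd_config "$SSHD_CONFIG"

    missing=$(list_unenrolled /home/*)
    [ -z "$missing" ] || echo "WARNING: not enrolled in TOTP, will be locked out: $missing" >&2

    # sshd -t parses the config without starting a daemon; a typo would
    # otherwise leave you with a service that refuses to restart.
    if /usr/sbin/sshd -t; then
        systemctl restart ssh
        # Effective values after any Include'd drop-in files are merged; a
        # drop-in listed earlier in the file wins over our appended lines.
        /usr/sbin/sshd -T | grep -Ei '^(authenticationmethods|kbdinteractiveauthentication|challengeresponseauthentication|passwordauthentication|usepam) '
    else
        echo "sshd_config invalid; restoring backup" >&2
        cp -p "$SSHD_CONFIG.bak" "$SSHD_CONFIG"
        exit 1
    fi
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

Run it from a session that is already logged in, then open a second terminal and confirm you are asked for the key first and the verification code second. If the sshd -T output at the end shows passwordauthentication yes or a different authenticationmethods value, a file under /etc/ssh/sshd_config.d/ is overriding you and needs the same edits.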
If you followed my previous tutorials, our login procedure now consists of an SSH key safely stored on our computer and a time-based verification code from our mobile app. Password-only logins are gone.
So that’s 2-factor authentication for Raspberry Pi’s SSH. Hope it helped!
You should feel at least a little bit safer about your rpi. If you do, please subscribe to my channel.