Dropbear: two-factor option

The "Enable two-factor authentication" (-t) option is not available in /etc/config/dropbear. Is there a reason for this? It should be fairly easy to add the corresponding two lines in /etc/init.d/dropbear:

validate_section_dropbear()

TwoFactorAuthentication:bool:0 \

and

dropbear_instance()

[ "${TwoFactorAuthentication}" -eq 1 ] && procd_append_param command -t

Is it enabled/compiled in ?

Yes. I tested it.

We have to be careful though: Options -t (two-factor authentication) and -g (Disable password logins for root) are not flagged as incompatible by dropbear. But the root user will not be able to log in if both are active at the same time.

The options -s (Disable password logins) and -t are incompatible. Dropbear won't start. This can also lead to the user being locked out on subsequent login attempts.

Hence the options -t, -s and -g in dropbear_instance() will have to be appropriately checked before applying them. We will also have to decide which one has precedence.

Those seem like two compelling reasons.

As a long-time follower of the forum, it's highly likely a user would do one of the two things above, and proceed to blame the community that the developers made it possible.

These lockout risks can easily be avoided by appropriately prioritizing the options in the dropbear_instance() function and updating the documentation page.

For example, if we prioritize two-factor authentication:

if [ "${TwoFactorAuthentication}" -eq 1 ]
then
    procd_append_param command -t
else
    [ "${PasswordAuth}" -eq 0 ] && procd_append_param command -s
    [ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g
fi

Also, presently, the user can already choose the option RootLogin=0 (-w in dropbear) and lock him/herself out.

Coming back to the original question.
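The precedence logic proposed above, written as a stand-alone example (added here, not code from the OpenWrt init script); it builds the auth flags from the config values and separately reports the raw combinations that would lock root out. TwoFactorAuthentication is the proposed option name, not an existing one:

```sh
#!/bin/sh
# Added example: derive dropbear authentication flags from
# /etc/config/dropbear style values, giving the proposed (hypothetical)
# TwoFactorAuthentication option precedence over -s and -g.

# Usage: dropbear_auth_args TWOFACTOR PASSWORDAUTH ROOTPASSWORDAUTH
# Prints the flags that would be appended to the dropbear command line.
dropbear_auth_args() {
    tfa=${1:-0}; pw=${2:-1}; rootpw=${3:-1}
    args=""
    if [ "$tfa" -eq 1 ]; then
        # -t requires key AND password; -s/-g would contradict it
        args="-t"
    else
        [ "$pw" -eq 0 ] && args="$args -s"
        [ "$rootpw" -eq 0 ] && args="$args -g"
    fi
    # strip the leading space left by the first append
    printf '%s' "${args# }"
}

# Returns 0 when the unprioritised combination is safe, 1 when it
# would keep root out (-t together with -s or -g, as described above).
dropbear_auth_check() {
    tfa=${1:-0}; pw=${2:-1}; rootpw=${3:-1}
    if [ "$tfa" -eq 1 ] && { [ "$pw" -eq 0 ] || [ "$rootpw" -eq 0 ]; }; then
        echo "warning: -t with -s/-g locks root out; -s/-g ignored" >&2
        return 1
    fi
    return 0
}
```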

Because it doesn't work?
dropbear can't rely on working internet access, correct system time (battery backed RTCs are on almost zero routers) or physical system input (think keyboard), so how do you imagine 2FA to work?

I had also never heard of dropbear having 2FA, but it turns out to be a poor man's 2FA: you simply have to also enter the user's password in addition to having the private key. No thanks.

This is not TOTP FA. It is password + private key as mentioned by dave14305.

OpenSSH server has the option AuthenticationMethods. It is possible to choose "publickey,password" as parameters which does exactly the same as the -t option in dropbear.

Given that the publickey,password option exists in dropbear, I suggest adding a configuration parameter, like TwoFactorAuthorization (to go with the dropbear wording), to dropbear.

If there are no objections to this from the OpenWrt developer community, I am offering to take care of it, including the documentation on the Dropbear configuration page.

But please don't mind me asking: if "proper" 2FA/FIDO2 is needed, then why not use full-blown OpenSSH instead?