Google 2FA not working

Hi, I have recently installed OpenWrt on my 3200 ACM router. However, after performing all the necessary steps listed in the forum, I am still able to access my router without 2FA. I was wondering if anyone could let me know what step I have missed.

Thanks & Regards,


2FA is not a default thing on OpenWrt. Did you install any packages to try to set that up? If so, what did you install and what steps did you take to configure 2FA?


Hi psherman,

I followed the steps shared on the forum.

So you mean that you are trying to use the google-authenticator package?

Hi Hnyman,

Absolutely correct

Config should be provided as "/root/.google_authenticator" and is not persistent across reboots. I might be able to post my scripts tomorrow.

To be clear, this only secures ssh. The LuCI web interface is not changed.

And there is also a parameter for skipping 2FA if the connection originates from the lan. Make sure that is set properly.

I agree, but my SSH is still not asking for 2FA. I have changed the parameter inside /etc/pam.d/sshd so that even on a LAN connection it should ask for 2FA.

Sure, please do.

Alright, here is my /etc/pam.d/sshd file:

# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required

# Skip Google Authenticator if logging in from the local network.
# auth [success=1 default=ignore] accessfile=/etc/security/access-sshd-local.conf
# Google Authenticator 2-step verification.
#auth       required
auth       required    /usr/lib/security/ nullok

# Standard Un*x authentication.
auth       include      common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account    required

# Standard Un*x authorization.
account    include      common-account

# Standard Un*x session setup and teardown.
session    include      common-session

# Print the message of the day upon successful login.
session    optional

# Print the status of the user's mailbox upon successful login.
session    optional standard noenv

# Set up user limits from /etc/security/limits.conf.
session    required

# Set up SELinux capabilities (need modified pam)
# session    required multiple

# Standard Un*x password updating.
password   include      common-password
#auth required nullok

After generating the .google_authenticator file, I've moved it to /etc/config/google_authenticator, then I've added this to /etc/rc.local:

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
cp /etc/config/google_authenticator /tmp
ln -s /tmp/google_authenticator /root/.google_authenticator
exit 0

My /etc/ssh/sshd_config:

Port 2000
# ^ change this according to your needs
#UsePrivilegeSeparation no
UsePAM yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
Subsystem sftp /usr/libexec/sftp-server
AuthorizedKeysFile     /etc/dropbear/authorized_keys

I'd guess that should cover it - for me it worked
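
Added example, not written by any poster in this thread: a POSIX shell function that audits the three files posted above for the settings that let an SSH login finish without a code prompt (nullok, the LAN skip rule, UsePAM, ChallengeResponseAuthentication, the secret file). The function names, the pam_google_authenticator.so module name and the AuthenticationMethods check are assumptions added here and do not appear in the posts.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the files discussed above for
# settings that let an SSH login finish without a verification code.
# Usage: audit_2fa PAM_FILE SSHD_CONFIG SECRET_FILE
# Prints one line per finding; the return status is the number of findings.

# Print only the active (non-comment, non-blank) lines of a file.
active() { grep -Ev '^[[:space:]]*(#|$)' "$1"; }

note() { echo "FINDING: $*"; n=$((n + 1)); }

audit_2fa() {
    pam=$1 sshd=$2 secret=$3 n=0
    mod='pam_google_authenticator\.so'   # assumed module file name

    if ! active "$pam" | grep -q "$mod"; then
        note "$pam: no active pam_google_authenticator.so line"
    elif active "$pam" | grep "$mod" |
            grep -Eq '(^|[[:space:]])nullok([[:space:]]|$)'; then
        # nullok: accounts whose secret file is absent are not challenged
        note "$pam: nullok is set, a missing secret file skips 2FA"
    fi

    # An uncommented access-file skip rule exempts the networks it lists.
    if active "$pam" | grep -q 'accessfile='; then
        note "$pam: skip rule is active, listed networks bypass 2FA"
    fi

    # sshd has to use PAM and offer the challenge-response prompt.
    for key in UsePAM ChallengeResponseAuthentication; do
        active "$sshd" | grep -Eqi "^[[:space:]]*$key[[:space:]]+yes" ||
            note "$sshd: $key is not explicitly set to yes"
    done

    # Public-key logins do not run the PAM auth stack unless sshd is told
    # to require keyboard-interactive as an additional method.
    active "$sshd" | grep -Eqi \
        '^[[:space:]]*AuthenticationMethods[[:space:]].*keyboard-interactive' ||
        note "$sshd: AuthenticationMethods does not require keyboard-interactive"

    # rc.local rebuilds this file at boot; -s follows the symlink and
    # fails on a dangling link or an empty file.
    [ -s "$secret" ] || note "$secret: missing or empty"

    return "$n"
}
```

On the router it would be called as audit_2fa /etc/pam.d/sshd /etc/ssh/sshd_config /root/.google_authenticator, after a reboot so the rc.local copy step is exercised too.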

Thanks Maurer, will check the same & let you know.