Hi, I have recently installed OpenWrt on my 3200 ACM router. However after performing all the necessary steps listed in the forum. I am still able to access my router without 2FA. Was wondering if anyone would let me know what step I have missed out.
2FA is not a default thing on OpenWrt. Did you install any packages to try to set that up? If so, what did you install and what steps did you take to configure 2FA?
# PAM configuration for the Secure Shell service
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so
# Skip Google Authenticator if logging in from the local network.
# auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access- sshd-local.conf
# Google Authenticator 2-step verification.
#auth required pam_google_authenticator.so
auth required /usr/lib/security/pam_google_authenticator.so nullok
# Standard Un*x authentication.
auth include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
account include common-account
# Standard Un*x session setup and teardown.
session include common-session
# Print the message of the day upon successful login.
session optional pam_motd.so
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple
# Standard Un*x password updating.
password include common-password
#auth required pam_google_authenticator.so nullok
after generating .google_authenticator file I've moved it to /etc/config/google_authenticator then t've added to /etc/rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
cp /etc/config/google_authenticator /tmp
ln -s /tmp/google_authenticator /root/.google_authenticator
exit 0
my /etc/ssh/sshd_config
Port 2000
# ^ change this according to your needs
#UsePrivilegeSeparation no
UsePAM yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
Subsystem sftp /usr/libexec/sftp-server
AuthorizedKeysFile /etc/dropbear/authorized_keys