Hi, I have recently installed OpenWrt on my 3200 ACM router. However after performing all the necessary steps listed in the forum. I am still able to access my router without 2FA. Was wondering if anyone would let me know what step I have missed out.
Thanks & Regards,
MW
2FA is not a default thing on OpenWrt. Did you install any packages to try to set that up? If so, what did you install and what steps did you take to configure 2FA?
Hi psherman,
I followed the steps shared on the forum. https://openwrt.org/docs/guide-user/services/ssh/ssh.mfa.auth
So you mean that you are trying to use the google-authenticator package?
Hi Hnyman,
Absolutely correct
Config should be provided as "/root/.google_authenticator" and is not persistent across reboots. I might be able to post my scripts tomorrow
To be clear, this only secures ssh. The LuCI web interface is not changed.
And there is also a parameter for skipping 2FA if the connection originates from the lan. Make sure that is set properly.
I agree but my SSH is still not asking for 2FA, I have changed the parameter inside /etc/pam.d/sshd so that even on LAN connection it should ask 2FA
sure please do
alright here is my /etc/pam.d/sshd files
# PAM configuration for the Secure Shell service
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so
# Skip Google Authenticator if logging in from the local network.
# auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access- sshd-local.conf
# Google Authenticator 2-step verification.
#auth required pam_google_authenticator.so
auth required /usr/lib/security/pam_google_authenticator.so nullok
# Standard Un*x authentication.
auth include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
account include common-account
# Standard Un*x session setup and teardown.
session include common-session
# Print the message of the day upon successful login.
session optional pam_motd.so
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple
# Standard Un*x password updating.
password include common-password
#auth required pam_google_authenticator.so nullok
after generating .google_authenticator file I've moved it to /etc/config/google_authenticator then t've added to /etc/rc.local
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
cp /etc/config/google_authenticator /tmp
ln -s /tmp/google_authenticator /root/.google_authenticator
exit 0
my /etc/ssh/sshd_config
Port 2000
# ^ change this according to your needs
#UsePrivilegeSeparation no
UsePAM yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
Subsystem sftp /usr/libexec/sftp-server
AuthorizedKeysFile /etc/dropbear/authorized_keys
I'd guess that should cover it - for me it worked
Thanks Maurer will check the same & let you know.