MFA on Openwrt SSH & LuCi


#1

I'm curious if there are plans to add MultiFactor Authentication to LuCi like Google Authenticator and if it's already possible to do multifactor authentication when SSHing to openwrt router.

Thanks


Installing Google Authenticator for SSH, OpenConnect, OpenVPN?
#2

I would be surprised if dropbear can support MFA, but there are several articles on how to configure OpenSSH for MFA. As one example

Edit:

Running nginx (which is now a "LuCI option" on at least master) instead of uhttpd would probably be the first step to MFA for LuCI. There might be some good tidbits at


#3

Aside from handing over the keys to the castle to one of the big cloud providers sounds like a terrible idea to me personally, you do need to consider that you need to have access to your router most, whenever the internet is not accessible, so relying on any remote service for authentification of local devices is not a good choice (that also applies to basic commodities as heating, light, locks, etc.).


#4

https://openwrt.org/docs/guide-user/services/vpn/start


#5

Google Authenticator is simply one implementation of a common two factor authentication algorithm. It does not require the internet nor Google. It happens completely offline on the device doing the authentication (the router in this case) and the device generating the one-time-use keys (the phone).


#6

Problem is that one time token solutions also require exact system time which - in case the router has neither connectivity, nor RTC, nor GPS - is not available either.


#7

What would technically work (but you'd still have to invest a lot of work to implement it), would be either requiring to press a button (e.g. the largely unused WPS button) or USB based smartcard (rfid/ nfc --> libccid/ pcscd) readers or fingerprint readers (--> fprintd), just be aware that there's probably (almost) no infrastructure in place for that (there just is no full fledged PAM setup in place).