OpenWrt Forum Archive

Topic: Google Authenticator

The content of this topic has been archived on 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello everyone,

I've added the necessary patches to enable Google Authenticator with openssh-server.
Compiled packages for the ar71xx are also available on that link.

Enjoy!

Hello DkSoul,

If you are still alive, can you give more details about it? How to configure after installing the packages?

Thanks!

btw, This also works perfectly for VPN access. I am using OpenConnect (ocserv).
The only downside is that you have to compile the ocserv package yourself to include PAM support.

Once installed make sure you select PAM as authentication method in luci.
Create the file ocserv in /etc/pam.d/ and add the following contents;

# PAM configuration for the OpenConnect (ocserv) service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so

# Skip Google Authenticator if logging in from the local network.
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-sshd-local.conf
# Google Authenticator 2-step verification.
auth       requisite    pam_google_authenticator.so

# Standard Un*x authentication.
auth       include      common-auth

The link was not working, found the files at the 14.07 release. (until the package is included in the latest release)

p2baron wrote:

This is easy to setup.

I've just succesfully configured it on chaos calmer rc3.

Install openssh-pam via Luci
Download (and install) the google authenticator lib from (without https if needed)

http://downloads.openwrt.org/barrier_br … ar71xx.ipk

Follow these instructions:
https://www.digitalocean.com/community/ … entication

Don't forgot to change the port of dropbear-ssh before starting sshd.

regards, PP

Here is more info on dropbear http://wiki.openwrt.org/doc/uci/dropbear

vi /etc/config/dropbear
use INSERT key to edit, change port to something other than 22 if you like, then ESC and type ":write" and then ":quit"
and to reload the config, use "/etc/init.d/dropbear reload"

Its working for me!

Btw, you can run them together on the same port but not on the same interface.
I'm currently running Dropbear and Openssh together.
Openssh is bound to the wan interface and Dropbear to the lan interface. Both run on port 22. I did this because I've disabled root access on Openssh and it is too much hassle to use su every time I'm at home configuring openwrt.

(Last edited by p2baron on 8 Oct 2015, 15:47)

I can also confirm google authenticator works when installed from BB on CC,

p2baron don't suppose you would want to share those ocserv packages?

Thanks p2baron,

just installing the pam enabled ocserv package from the zip file worked,

OpenConnect with google authenticator verified working from Android(via mobile carrier) and Debian Box(though http proxy). Openssh all good also  :-)

Installed on my 'TP-Link TL-WR842N/ND v1' with 15.05

opkg install --force-downgrade ocserv_0.10.5-2_ar71xx.ipk

The discussion might have continued from here.