----------------------------------------
How I enabled Two-factor authentication (2FA) on Alpine Linux sshd
March 16th, 2021
----------------------------------------
=> I noticed that the "Two Factors [sic] Authentication With OpenSSH"
entry on the Alpine Linux wiki seems to actually only enable one factor
authentication, namely google authenticator... (or pubkey)

That's great and all, but I really like my old school password, and I do
like 2FA, so here's what I did to get OpenSSH to ask for both
google-authenticator code and password:

First off, install the google authenticator package and the PAM-enabled
version of OpenSSH (no need to uninstall the old version). On Alpine this
is done with:

    apk add google-authenticator openssh-server-pam

Now edit your /etc/ssh/sshd_config file. There are four directives which
need to be altered:

    PasswordAuthentication no
    AuthenticationMethods keyboard-interactive
    ChallengeResponseAuthentication yes
    UsePAM yes

=> Please read up on the AuthenticationMethods directive if you want to
use public key authentication.

Now you will need to edit/create the /etc/pam.d/sshd file, which does not
exist by default on Alpine. It needs the following six lines (yes, one is
empty):

    account include base-account

    auth required pam_env.so
    auth required pam_nologin.so successok
    auth required /lib/security/pam_google_authenticator.so
    auth required pam_unix.so md5 sha512

Now you will want to run google-authenticator on every account on your
system which you'd like to allow ssh access to. For the first two
questions that google-authenticator asks, you'll want to respond with yes.
For the remaining questions, respond with your personal preference.

Finally, you will want to run "service sshd reload" to apply the
changes... If you are logged into your system remotely, make damn sure
that the command succeeds, and also open an additional terminal (don't
close the one you're currently using) and attempt an additional login to
your system.

Both the google authenticator PAM module and OpenSSH log to
/var/log/messages on Alpine, and troubleshooting them is typically not
very difficult.

I hope someone else finds this useful. Good luck!

p.s. The google authenticator PAM module supports some cool options
=> check them out on github for more information!
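
As an added example (not part of the original post), this shell function audits the two files edited above: it checks the four sshd_config directives, checks that both PAM modules are "required", and flags nullok, a pam_google_authenticator option that lets accounts without an enrolled secret log in without a code. It assumes no Match blocks; the function names and sample files are constructed for illustration.

```shell
# Added example (not from the original post): check that sshd and PAM demand
# BOTH factors. Assumes no Match blocks and the post's directive names.

# Print the first value set for keyword $2 in sshd_config $1 (sshd uses the
# first occurrence of a keyword; keywords are case-insensitive).
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) {
        $1 = ""; sub(/^ +/, ""); print tolower($0); exit }' "$1"
}

# Succeed if module $2 is in the auth stack of PAM file $1 as "required".
pam_required() {
    awk -v m="$2" '$1 == "auth" && $2 == "required" && $3 ~ (m "$") { f = 1 }
        END { exit !f }' "$1"
}

# check_2fa SSHD_CONFIG PAM_FILE: print each problem, return 0 only if none.
check_2fa() {
    cfg=$1 pam=$2 bad=0
    for want in "passwordauthentication no" \
                "authenticationmethods keyboard-interactive" \
                "challengeresponseauthentication yes" "usepam yes"; do
        key=${want%% *} val=${want#* }
        got=$(sshd_value "$cfg" "$key")
        [ "$got" = "$val" ] || { echo "sshd: $key='${got:-unset}', want '$val'"; bad=1; }
    done
    for mod in pam_google_authenticator.so pam_unix.so; do
        pam_required "$pam" "$mod" || { echo "pam: $mod not 'auth required'"; bad=1; }
    done
    # nullok lets an account with no enrolled secret skip the code prompt
    if grep -Eq '^[[:space:]]*auth.*pam_google_authenticator\.so.*nullok' "$pam"; then
        echo "pam: nullok set on pam_google_authenticator.so"; bad=1
    fi
    return $bad
}

# Constructed sample input: the settings from the post, written into dir $1.
make_sample() {
    printf '%s\n' 'PasswordAuthentication no' \
        'AuthenticationMethods keyboard-interactive' \
        'ChallengeResponseAuthentication yes' 'UsePAM yes' > "$1/sshd_config"
    printf '%s\n' 'account include base-account' '' 'auth required pam_env.so' \
        'auth required pam_nologin.so successok' \
        'auth required /lib/security/pam_google_authenticator.so' \
        'auth required pam_unix.so md5 sha512' > "$1/sshd"
}

d=$(mktemp -d) && make_sample "$d" &&
    check_2fa "$d/sshd_config" "$d/sshd" && echo "both factors enforced"
rm -rf "$d"
```

On a real host, run it as check_2fa /etc/ssh/sshd_config /etc/pam.d/sshd before reloading sshd.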
----------------------------------------