----------------------------------------
       How I enabled Two-factor authentication (2FA) on Alpine Linux sshd
       March 16th, 2021
       ----------------------------------------
       
       I noticed that the "Two Factors [sic] Authentication With OpenSSH"
       entry on the Alpine Linux wiki seems to actually only enable one-factor
       authentication, namely google authenticator... (or pubkey).
       
       That's great and all, but I really like my old school password, and I
       do like 2FA, so here's what I did to get OpenSSH to ask for both
       google-authenticator code and password:
       
       
       First off, install the google authenticator package and the
       PAM-enabled version of OpenSSH (no need to uninstall the old version).
       On Alpine this is done with:
       apk add google-authenticator openssh-server-pam
       
       Now edit your /etc/ssh/sshd_config file. There are four directives
       which need to be altered:
       PasswordAuthentication no
       AuthenticationMethods keyboard-interactive
       ChallengeResponseAuthentication yes
       UsePAM yes
       
       Please read up on the AuthenticationMethods directive if you want to
       use public key authentication.
       
       Now you will need to edit/create the /etc/pam.d/sshd file, which does
       not exist by default on Alpine. It needs the following six lines (yes,
       one is empty):
       account     include      base-account
       
       auth        required     pam_env.so
       auth        required     pam_nologin.so     successok
       auth        required     /lib/security/pam_google_authenticator.so
       auth        required     pam_unix.so        md5 sha512
       
       Now, you will want to run google-authenticator on every account on
       your system which you'd like to allow ssh access to.
       For the first two questions that google-authenticator asks, you'll
       want to respond with yes. For the remaining questions, respond with
       your personal preference.
       
       Finally you will want to run "service sshd reload" to apply the
       changes... If you are logged into your system remotely, make damn sure
       that the command succeeds, and also open an additional terminal (don't
       close the one you're currently using) and attempt an additional login
       to your system. Both the google authenticator PAM module and OpenSSH
       log to /var/log/messages on Alpine, and troubleshooting them is
       typically not very difficult.
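
       A way to audit the two files from the steps above before reloading
       sshd, as an added example that is not part of the original post: it
       checks the four sshd_config directives and that both PAM modules are
       stacked as required auth lines. The function names and the sample
       files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config and a PAM sshd file for the
# password + TOTP setup above. Function names are hypothetical.

# First value given for a keyword (sshd uses the first occurrence and
# keywords are case-insensitive). Match blocks are not interpreted.
sshd_value() {
    awk -v key="$2" 'tolower($1) == key { print tolower($2); exit }' "$1"
}

# Succeed only if the module is stacked as a required/requisite auth line.
pam_auth_enforced() {
    awk -v mod="$2" '
        $1 == "auth" && $2 ~ /^(required|requisite)$/ && index($3, mod) { ok = 1 }
        END { exit !ok }' "$1"
}

check_2fa() {   # usage: check_2fa SSHD_CONFIG PAM_FILE
    rc=0
    for pair in passwordauthentication=no usepam=yes \
                authenticationmethods=keyboard-interactive \
                challengeresponseauthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "sshd_config: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    for mod in pam_google_authenticator.so pam_unix.so; do
        if ! pam_auth_enforced "$2" "$mod"; then
            echo "pam: $mod is not a required auth module"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the four directives from the page, and a PAM stack
# that only asks for the code (pam_unix.so missing), i.e. one factor.
tmp=$(mktemp -d)
printf '%s\n' 'PasswordAuthentication no' 'UsePAM yes' \
    'AuthenticationMethods keyboard-interactive' \
    'ChallengeResponseAuthentication yes' > "$tmp/sshd_config"
printf '%s\n' 'auth required pam_env.so' \
    'auth required /lib/security/pam_google_authenticator.so' > "$tmp/pam_weak"
check_2fa "$tmp/sshd_config" "$tmp/pam_weak" || echo "audit failed as expected"
rm -rf "$tmp"
```

       On the real system, run check_2fa /etc/ssh/sshd_config /etc/pam.d/sshd;
       a non-zero exit means the files differ from the setup described above.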
       
       I hope someone else finds this useful.  Good luck!
       
       p.s. The google authenticator PAM module supports some cool options;
       check them out on GitHub for more information!
       ----------------------------------------