How to Set Up Two-Factor Authentication on a Raspberry Pi

A Raspberry Pi sitting on a laptop keyboard.Kiklas / Shutterstock

The Raspberry Pi is everywhere now, which is why it has caught the attention of threat actors and cybercriminals. We will show you how to secure your Pi with two-factor authentication.

The incredible Raspberry Pi

the Raspberry pie is a single board computer. It was launched in the UK in 2012 with the aim of getting children to tinker, create and learn code. The original form factor was a card the size of a credit card, powered by a phone charger.

It provides HDMI output, USB ports, network connectivity and runs Linux. Subsequent additions to the range included even smaller versions designed to be incorporated into products or to function as headless systems. Prices range from $ 5 for the minimalist Pi Zero, at $ 75 for the Pi 4 B / 8 GB.

His success has been incredible; more than 30 million of these small computers have been sold worldwide. Fans have done incredible and inspiring things with them, including a float at the edge of space and back on a balloon.

Unfortunately, once a computer platform is widespread enough, it inevitably attracts the attention of cybercriminals. It’s terrible to think of the number of Pi’s that use the default user account and password. If your Pi is accessible to the public and accessible from the Internet by Protective cover (SSH), it must be secure.

Even if you don’t have precious data or software on your Pi, you should protect it because your Pi is not the real target, it’s just a way to access your network. Once a threat actor has gained a foothold in a network, it pivots to the other devices that really interest it.

Two-factor authentication

Authentication – or access to a system – requires one or more factors. The factors are classified as follows:

Something you know: Like a password or a phrase.
Something you have: Like a cell phone, a physical token, or a dongle.
Something you are: Biometric reading, such as a fingerprint or retinal scan.

Multifactor authentication (MFA) requires a password and one or more items from the other categories. For our example, we will use a password and a cell phone. The cell phone will run a Google authentication application and the Pi will run a Google authentication module.

A mobile phone application is linked to your Pi by scanning a QR code. This transmits certain starting information to your cell phone from the Pi, ensuring that their number generation algorithms produce the same codes simultaneously. Codes are called one-time passwords (TOTP).

When it receives a connection request, your Pi generates a code. You use the authentication application on your phone to see the current code, then your Pi will ask for your password and authentication code. Your password and TOTP must be correct before you can log in.

Pi configuration

If you typically use SSH on your Pi, it’s probably a headless system, so we’ll configure it over an SSH connection.

It is safer to establish two SSH connections: one to perform configuration and testing, and the other to serve as a safety net. That way, if you lock yourself out of your Pi, you will still have the second active SSH connection active. Changing the SSH settings will not affect a connection in progress. You can therefore use the second to cancel the modifications and remedy the situation.

If the worst happens and you are completely locked via SSH, you can still connect your Pi to a monitor, keyboard and mouse, and then connect to a regular session. In other words, you can still connect, as long as your Pi can control a monitor. Otherwise, you really need to keep the SSH connection of the safety net open until you have verified that two-factor authentication works.

The ultimate penalty, of course, is to reflash the operating system on the Pi’s micro SD card, but let’s try to avoid that.

First, we need to establish our two connections to the Pi. The two commands take the following form:

ssh pi@watchdog.local

ssh pi@watchdog.local in a terminal window.

The name of this Pi is “watchdog”, but you will have to type your name instead. If you changed the default username, use it too; ours is “pi”.

Remember, for security reasons, type this command twice in different terminal windows in order to have two connections to your Pi. Then, minimize one of them, so that it is not hampered and is not accidentally closed.

Once connected, you will see the welcome message. The prompt will display the user name (in this case, “pi”) and the name of the Pi (in this case, “watchdog”).

An SSH connection to a Raspberry Pi in a terminal window.

You must edit the “sshd_config” file. We will do this in the nano text editor:

sudo nano / etc / ssh / sshd_config

sudo nano / etc / ssh / sshd_config in a terminal window.

Scroll through the file until you see the following line:

ChallengeResponseAuthentication no

Replace the “no” with “yes”.

Sshd_config file opened in the nano editor with the ChallengeResponseAuthentication line highlighted, in a terminal window.

Press Ctrl + O to save your changes to nano, then press Ctrl + X to close the file. Use the following command to restart the SSH daemon:

sudo systemctl restart ssh

sudo systemctl restart ssh in a terminal window.

You must install the Google authenticator, which is a Pluggable authentication module (PAM) library. The application (SSH) will call the Linux PAM interface and the interface will find the appropriate PAM module to respond to the type of authentication requested.

Type the following:

sudo apt-get install libpam-google-Authenticator

sudo apt-get installs libpam-google-authentifier in a terminal window.

Install the app

The Google Authenticator app is available for iPhone and Android, you just need to install the appropriate version for your mobile phone. You can also use Authy and other applications that support this type of authentication code.

Google Authenticator app icon on an Android cell phone.

Configuring two-factor authentication

In the account you will use when you connect to the Pi via SSH, run the following command (do not include the prefix sudo):

Google authenticator

You will be asked if you want the authentication tokens to be time-based; press Y, then press Enter.

A Quick response The code (QR) is generated, but it is scrambled because it is wider than the terminal window with 80 columns. Slide the larger window to see the code.

You will also see security codes below the QR code. These are written to a file called “.google_authenticator”, but you may want to make a copy now. If you lose the possibility of obtaining a TOTP (if you lose your mobile phone, for example), you can use these codes to authenticate yourself.

You must answer four questions, the first of which is:

Do you want me to update your “/home/pi/.google_authenticator” file? (we)

Press Y, then press Enter.

The next question asks if you want to prevent multiple uses of the same code in a 30-second window.

Press Y, then press Enter.

Do you want to prohibit multiple uses of the same authentication token? (y / n) in a terminal window.

The third question asks if you want to widen the window for accepting TOTP tokens.

Press N in response to this, then press Enter.

Do you want to do it? (y / n) in a terminal window.

The last question is: “Do you want to activate the speed limitation?”

Type Y, then press Enter.

Do you want to activate the speed limitation? (y / n) in a terminal window.

You return to the command prompt. If necessary, drag the larger terminal window and / or scroll up in the terminal window to see the full QR code.

On your mobile phone, open the authentication application, then tap the plus sign (+) at the bottom right of the screen. Select “Scan a QR code”, then scan the QR code in the terminal window.

A new entry will appear in the authentication application named after the Pi’s host name, and a six-digit TOTP code will be listed below. It is displayed as two groups of three digits for easy reading, but you must enter it as a six-digit number.

An animated circle next to the code indicates how long the code will be valid: a full circle means 30 seconds, a semi-circle means 15 seconds, etc.

Tie everything together

We have one more file to modify. We need to tell SSH which PAM authentication module to use:

sudo nano /etc/pam.d/sshd

sudo nano /etc/pam.d/sshd in a terminal window.

Type the following lines near the top of the file:

# 2FA

authentication required pam_google_authenticator.so

auth required pam_google_authenticator.so added to the sshd file in an editor, in a terminal window.

You can also choose when you want to be asked for the TOTP:

After entering your password: Type the preceding lines under “@include common-auth”, as shown in the image above.
Before asking you for your password: Type the preceding lines above “@include common-auth”.

Note the underscores (_) used in “pam_google_authenticator.so”, rather than the dashes (-) that we used previously with the apt-get command to install the module.

Press Ctrl + O to write the changes to the file, then press Ctrl + X to close the editor. We have to restart SSH one last time, then we’re done:

sudo systemctl restart ssh

sudo systemctl restart ssh in a terminal window.

Close this SSH connection, but let the other SSH safety net connection work until we have verified this next step.

Make sure the authentication application is open and ready on your mobile phone, then open a new SSH connection to the Pi:

ssh pi@watchdog.local

ssh pi@watchdog.local in a terminal window.

You will be asked for your password, then the code. Enter your mobile phone code without spaces between the numbers. Like your password, it does not echo on the screen.

If everything goes as planned, you should be allowed to connect to the Pi; otherwise, use your SSH safety net connection to review the previous steps.

Better safer than sorry

Have you noticed the “r” in “safer” above?

Indeed, you are now safer than you were before when you connect to a Raspberry Pi, but nothing is ever 100% sure. There are ways to bypass two-factor authentication. These are based on social engineering, the man in the middle and man attacks in the end, SIM exchange, and other advanced techniques which, of course, we will not describe here.

So why bother with all this if it is not perfect? Well, for the same reason that you lock your front door when you leave, even if there are people who can choose locks – most can’t.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.