Enabling two-factor authentication (2FA) to enhance the security of your important accounts is becoming more and more common these days. However, you might be surprised to learn that you can do the same with Raspberry Pi. You can enable 2FA on Raspberry Pi, and you will then be prompted to enter a verification code when accessing it remotely via Secure Shell (SSH).
Access to your Raspberry Pi through SSH
Many people use Raspberry Pi at home as a file or media server. This has become quite common with
However, it is also quite common to set up your server so that you can access your files when you are away from home, making your Raspberry Pi available from the Internet.
Most of us don’t intend to leave home often yet, but if you took the time right now to build a file server, you may want to consider adding extra security. If you’re going to make the server available from the Internet, you’ll probably want to enable two-factor authentication (2FA) using a one-time
What is two-factor authentication?
Two-factor authentication is an additional level of protection. In addition to the password, “something you know”, you will need another piece of information to log in. This second factor will be based either on “what you have”, like a smartphone, or on “what you are”, like biometric information.
We are going to use “what you have”, with your smartphone as the second factor protecting your Raspberry Pi.
Operating System Upgrade
The first thing you need to do is make sure that your Raspberry Pi is installed
$ sudo apt-get update
$ sudo apt-get full-upgrade
However, if this is the first time you take your Raspberry Pi out of a box, you may want to install a new copy of Raspbian
Enable Secure Shell
In Raspbian, the SSH server
The easiest way to enable SSH is from your desktop. Go to the Raspbian menu and select “Settings> Raspberry Pi Configuration”. Then select the “Interfaces” tab and click the switch to enable SSH, then click “OK”.
You can also turn it on from the command line using systemctl:
$ sudo systemctl enable ssh
$ sudo systemctl start ssh
You can also enable SSH with
Then we need to tell the SSH daemon to enable “challenge-response” passwords. Go ahead and open the SSH configuration file:
$ sudo nano /etc/ssh/sshd_config
Enable challenge-response by changing ChallengeResponseAuthentication from the default “no” to “yes”.
Editing /etc/ssh/sshd_config.
Then restart the SSH daemon:
$ sudo systemctl reload ssh
It is a good idea to open a terminal on your laptop at this stage and make sure that you can still connect to Raspberry Pi via SSH, although you will not yet be prompted to enter the 2FA code.
Setup Two-Factor Authentication
The first thing you need to do is install on your phone an application that will generate TOTP codes. One of the most frequently used is Google Authenticator. It is available for
Google Authenticator in the App Store.
$ sudo apt install libpam-google-authenticator
Now we have two-factor authentication installed on both our phone and Raspberry Pi, and we are ready to start configuring it.
Two Factor Authentication Configuration
Now you should launch Google Authenticator from the command line, without using sudo, on your Raspberry Pi in order to generate a QR code:
After that you will probably have to resize the terminal window so that the QR code is displayed correctly. Unfortunately, it is a little wider than the standard 80 characters.
QR code generated by Google Authenticator. Don’t worry, it isn’t the QR code for my key; I created one only for this post, and it wasn’t used.
Don’t move forward yet! Before doing anything else, copy the emergency codes and put them in a safe place.
These codes will allow you to access Raspberry Pi – and turn off 2FA – if you lose your phone. Without them, you will not be able to connect to Raspberry Pi over SSH if you lose or break the device you are using for authentication.
Then, before we continue to work with Google Authenticator on Raspberry Pi, open the Google Authenticator application on your phone and click the plus sign (+) in the upper right corner, then click “Scan the bar code”.
Your phone will ask you if you want to allow the application to access your camera; you must say “Yes”. The camera view will be displayed. Place the barcode right in the green field on the screen.
Scanning a QR code by means of the application Google Authenticator.
As soon as the application on your phone recognizes the QR code, it will add your new account and automatically start generating TOTP codes.
TOTP in Google Authenticator application.
Your phone will generate a new one-time password every thirty seconds. However, this code will not be of much use until we finish what we were doing on the Raspberry Pi. Go back to the terminal window and answer “Y” to the question whether Google Authenticator should update your .google_authenticator file.
Then answer “Y” to prohibit multiple uses of the same authentication token, “N” to increasing the time-skew window, and “Y” to rate limiting, which protects against brute-force attacks.
You are done here. Now all we have to do is to enable 2FA.
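What those answers control, as an added sketch that is not part of the original post and not the PAM module's own code: a TOTP generator (RFC 6238) and a server-side check with a time-skew window and one-time use. The secret is the RFC test key, the `Verifier` class is hypothetical, and `skew_steps=1` assumes the default window of three codes (previous, current, next).

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per code, matching the 30-second interval described above

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, now):
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(secret_b32, int(now) // STEP)

class Verifier:
    """Server-side check: skew window plus one-time use (illustrative only)."""
    def __init__(self, secret_b32, skew_steps=1):
        self.secret = secret_b32
        self.skew = skew_steps   # 1 accepts the previous, current and next code
        self.last_used = -1      # newest time step already consumed

    def verify(self, code, now):
        current = int(now) // STEP
        first = max(0, current - self.skew)
        for step in range(first, current + self.skew + 1):
            if step <= self.last_used:
                continue         # replayed or older code: never accept twice
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used = step
                return True
        return False

# Constructed demo secret (the RFC test key), not a real account secret.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    v = Verifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, 59)
    # Second use of the same code is refused because reuse is disallowed.
    print(code, v.verify(code, 59), v.verify(code, 59))
```

A code stays valid for one step either side of the server's clock, so a Pi whose clock drifts by more than about 30 seconds will start rejecting logins.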
Enable two-factor authentication
We are going to use Linux Pluggable Authentication Modules (PAM), which provide dynamic authentication support for applications and services, to add 2FA to SSH on Raspberry Pi.
Now we need to configure PAM to add 2FA:
$ sudo nano /etc/pam.d/sshd
Add the line auth required pam_google_authenticator.so near the top of the file. You can add it above or below the line @include common-auth.
Editing /etc/pam.d/sshd.
Since I prefer to be asked for the verification code after entering my password, I added this line after the @include line. If you want the code to be requested before the password, add it before the @include line.
Now restart the SSH daemon:
$ sudo systemctl restart ssh
Then open the terminal window on your laptop and try to connect to Raspberry Pi via SSH.
If everything went according to plan, when you connect to Raspberry Pi via SSH you will be prompted for a TOTP code after the password prompt.
SSH to my Raspberry Pi.
Open Google Authenticator on your phone and enter the six-digit code when prompted. You should then be logged in to your Raspberry Pi as usual.
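A way to check the two edits made above, as an added example that is not from the original post: it reports whether ChallengeResponseAuthentication is effectively “yes”, whether an uncommented pam_google_authenticator.so auth line exists, and which prompt comes first. The function names are hypothetical, the file contents are constructed samples, and Include files and Match blocks are not evaluated.

```python
def sshd_option(text, name):
    """Global value of an sshd_config keyword; sshd keeps the first one it reads."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                   # commented-out settings have no effect
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break                      # conditional overrides start here
        if parts[0].lower() == name.lower() and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return None

def pam_prompt_order(text):
    """'password-first', 'code-first', 'no-common-auth', or None if inactive."""
    ga = inc = None
    for i, raw in enumerate(text.splitlines()):
        fields = raw.split("#", 1)[0].split()
        if fields[:2] == ["@include", "common-auth"] and inc is None:
            inc = i
        elif fields[:1] == ["auth"] and "pam_google_authenticator.so" in fields:
            ga = i if ga is None else ga
    if ga is None:
        return None
    if inc is None:
        return "no-common-auth"
    return "password-first" if inc < ga else "code-first"

def audit(sshd_text, pam_text):
    """Return (list of problems, prompt order) for the two edited files."""
    problems = []
    if sshd_option(sshd_text, "ChallengeResponseAuthentication") != "yes":
        problems.append("sshd_config: ChallengeResponseAuthentication is not yes")
    order = pam_prompt_order(pam_text)
    if order is None:
        problems.append("pam.d/sshd: no active pam_google_authenticator.so line")
    return problems, order

# Constructed sample contents, not taken from a real host.
BAD_SSHD = "#ChallengeResponseAuthentication yes\nChallengeResponseAuthentication no\n"
GOOD_SSHD = "ChallengeResponseAuthentication yes\nUsePAM yes\n"
PAM_AFTER = "@include common-auth\nauth required pam_google_authenticator.so\n"
PAM_COMMENTED = "@include common-auth\n#auth required pam_google_authenticator.so\n"

if __name__ == "__main__":
    print(audit(BAD_SSHD, PAM_COMMENTED))
    print(audit(GOOD_SSHD, PAM_AFTER))
```

On the Pi itself, pass in the contents of /etc/ssh/sshd_config and /etc/pam.d/sshd, and keep an existing SSH session open while testing so a mistake cannot lock you out.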