
How to Configure Two-Factor Authentication for Raspberry Pi

SSH is one of the most popular ways to control your Raspberry Pi from your laptop or PC. Here you will learn how to set up two-factor authentication for your SSH access to Raspberry Pi and add an extra layer of security to it.

Contents: Update your Pi; Enable SSH; Require identity authentication, with challenge-response; Configure two-factor authentication; Create a connection: link your Pi to your mobile device; Linux pluggable authentication modules

Note: If you use an SSH key file to access your Raspberry Pi, two-factor authentication will not be used.

Update your Pi

Assuming you've already configured your Raspberry Pi with Raspberry Pi OS, it's best to first check that all your software is up to date. Open a terminal and type the following command:

sudo apt update && sudo apt -y upgrade

Enable SSH

Raspberry Pi OS has the SSH server disabled by default. Before you can connect to your Pi via SSH, you must activate it by running the following Terminal commands:

sudo systemctl enable ssh
sudo systemctl start ssh

You can now save the updated "sshd_config" file by pressing Ctrl + O, followed by Ctrl + X.

Back in Terminal, restart the SSH daemon with your new configuration:

sudo systemctl restart ssh

Since changes have been made to the SSH configuration, it's a good idea to check that you can still connect to your Raspberry Pi via SSH.

To connect to the SSH server, you'll need to know your Raspberry Pi's IP address. If you don't already have this information, run the following command on your Pi:

hostname -I

This will return the IP address you should use.

Switch to your laptop or computer, launch a Terminal, then connect to your Raspberry Pi, making sure to replace "10.3.000.0" with your unique IP address and "<username>" with your account name on the Pi:

ssh <username>@10.3.000.0

You are now connected via SSH.

Configuration of two-factor authentication

Next, download an authenticator app to generate the one-time codes. There are various authenticator apps on the market, but I'm using Google Authenticator for this tutorial, which is available for both iOS and Android.


Once you have downloaded this mobile application, you will also need to install the Google Authenticator PAM module on your Raspberry Pi.

On your Pi, open a Terminal window and run the following command:

sudo apt install libpam-google-authenticator

Once Google Authenticator is installed on your Raspberry Pi and mobile device, you are ready to set up two-factor authentication.

To create a link between your mobile application and your Raspberry Pi, generate a QR code on your Pi then scan this code using your smartphone or tablet.

To generate the QR code, return to your Raspberry Pi and run the following Terminal command:

google-authenticator

Your Raspberry Pi will ask you if its authentication tokens should be time-based. Since it's more secure, you generally want to generate time-based authentication tokens, unless you have a specific reason not to.


The terminal will generate a QR code, but you may need to resize the terminal to see the full barcode.

There is also a series of emergency codes. If you ever lose, misplace, or break your mobile device, these codes will allow you to access your Raspberry Pi via SSH, even without your mobile device. Don't risk getting locked out of your Raspberry Pi. Write down these codes and keep them in a safe place.

Use this QR code to connect your Raspberry Pi to the Google Authenticator app:

1. On your smartphone or tablet, launch the Google Authenticator app.

2. In the bottom right corner, tap the "+" sign.

3. Select "Scan QR Barcode". When prompted, allow the app to access your device's camera.

4. Hold your device's camera in front of your monitor and point it over the QR code. As soon as your smartphone or tablet recognizes the QR code, it creates an account and starts generating authentication codes automatically.

5. Return to your Raspberry Pi; the Terminal will offer to update your "google_authenticator" file. Press the Y key on your keyboard.

6. You will be asked if you want to prevent multiple people from using the same authentication token. Press the Y key on your keyboard.

7. When asked if you want to increase the time offset window, press N, as it will help protect you against brute-force attacks.

8. The terminal will now ask you to enable rate limiting, which will limit you (and potential hackers!) to three connection attempts every 30 seconds. Rate limiting can help protect against brute force and other password-based attacks, so you should choose "Yes" unless you have a specific reason not to.
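
What the answers in steps 6 and 7 control, shown as an added example that is not part of the original tutorial or of the Google Authenticator code: a time-based one-time-password check (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits) with an adjustable acceptance window and a record of codes already used. The secret is the published RFC test key, and `verify`, `skew_steps` and `used` are names chosen here.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 code for one counter; the secret is base32, as in the QR code."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, now):
    """Code the app displays at Unix time `now`."""
    return hotp(secret_b32, int(now) // STEP)

def verify(secret_b32, code, now, skew_steps=1, used=None):
    """Return the matching time-step counter, or None if the code is rejected.

    skew_steps=1 accepts 3 codes (previous, current, next); 8 accepts 17.
    `used` is a set of counters already consumed, so a code works only once.
    """
    current = int(now) // STEP
    for counter in range(max(0, current - skew_steps), current + skew_steps + 1):
        if used is not None and counter in used:
            continue  # this code was already spent
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            if used is not None:
                used.add(counter)
            return counter
    return None

# Constructed sample secret: the RFC 4226/6238 test key, base32-encoded.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)  # code shown by the app at t=59s
    print("code at t=59:", code)
    print("narrow window, 150s later:", verify(SAMPLE_SECRET, code, 209, 1))
    print("wide window, 150s later:  ", verify(SAMPLE_SECRET, code, 209, 8))
    seen = set()
    print("first use:", verify(SAMPLE_SECRET, code, 59, 1, seen))
    print("replay:   ", verify(SAMPLE_SECRET, code, 59, 1, seen))
```

With the wider window a code that is 150 seconds old is still accepted, and an attacker guessing 6-digit codes has 17 valid targets at any moment instead of 3.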

Linux Pluggable Authentication Modules

Finally, you need to enable two-factor authentication on your Raspberry Pi using Linux Pluggable Authentication Modules (PAM).

To get started, open the "sshd" file in the Nano text editor:

sudo nano /etc/pam.d/sshd

Add the following line:

auth required pam_google_authenticator.so

However, where you add this line is important:

1. After entering your password

If you want to be prompted for a one-time passcode after entering your Raspberry Pi password, add this line after @include .


2. Before entering your password

If you want to be prompted to enter your one-time authentication code before entering your password, add this line before @include .

Once these changes are made, save your file by pressing Ctrl + O, followed by Ctrl + X.

Restart the SSH daemon:

sudo systemctl restart ssh

Now every time you try to log in via SSH, you will be prompted for a unique verification code.
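
A check you can run on the edited file while an existing SSH session is still open, as an added example that is not part of the original tutorial: it reads the text of "/etc/pam.d/sshd" and reports which of the two placements above is in effect, or that the line is missing, commented out, or not marked "required". It assumes the password include is named `common-auth`, as on Debian-based systems (the name is not shown in the text above); `prompt_order` and the sample files are constructed for illustration.

```python
import re
import sys

MODULE = "pam_google_authenticator.so"
PASSWORD_INCLUDE = "common-auth"  # assumption: name of the password stack include

# type, control (plain word or [bracketed list]), module path
AUTH_LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def prompt_order(pam_text):
    """Classify an sshd PAM file by where the authenticator line sits."""
    include_at = module_at = control = None
    for n, raw in enumerate(pam_text.splitlines()):
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if line.split()[:2] == ["@include", PASSWORD_INCLUDE]:
            include_at = n if include_at is None else include_at
            continue
        m = AUTH_LINE.match(line)
        if m and m.group(2).endswith(MODULE) and module_at is None:
            module_at, control = n, m.group(1)
    if module_at is None:
        return "no-2fa"            # line missing or commented out
    if control != "required":
        return "not-required"      # e.g. 'sufficient' or 'optional'
    if include_at is None:
        return "code-only"         # password stack is not included at all
    if module_at > include_at:
        return "code-after-password"
    return "code-before-password"

# Constructed sample files with the tutorial's line in different positions.
AFTER = """\
# PAM configuration for the Secure Shell service
@include common-auth
auth required pam_google_authenticator.so
account    required     pam_nologin.so
@include common-account
"""
BEFORE = "auth required pam_google_authenticator.so\n@include common-auth\n"
COMMENTED = "@include common-auth\n#auth required pam_google_authenticator.so\n"

if __name__ == "__main__":
    # Pass a path such as /etc/pam.d/sshd, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else AFTER
    print(prompt_order(text))
```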


Now that you've set up two-factor authentication on your Raspberry Pi, you can proceed to setting up your personal web server or music server. You can also further increase your SSH security with these tips.