How To Set Up Two-Factor Authentication On A Raspberry Pi
The Amazing Raspberry Pi
The Raspberry Pi is a single-board computer. It launched in the U.K. in 2012 with the intent of getting children to tinker with, create, and learn code. The original form factor was a credit-card-sized board, powered by a phone charger.
It provides HDMI output, USB ports, network connectivity, and runs Linux. Later additions to the line included even smaller versions designed to be incorporated in products or run as headless systems. Prices range from $5 for the minimalist Pi Zero to $75 for the Pi 4 B/8 GB.
Two-Factor Authentication
Authentication or gaining access to a system requires one or more factors. Factors are categorized as the following:
- Something you know: Such as a password or passphrase.
- Something you have: Like a cell phone, physical token, or dongle.
- Something you are: A biometric reading, like a fingerprint or retinal scan.
Multifactor authentication (MFA) requires a password and one or more items from the other categories. For our example, we’re going to use a password and cell phone. The cell phone will run a Google authenticator app, and the Pi will run a Google authentication module.
A cell phone app is linked to your Pi by scanning a QR code. This passes some seed information to your cell phone from the Pi, ensuring their number-generation algorithms produce the same codes simultaneously. The codes are referred to as time-based, one-time passwords (TOTP).
When it receives a connection request, your Pi computes the code it expects for the current 30-second window. You use the authenticator app on your phone to see the current code, and then your Pi asks you for your password and authentication code. Both your password and the TOTP must be correct before you’re allowed to connect.
Configuring the Pi
If you usually SSH onto your Pi, it’s likely it’s a headless system, so we’ll configure it over an SSH connection.
It’s safest to make two SSH connections: one to do the configuring and testing, and another to act as a safety net. This way, if you lock yourself out of your Pi, you’ll still have the second SSH connection active. Changing SSH settings won’t affect an in-progress connection, so you can use the second one to reverse any changes and remedy the situation.
If the worst happens and you’re completely locked out via SSH, you’ll still be able to connect your Pi to a monitor, keyboard, and mouse, and then log in to a regular session. That is, you can still sign in, as long as your Pi can drive a monitor. If it can’t, however, you really need to keep the safety net SSH connection open until you’ve verified that two-factor authentication is working.
The ultimate sanction, of course, is to reflash the operating system onto the Pi’s micro SD card, but let’s try to avoid that.
First, we need to make our two connections to the Pi. Both commands take the following form:
ssh pi@watchdog.local
The name of this Pi is “watchdog,” but you’ll type the name of yours instead. If you’ve changed the default username, use that, too; ours is “pi.”
Remember, for safety, type this command twice in different terminal windows so you have two connections to your Pi. Then, minimize one of them, so it’s out of the way and won’t be closed accidentally.
After you connect, you’ll see the greeting message. The prompt will show the username (in this case, “pi”), and the name of the Pi (in this case, “watchdog”).
You need to edit the “sshd_config” file. We’ll do so in the nano text editor:
sudo nano /etc/ssh/sshd_config
Scroll through the file until you see the following line:
ChallengeResponseAuthentication no
Replace the “no” with “yes.”
Press Ctrl+O to save your changes in nano, and then press Ctrl+X to close the file. Use the following command to restart the SSH daemon:
sudo systemctl restart ssh
You need to install the Google authenticator, which is a Pluggable Authentication Module (PAM) library. The application (SSH) will call the Linux PAM interface, and the interface finds the appropriate PAM module to service the type of authentication being requested.
Type the following:
sudo apt-get install libpam-google-authenticator
Installing the App
The Google Authenticator app is available for iPhone and Android, so just install the appropriate version for your cell phone. You can also use Authy and other apps that support this type of authentication code.
Configuring Two-Factor Authentication
In the account you’ll be using when you connect to the Pi via SSH, run the following command (do not include the sudo prefix):
google-authenticator
You’ll be asked if you want the authentication tokens to be time-based; press Y, and then hit Enter.
A Quick Response (QR) code is generated, but it’s scrambled because it’s wider than the 80-column terminal window. Drag the window wider to see the code.
You’ll also see some emergency scratch codes beneath the QR code. These are written to a file called “.google_authenticator,” but you might want to make a copy of them now. If you ever lose the ability to obtain a TOTP (if you lose your cell phone, for example), you can use these one-time codes to authenticate.
You must answer four questions, the first of which is:
Do you want me to update your "/home/pi/.google_authenticator" file? (y/n)
Press Y, and then hit Enter.
The next question asks whether you want to prevent multiple uses of the same code within a 30-second window.
Press Y, and then hit Enter.
The third question asks whether you want to widen the window of acceptance for the TOTP tokens.
Press N in answer to this, and then press Enter.
The last question is: “Do you want to enable rate-limiting?”
Type Y, and then hit Enter.
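To show what the phone app and the PAM module are each computing from the shared seed (the code-matching described under “Two-Factor Authentication”), and what the “prevent multiple uses” and “widen the window” answers above change on the Pi’s side, here is an added example; it is not code from the original article or from the google-authenticator project. It uses the RFC 6238 test key as a constructed secret, and its Verifier class is a simplified stand-in for the PAM module’s checks, not the module’s actual logic.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in
# base32, the format google-authenticator prints and encodes in the QR code.
# It is NOT a real key from any system.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30     # seconds per time step (the 30-second window on this page)
DIGITS = 6    # code length shown by the authenticator app


def totp(secret_b32: str, t: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the same function both phone and Pi run on the seed."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = t // step                                    # which 30-second window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Verifier:
    """Server-side check (hypothetical, simplified): skew window plus replay rejection."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        # Steps tolerated on each side of "now": 1 keeps the narrow default
        # (answer N to the third question); a larger value is the widened window.
        self.window = window
        self.last_used = -1   # highest counter already accepted, for "prevent multiple uses"

    def verify(self, code: str, t: int) -> bool:
        now = t // STEP
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_used:
                continue      # code for this (or an older) window was already spent
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_used = counter              # burn the window so a replay fails
                return True
        return False
```

Running totp() with the RFC test key at t=59 returns 287082, the last six digits of the RFC 6238 SHA-1 test vector, so you can confirm the implementation against the published table.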