How to set up two-factor authentication on a Raspberry Pi


The Raspberry Pi is everywhere now, which is why it has caught the attention of threat actors and cybercriminals. We’ll show you how to protect your Pi with two-factor authentication.

The amazing Raspberry Pi

The Raspberry Pi is a single-board computer. It was launched in the UK in 2012 with the intention of getting children to play, create, and learn to code. The original form factor was a credit-card-sized board, powered by a phone charger.

It provides HDMI output, USB ports, and network connectivity, and it runs Linux. Later additions to the line included even smaller versions designed to be built into products or run as headless systems. Prices range from $5 for the minimalist Pi Zero up to $75 for the Pi 4 B with 8 GB of RAM.

Its success has been incredible: more than 30 million of these little computers have been sold worldwide. Fans have done amazing and inspiring things with them, including floating one to the edge of space and back under a balloon.

Unfortunately, once a computing platform becomes widespread enough, it inevitably attracts the attention of cybercriminals. It's terrible to think how many Pis are still using the default user account and password. If your Pi is public-facing and can be reached from the Internet over Secure Shell (SSH), it must be secured.

Even if you don't have any valuable data or software on your Pi, you still need to protect it, because your Pi isn't the real target; it's just a way into your network. Once a threat actor has a foothold on a network, they will pivot to the other devices they're really interested in.

Two-factor authentication

Authentication, or gaining access to a system, requires one or more factors. The factors are classified as follows:

  • Something you know: a password or a passphrase.
  • Something you have: a cell phone, a physical token, or a dongle.
  • Something you are: a biometric reading, such as a fingerprint or a retinal scan.

Multi-factor authentication (MFA) requires a password plus one or more items from the other categories. For our example, we'll use a password and a cell phone. The phone will run the Google Authenticator app, and the Pi will run the Google Authenticator PAM module.

The app on your phone is linked to your Pi by scanning a QR code. This passes the initial seed information from the Pi to your phone, so that both devices' code-generation algorithms produce the same codes at the same time. The codes are called time-based one-time passwords (TOTP).

When a connection request arrives, your Pi generates a code. You use the authenticator app on your phone to see the current code, and your Pi then asks for your password and the authentication code. Both your password and the TOTP must be correct before you are allowed to connect.
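To show what the phone and the Pi are both computing from that shared seed, here is a small RFC 6238 TOTP generator and verifier (added example, not code from the original article or from the Google Authenticator project). It assumes the scheme Google Authenticator uses (HMAC-SHA1, 30-second steps, 6 digits) and a constructed demo secret; the acceptance window and replay check mirror the second and third questions the setup program asks later in this guide.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 TOTP as Google Authenticator computes it: HMAC-SHA1, 30-second
# step, 6 digits. The base32 secret is what the QR code carries to the phone
# (and what the Pi keeps in ~/.google_authenticator).
STEP = 30
DIGITS = 6

# Constructed demo secret (the RFC 6238 test key "12345678901234567890"
# encoded in base32); not a real key from the article.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation down to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time):
    """The code the phone shows (and the Pi expects) at a given Unix time."""
    return hotp(base64.b32decode(secret_b32.upper()), unix_time // STEP)


def verify(secret_b32, code, unix_time, window=1, used=None):
    """Check a submitted code the way the PAM module does.

    window=1 accepts the previous, current and next 30-second step (the
    module's default, which answering 'N' to the third question keeps);
    a larger window tolerates worse clock skew. `used` remembers accepted
    steps so the same code cannot be replayed while it is still valid
    (what answering 'Y' to the second question enables).
    """
    secret = base64.b32decode(secret_b32.upper())
    step = unix_time // STEP
    for delta in range(-window, window + 1):
        candidate = step + delta
        if used is not None and candidate in used:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            if used is not None:
                used.add(candidate)
            return True
    return False
```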

Setting up the Pi

If you usually use SSH on your Pi, it’s probably a headless system, so we’ll set it up over an SSH connection.

It is safer to open two SSH connections: one to configure and test with, and one to act as a safety net. That way, if something goes wrong, you'll still have the second SSH connection active. Changing the SSH settings does not affect a connection that is already in progress, so you can use the second one to reverse any changes and remedy the situation.

If the worst happens and you are completely locked out over SSH, you can still connect your Pi to a monitor, keyboard, and mouse and log into a regular session. That is, you can still log in, as long as your Pi can drive a monitor. If it can't, you really do need to keep your safety-net SSH connection open until you've verified that two-factor authentication is working.

The last resort, of course, is re-flashing the operating system onto the Pi's micro SD card, but let's try to avoid that.

First, we need to make our two connections to the Pi. Both commands have the following form:

ssh pi@watchdog.local

The name of this Pi is “watchdog”, but you will type your own. If you have changed the default username, use that too; ours is “pi”.

Remember, for safety, type this command twice in different terminal windows so that you have two connections to your Pi. Then minimize one of them so that it stays out of the way and doesn't get closed accidentally.

After connecting, you will see the greeting message. The message will display the username (in this case, “pi”) and the name of the Pi (in this case, “watchdog”).

You need to edit the file “sshd_config”. We will do it in the nano text editor:

sudo nano /etc/ssh/sshd_config

Scroll through the file until you see the following line:

ChallengeResponseAuthentication no

Replace “no” with “yes”.

Press Ctrl+O to save your changes in nano, and then press Ctrl+X to close the file. Use the following command to restart the SSH daemon:

sudo systemctl restart ssh

Next, install the Google Authenticator PAM module, a Pluggable Authentication Module (PAM) library. The application (SSH) calls the Linux PAM interface, and the interface finds the appropriate PAM module to service the type of authentication being requested.

Type the following:

sudo apt-get install libpam-google-authenticator

Installing the app

The Google Authenticator app is available for iPhone and Android; just install the appropriate version for your cell phone. You can also use Authy and other applications that support this type of authentication code.


Two-factor authentication setup

In the account you will use when connecting to the Pi over SSH, run the following command (do not prefix it with sudo):

google-authenticator

You'll be asked if you want the authentication tokens to be time-based; press Y, and then press Enter.

A Quick Response (QR) code is generated, but it looks garbled because it is wider than the 80-column terminal window. Drag the window wider to see the code.

You will also see some emergency backup codes below the QR code. These are written to a file called “.google_authenticator”, but you might want to copy them now. If you ever lose the ability to obtain a TOTP (if you lose your cell phone, for example), you can use these codes to authenticate instead.

You must answer four questions, the first of which is:

Do you want me to update your "/home/pi/.google_authenticator" file? (y/n)

Press Y, and then press Enter.

The next question is whether you want to prevent multiple uses of the same code within a 30-second window.

Press Y, and then press Enter.

The third question is whether you want to widen the acceptance window for TOTP tokens.

Press N in response, and then press Enter.

The last question is: “Do you want to enable rate-limiting?”

Type Y and then press Enter.

You'll return to the command prompt. If necessary, drag the terminal window wider and/or scroll up so that you can see the full QR code.

On your cell phone, open the Authenticator app and tap the plus sign (+) at the bottom right of the screen. Select “Scan a QR code” and then scan the QR code in the terminal window.

A new entry will appear in the authenticator app, named after the Pi's hostname, with a six-digit TOTP code below it. The code is displayed as two groups of three digits for easy reading, but you must type it as a single six-digit number.

An animated circle next to the code indicates how long the code will be valid: a full circle means 30 seconds, a semi-circle means 15 seconds, and so on.

Tying it all together

We have one more file to edit. We have to tell SSH which PAM authentication module to use:

sudo nano /etc/pam.d/sshd

Add the following lines near the top of the file:

#2FA

auth required pam_google_authenticator.so

You can also choose when you want to be asked for the TOTP:

  • After you have entered your password: put the lines above after “@include common-auth”, as shown in the image above.
  • Before you are asked for your password: put the lines above before “@include common-auth”.

Note the underscores (_) in “pam_google_authenticator.so”, as opposed to the hyphens (-) we used earlier in the apt-get command that installed the module.

Press Ctrl+O to write your changes to the file, and then press Ctrl+X to close the editor. We need to restart SSH one last time, and then we're done:

sudo systemctl restart ssh
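Before you test the login, it helps to confirm that the two edits made above actually line up. The following checker is an added example (not from the article) that reads the text of sshd_config and /etc/pam.d/sshd, reports the effective ChallengeResponseAuthentication value, whether the Google Authenticator line is present and whether it sits before or after the password prompt; the file excerpts are constructed samples, and it also checks UsePAM, which sshd needs for any PAM module to be consulted.

```python
# Constructed sample excerpts of the two files this guide edits (not taken
# from a real Pi); the checker itself is an added example, not the page's code.
SAMPLE_SSHD_CONFIG = """\
Port 22
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
"""

SAMPLE_PAM_SSHD = """\
#2FA
auth required pam_google_authenticator.so
@include common-auth
account required pam_nologin.so
"""


def sshd_option(config_text, keyword):
    """Effective value of a keyword: sshd honours the FIRST non-comment
    occurrence, so a later duplicate line does not override an earlier one."""
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#") \
                and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return None


def pam_totp_order(pam_text):
    """Where pam_google_authenticator.so sits in /etc/pam.d/sshd: 'missing',
    'before-password' (above @include common-auth) or 'after-password'."""
    totp_idx = include_idx = None
    for i, line in enumerate(pam_text.splitlines()):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[:3] == ["auth", "required", "pam_google_authenticator.so"]:
            totp_idx = i
        elif fields == ["@include", "common-auth"]:
            include_idx = i
    if totp_idx is None:
        return "missing"
    if include_idx is None or totp_idx < include_idx:
        return "before-password"
    return "after-password"


def two_factor_ready(config_text, pam_text):
    """True only when sshd will really ask for the TOTP: challenge-response
    on, PAM in use, and the module present in the PAM stack."""
    return (sshd_option(config_text, "ChallengeResponseAuthentication") == "yes"
            and sshd_option(config_text, "UsePAM") == "yes"
            and pam_totp_order(pam_text) != "missing")
```

On a real Pi, read the two files with sudo and pass their contents to two_factor_ready before closing the safety-net connection.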

Close this SSH connection, but leave the other, safety-net SSH connection running until we have verified the next step.

Make sure the authenticator app is open and ready on your cell phone, and then open a new SSH connection to the Pi:

ssh pi@watchdog.local

You should be prompted for your password and then for the code. Type the code from your cell phone without spaces between the digits. Like your password, it is not echoed to the screen.

If all goes according to plan, you should be able to connect to the Pi; if not, use your safety net SSH connection to review the steps above.

Better safer than sorry

Did you notice the “r” in “safer” above?

You are indeed more secure than before when connecting to a Raspberry Pi, but nothing is 100% secure. There are ways to bypass two-factor authentication, based on social engineering, man-in-the-middle and man-in-the-endpoint attacks, SIM swapping, and other advanced techniques that we are obviously not going to describe here.

So why bother with all this if it's not perfect? Well, for the same reason you lock your door when you go out: although there are people who can pick locks, most can't.
