SSH is one of the most popular ways to control your Raspberry Pi from your laptop or PC. Here you’ll learn how to set up two-factor authentication for your SSH access to Raspberry Pi and add an extra layer of security to it.
Note: If you are using SSH key-file to access your Raspberry Pi, the two-factor authentication won’t be in use.
Update your Pi
Assuming you have already set up your Raspberry Pi with Raspberry Pi OS, it’s best to first check that all your software is up to date. Open a terminal and type the following command:
Raspberry Pi OS has the SSH server disabled by default. Before you can connect to your Pi via SSH, you need to enable it by running the following Terminal commands:
You can now connect to the SSH server.
Require identity authentication, with challenge-response
Ultimately, your Raspberry Pi needs to challenge you to authenticate your identity and then process your response, which means you need to enable challenge-response passwords.
To start, open the SSH config file for editing by running the following Terminal command:
Within this file, find the ChallengeResponseAuthentication section and change it from “no” to “yes.”
You can now save the updated “sshd_config” file by pressing Ctrl + O , followed by Ctrl + X .
Back in the Terminal, restart the SSH daemon with your new configuration:
Since changes have been made to the SSH configuration, it’s a good idea to check that you can still connect to your Raspberry Pi over SSH.
To connect to the SSH server, you’ll need to know the IP address of your Raspberry Pi. If you don’t already have this information, then run the following command on your Pi:
This will return the IP address you need to use.
Switch over to your laptop or computer, launch a Terminal and then connect to your Raspberry Pi, being sure to replace “10.3.000.0” with your unique IP address:
You are now connected over SSH.
Setting Up Two-Factor Authentication
Next, download the Authenticator application for the generation of the one-time authentication code. There are various authentication apps on the market, but I’m using Google Authenticator for this tutorial, which is available for both iOS and Android.
Once you’ve downloaded this mobile application, you’ll also need to install the Google Authenticator PAM module on your Raspberry Pi.
On your Pi, open a Terminal window and run the following command:
Once Google Authenticator is installed on both your Raspberry Pi and your mobile device, you’re ready to set up two-factor authentication.
Create a connection: linking your Pi to your mobile device
To create a link between your mobile application and your Raspberry Pi, generate a QR code on your Pi and then scan this code using your smartphone or tablet.
To generate the QR code, switch back to your Raspberry Pi and run the following Terminal command:
Your Raspberry Pi will ask whether its authentication tokens should be time-restricted. Since it’s more secure, you typically want to generate time-based authentication tokens unless you have a specific reason not to.
The Terminal will generate a QR code, although you may need to resize the Terminal in order to see the full barcode.
There is also a series of emergency codes. If you ever lose, misplace or break your mobile device, these codes will allow you to access your Raspberry Pi over SSH, even without your mobile device. Don’t risk getting locked out of your Raspberry Pi. Make a note of these codes and store them somewhere safe.
Use this QR code to connect your Raspberry Pi to the Google Authenticator app:
1. On your smartphone or tablet, launch the Google Authenticator app.
2. In the bottom-right corner, tap the “+” sign.
3. Select “Scan a QR barcode.” When prompted, grant the app permission to access your device’s camera.
4. Hold your device’s camera up to your monitor and position it over the QR code. As soon as your smartphone or tablet recognizes the QR code, it’ll create an account and start generating authentication codes automatically.
5. Switch back to your Raspberry Pi; the Terminal will prompt you to update your “google_authenticator” file. Press the Y key on your keyboard.
6. You’ll be asked whether you want to prevent multiple people from using the same authentication token. Press the Y key on your keyboard.
7. When asked whether you want to increase the time skew window, press N , as this will help protect you against brute-force attacks.
8. The Terminal will now ask you to enable rate-limiting, which will restrict you (and potential hackers!) to three login attempts every 30 seconds. Rate-limiting can help protect you against brute-force and other password-based attacks, so you should opt for “Yes” unless you have a specific reason not to.
Linux Pluggable Authentication Modules
Finally, you need to enable two-factor authentication to your Raspberry Pi using the Linux Pluggable Authentication Modules (PAM).
To start, open the “sshd” file in the Nano text editor:
Add the following line:
However, where you add the following line matters:
1. After entering your password
If you want to be prompted for a one-time authentication code after entering your Raspberry Pi’s password, then add this line after @include .
2. Before entering your password
If you want to be prompted for your one-time authentication code before entering your password, add this line before @include .
Once you’ve made these changes, save your file by pressing Ctrl + O , followed by Ctrl + X .
Restart the SSH daemon:
Now every time you try to connect over SSH, you’ll be asked for a one-time verification code.
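A way to check the outcome of the steps above, including the prompt order and the key-file caveat from the note at the top, as an added example that is not part of the original tutorial. It assumes the Debian default `@include common-auth` line in `/etc/pam.d/sshd` and OpenSSH's `AuthenticationMethods` directive, neither of which is shown on this page; the sample file contents are constructed.

```python
def parse_sshd_config(text: str) -> dict:
    """Global options as {lowercased keyword: value}; sshd keeps the first value it reads."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break  # conditional Match blocks are out of scope for this check
        opts.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return opts


def key_logins_skip_otp(opts: dict) -> bool:
    """True when an SSH key alone is enough, so the PAM OTP prompt never runs."""
    if opts.get("pubkeyauthentication", "yes").lower() == "no":
        return False
    methods = opts.get("authenticationmethods", "any")
    if methods.lower() == "any":
        return True
    for chain in methods.split():
        steps = chain.split(",")
        has_otp_step = any(s.startswith("keyboard-interactive") for s in steps)
        if "publickey" in steps and not has_otp_step:
            return True
    return False


def audit(sshd_text: str, pam_text: str) -> dict:
    opts = parse_sshd_config(sshd_text)
    # ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication.
    kbd = opts.get("kbdinteractiveauthentication",
                   opts.get("challengeresponseauthentication", ""))
    active = [l.split() for l in pam_text.splitlines()
              if l.strip() and not l.strip().startswith("#")]
    otp = next((i for i, f in enumerate(active)
                if f[0].lstrip("-") == "auth"
                and any(t.endswith("pam_google_authenticator.so") for t in f)), None)
    pw = next((i for i, f in enumerate(active)
               if f[:2] == ["@include", "common-auth"]), None)
    if otp is None:
        order = "no OTP module"
    elif pw is None:
        order = "OTP only"
    else:
        order = "OTP after password" if otp > pw else "OTP before password"
    return {
        "challenge_response_on": kbd.lower() == "yes",
        "pam_on": opts.get("usepam", "no").lower() == "yes",
        "prompt_order": order,
        # nullok lets accounts without a ~/.google_authenticator file log in without a code
        "nullok": otp is not None and "nullok" in active[otp],
        "key_logins_skip_otp": key_logins_skip_otp(opts),
    }


# Constructed sample: the state this tutorial produces.
TUTORIAL_SSHD = "ChallengeResponseAuthentication yes\nUsePAM yes\n"
TUTORIAL_PAM = "@include common-auth\nauth required pam_google_authenticator.so\n"

# Constructed sample: same PAM file, but a key must be followed by the OTP prompt.
HARDENED_SSHD = (TUTORIAL_SSHD +
                 "AuthenticationMethods publickey,keyboard-interactive keyboard-interactive\n")

if __name__ == "__main__":
    for name, cfg in (("tutorial", TUTORIAL_SSHD), ("hardened", HARDENED_SSHD)):
        print(name, audit(cfg, TUTORIAL_PAM))
```

On a real Pi, pass the contents of `/etc/ssh/sshd_config` and `/etc/pam.d/sshd` to `audit()` before restarting the daemon, and keep an existing session open while testing.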
Now that you have set up two-factor authentication on your Raspberry Pi, you can proceed to set up your personal web server or a music server. You can also further increase the security of your SSH with these tricks.
Jessica Thornsby is a technical writer based in Derbyshire, UK. When she isn’t obsessing over all things tech, she enjoys researching her family tree, and spending far too much time with her house rabbits.
For super-safety, require two-factor or two-step authentication when SSH’ing. The Google Authenticator app can be used for this.
For TFA to work, the system clock of your Pi should have accurate time and timezone. Type date to check if the time and timezone are correct. If the timezone is correct but the time is not, you can force the ntp-daemon (the process that syncs the clock with the internet) to refresh:
If date displays the wrong timezone, fix it like this: first, get a list of available timezones:
Back up your current timezone settings:
And create a link to the new timezone of your choosing:
The easy install is this:
However, this is an old version that does not support (i) SSH’ing for users who do not have TFA configured and (ii) disabling TFA when SSH’ing from LAN or specific ip. To get a more recent version, follow the following steps (from here). I haven’t checked this myself (I’m using the old version), but here’s a quote from the linked website:
“When using a Debian-like OS, you can install it with a one-liner:
But note the packaged version is old and does not support all documented options. Below I talk about the ‘nullok’ option, but that is not supported in the packaged version. You then see this error:
That’s why I suggest building from source, as this can be done quickly:
Next, set-up TFA for your account (probably ‘pi‘).
Scan the barcode, follow the steps, then edit the following file:
and make sure ChallengeResponseAuthentication is set to yes .
Edit /etc/pam.d/sshd too, and add this at the very top:
Logout, login and have fun. If it doesn’t ask for a code but keeps saying ‘password denied‘, then you didn’t do that last refresh.
Disable TFA on LAN (more info)
Before this works, make sure you did the ‘complicated’ install described earlier (easy install through apt-get installs a version that is too old).
To skip 2-step from LAN sessions, create the file mentioned above:
Check How to Set Up Two-Factor Authentication on Raspberry Pi
Enabling two-factor authentication (2FA) to increase the security of your important accounts is becoming more and more common these days. However, you may be surprised to learn that you can do the same with your Raspberry Pi. You can enable 2FA on the Raspberry Pi and then you will be prompted for a verification code when you access it remotely via Secure Shell (SSH). Two-factor authentication is an additional layer of protection. In addition to a password, “something you know”, you need one more piece of information to log in. This second factor is based on “something you have”, such as a smartphone, or “something you are”, such as biometric information.
We’ll go ahead and configure “something you have” and use your smartphone as the second factor to protect your Raspberry Pi. Many people use a Raspberry Pi as a file or media server at home. This has become quite common with the introduction of the Raspberry Pi 4, which has USB 3 and Gigabit Ethernet. However, when setting up this type of server, you often want to run it “headless”: no monitor, keyboard or mouse.
This is especially true if you intend to hide your Raspberry Pi behind your TV or somewhere else. In either case, this means that you must enable Secure Shell (SSH) for remote access. However, it’s also common to set up your server so you can access your files when you’re away from home, making your Raspberry Pi accessible over the Internet.
How to set up two-factor authentication on a Raspberry Pi
Update your Pi
Assuming you’ve already set up your Raspberry Pi with the Raspberry Pi operating system, it’s best to first check that all your software is up to date. Open a terminal and type the following command:
- sudo apt update && sudo apt -y upgrade
Raspberry Pi OS has the SSH server disabled by default. Before you can connect to your Pi via SSH, you must enable it by running the following Terminal commands:
- sudo systemctl enable ssh
- sudo systemctl start ssh
Require identity authentication, with challenge-response
Ultimately, your Raspberry Pi must challenge you to authenticate your identity and then process your response, which means you must enable challenge and response passwords. To get started, open the SSH configuration file for editing by running the following Terminal command:
- sudo nano /etc/ssh/sshd_config
Within this file, find the ChallengeResponseAuthentication section and change it from ‘no’ to ‘yes’. You can now save the updated “sshd_config” file by pressing Ctrl + O, followed by Ctrl + X. Back in Terminal, restart the SSH daemon with your new settings:
- sudo systemctl restart ssh
Since changes have been made to the SSH configuration, it’s a good idea to verify that you can still connect to your Raspberry Pi via SSH. To connect to the SSH server, you will need to know the IP address of your Raspberry Pi. If you don’t already have this information, run the following command on your Pi:
This will return the IP address you need to use. Switch to your laptop or computer, launch a Terminal, and then connect to your Raspberry Pi, making sure to replace “10.3.000.0” with your unique IP address:
Configuring two-factor authentication
Next, download the Authenticator app for one-time authentication code generation. There are several authenticator apps on the market, but I’m using Google Authenticator for this tutorial, which is available for both iOS and Android.
Once you have downloaded this mobile app, you will also need to install the Google Authenticator PAM module on your Raspberry Pi. On your Pi, open a Terminal window and run the following command:
- sudo apt install libpam-google-authenticator
Once Google Authenticator is installed on both your Raspberry Pi and mobile device, you are ready to set up two-factor authentication.
Create a connection: linking your Pi to your mobile device
To create a link between your mobile app and your Raspberry Pi, generate a QR code on your Pi and then scan this code with your smartphone or tablet. To generate the QR code, go back to your Raspberry Pi and run the following Terminal command:
Your Raspberry Pi will ask you if your authentication tokens should have a time constraint. Since it’s more secure, you typically want to generate time-based auth tokens unless you have a specific reason not to. The Terminal will generate a QR code, although you may need to resize the Terminal to see the full barcode.
There are also a number of emergency codes. If you ever lose, misplace, or break your mobile device, these codes will allow you to access your Raspberry Pi via SSH, even without your mobile device. Don’t risk being left without access to your Raspberry Pi. Make a note of these codes and keep them in a safe place. Use this QR code to connect your Raspberry Pi to the Google Authenticator app:
- On your smartphone or tablet, launch the Google Authenticator app.
- In the bottom right corner, tap on the “+” sign.
- Select “Scan a QR barcode”. When prompted, give the app permission to access your device’s camera.
- Hold your device’s camera in front of your monitor and hover it over the QR code. As soon as your smartphone or tablet recognizes the QR code, it will create an account and start generating authentication codes automatically.
- Go back to your Raspberry Pi; Terminal will prompt you to update your “google_authenticator” file. Press the Y key on your keyboard.
- You will be asked if you want to prevent multiple people from using the same authentication token. Press the Y key on your keyboard.
- When asked if you want to increase the time skew window, press N as this will help protect against brute force attacks.
- Terminal will now prompt you to enable rate limiting, which will restrict you (and would-be hackers!) to three login attempts every 30 seconds. Rate limiting can help protect against brute-force and other password-based attacks, so you should opt for “Yes” unless you have a specific reason not to.
How to Set Up Two-Factor Authentication on Raspberry Pi – Guide
Enabling two-factor authentication (2FA) to increase the security of your important accounts is becoming increasingly common these days. However, you might be surprised to learn that you can do the same with your Raspberry Pi. You can enable 2FA on the Raspberry Pi and then be prompted for a verification code when accessing it remotely via Secure Shell (SSH). Two-factor authentication is an additional layer of protection. In addition to a password, “something you know”, you need one more piece of information to log in. This second factor is based on “something you have” like a smartphone, or “something you are” like biometric information.
We’ll go ahead and set up “something you have” and use your smartphone as the second factor to protect your Raspberry Pi. Many people use a Raspberry Pi as a file or media server at home. This became quite common with the introduction of the Raspberry Pi 4, which has USB 3 and Gigabit Ethernet. However, when setting up this type of server, you often want to run it “headless”: without monitor, keyboard or mouse.
This is especially true if you intend to hide your Raspberry Pi behind your TV or in some other location. Either way, that means you need to enable Secure Shell (SSH) for remote access. However, it is also common to set up your server so you can access your files when you’re away from home, making your Raspberry Pi accessible over the Internet.
How to Set Up Two-Factor Authentication on a Raspberry Pi
Update your Pi
Assuming you have already set up your Raspberry Pi with the Raspberry Pi OS, it is best to first check that all your software is up to date. Open a terminal and type the following command:
The Raspberry Pi OS has the SSH server disabled by default. Before connecting to your Pi via SSH, you need to enable it by running the following Terminal commands:
Require ID authentication, with challenge-response
Finally, your Raspberry Pi needs to challenge you to authenticate your identity and then process your response, which means you need to enable challenge response passwords. To get started, open the SSH configuration file for editing by running the following Terminal command:
In that file, find the ChallengeResponseAuthentication section and change it from “no” to “yes”. You can now save the updated “sshd_config” file by pressing Ctrl + O, followed by Ctrl + X. Back in the Terminal, restart the SSH daemon with your new configuration:
Since changes have been made to the SSH configuration, it’s a good idea to check if you can still connect to your Raspberry Pi over SSH. To connect to the SSH server, you will need to know the IP address of your Raspberry Pi. If you don’t already have this information, run the following command on your Pi:
This will return the IP address you need to use. Switch to your laptop or computer, launch a Terminal and connect to your Raspberry Pi, making sure to replace “10.3.000.0” with your unique IP address:
Setting Up Two-Factor Authentication
Then download the Authenticator app to generate the one-time authentication code. There are several authentication apps on the market, but I am using Google Authenticator for this tutorial, which is available for iOS and Android.
After downloading this mobile application, you will also need to install the Google Authenticator PAM module on your Raspberry Pi. On your Pi, open a Terminal window and run the following command:
Once Google Authenticator is installed on your Raspberry Pi and your mobile device, you are ready to set up two-factor authentication.
Create a connection: linking your Pi to your mobile device
To create a link between your mobile app and your Raspberry Pi, generate a QR code on your Pi, then scan that code using your smartphone or tablet. To generate the QR code, go back to your Raspberry Pi and run the following Terminal command:
Your Raspberry Pi will ask if your auth tokens should be time-constrained. Since it’s more secure, you’ll typically want to generate time-based authentication tokens unless you have a specific reason not to. The Terminal will generate a QR code, although you may need to resize the Terminal to see the full barcode.
There are also a number of emergency codes. If you lose, misplace or break your mobile device, these codes will allow you to access your Raspberry Pi via SSH, even without your mobile device. Don’t risk being locked out of your Raspberry Pi. Write down these codes and keep them somewhere safe. Use this QR code to connect your Raspberry Pi to the Google Authenticator app:
It took me a while but I finally found someone that had solved this. I am linking the solution. However, typing in a password and following it up with the one-time-password (OTP) is *extremely* user unfriendly. Anything that is hard to do to make better security actually makes worse security. Instead my approach protects the private keys with a password, and you then only use the OTP as the user’s password each login.
So, here is the process. Assuming you have pivpn already installed and working with an OpenVPN configuration.
- Install google authenticator on the pi: sudo apt-get install libpam-google-authenticator
- Edit your openvpn server configuration: sudo nano /etc/openvpn/server.conf and add plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn (to use google authenticator) and reneg-sec 0 (to not reconnect every x minutes as the password changes every few seconds).
- NOTE: This will make this server configuration only work with OTP. If you have accounts that will just be using passwords then you will need to have a separate server configuration and separate port for that. Info on how to do that is here.
- Create a pam.d openvpn profile: sudo cp /etc/pam.d/common-account /etc/pam.d/openvpn
- Edit it sudo nano /etc/pam.d/openvpn to add this line at the end: auth required pam_google_authenticator.so
- Now run sudo service openvpn restart to reload the configuration change.
Now, create your user. For this to work you will use system accounts (accounts you use to log in to your Raspberry Pi, like ‘pi’). You can create as many accounts as you wish with the sudo adduser username command. The user’s password really doesn’t matter. Once you’ve created the user:
- Log in as the user on the Raspberry Pi: sudo su - username (replace username with the actual username)
- run the google-authenticator command and follow the instructions (save the barcode url for next step, or import it directly on the user’s device at that time)
- Type exit to get out of that user’s shell and return to your own.
- Executing google-authenticator adds a file .google_authenticator in the user’s home directory. This file must have no rights except read for the user, so run sudo chmod 400 /home/username/.google_authenticator (change to the correct username)
- Create a pivpn account with the exact same name as the user: pivpn -a. Note: the username must be the same as the system account. (The original directions suggest doing this with no password; it is safer to use a password to protect the private key. The password used here will need to be communicated safely to the user.)
- edit the freshly created username.ovpn file and add the lines auth-user-pass (to tell the client to request username and password on connection) and reneg-sec 0 (to not reconnect every x minutes as the password changes every few seconds)
Now, just install your .OVPN file on your client. (You can save the private key password if your client supports it, or require prompting for it every time.) Use the barcode URL generated earlier to show the QR Code for import into your authenticator app on your mobile device, and profit!
Log in with the same username and the OTP as the password. (The private key password is the one used when you created the account with the pivpn -a command.) You’re now using multifactor authentication: something you know (the private key password) and something you have (your authenticator app, which is a one-time-password generator).
11:14 am July 1, 2021 By Julian Horsey
Raspberry Pi enthusiasts searching for a new project to keep them busy this weekend may be interested in this excellent Pi two-factor authentication project, created by maker Angainor and featured on the official Raspberry Pi MagPi website and in the official Raspberry Pi magazine. Aptly named the Picoth, the project is featured in issue 107, which also provides more information on “how to solve Raspberry Pi boot problems, fix audio and video issues, decipher error codes and get your Raspberry Pi working again. Learn to fix common trip-ups and become a Raspberry Pi Genius.”
The project uses a Raspberry Pi Pico microcontroller connected to a display and keypad and uses the MicroPython programming language combined with Pimoroni libraries. Angainor compiled everything himself as the Pimoroni firmware lacked the SHA-256 and SHA-1 he needed, editing the display library code since the pins were hard-coded.
“This first goal of the project was to have something I feel the need for every single day: a small and trustable device that can keep my various 2FA authentications safe and always at hand,” says Angainor of why he created Picoth. Raspberry Pi Pico “handles the hardware – a 4×4 matrix keypad and its 16 RGB LEDs, the 240×135 TFT colour screen, and a clock module – as well as all the software: code generation, USB_HID emulation, and animations”.
Picoth is a “small USB keypad with RGB buttons and a nice colour TFT screen. Just plug it in and you get a powerful authentication assistant that will type in your 2FA (two-factor authentication) codes for you. You can store up to ten codes per page, with any number of pages you need,” making it ideal for online banking, GitHub, Twitter, and messaging platforms.
Rather than having to unlock the phone, open the authenticator app, scroll to find the code, then type it in within a few seconds, Angainor says Picoth is set up with one touch to display the code with its label and one touch to auto-type it. Furthermore, the screen displays the remaining time, since 2FA codes change every 30 seconds.
I set up a two-factor authentication mechanism in nextcloud on Raspberry Pi 4!
I want to use nextcloud from the Internet.
But if the password is leaked, the data can be seen …
Is there any way to avoid that?
I heard two-factor authentication is useful.
You can find the solution by reading this post.
What is two-factor authentication?
As you know, two-factor authentication is a method that strengthens security.
Normal authentication requires you to enter the password that corresponds to your username.
This is based on the concept shown below.
– Only 1 person (usually yourself) knows your password.
However, as you can see in the news, there are many cases in which sensitive data, including passwords, is stolen.
The most recent was Spotify.
Therefore, password-based authentication is not enough, and we need to think about additional authentication.
With it, you are safer than now even if the password is leaked.
The most common way to achieve this is so-called two-factor authentication, which adds authentication that does not rely on a fixed password.
There are various ways to implement two-factor authentication.
The major method is to display a one-time password in your smartphone app and enter it in the authentication field.
The one-time password is valid only for a short time.
– usually 1 minute
So even if an attacker steals a one-time password, it cannot be used, because its validity period is very short.
This is based on the following concepts:
– Password ( I know authentication )
I know the password which only the user to be authenticated knows
-> system can treat me as user
Other example: secret question (maiden name of mother, or others)
– Smartphone app ( I have authentication )
I have the smartphone which only the user to be authenticated has
-> system can treat me as user
Other example: fingerprint authentication
You might have seen a site that asks you to set an additional password for use in two-factor authentication.
But in the terms shown above, this means that you have set up two “I know” authentications.
This increases security, of course; however, using an “I have” authentication such as a smartphone app or fingerprints (or others) is more secure.
In this post I will show how to add two-factor authentication with a smartphone app to nextcloud.
Installing two-factor authentication in nextcloud
This is easy.
Just install an application in nextcloud.
I will show you how to install an app called Two-Factor TOTP Provider.
– You can find other apps; you can choose any of them.
Angainor’s two-factor authentication hardware uses the new Raspberry Pi board alongside a Pimoroni RGB Keypad and Display Pack.
We believe that having a strong password is more than enough to keep your account and data safe. However, with the rise in cyber crimes, two-factor authentication has become essential. As the name suggests, 2FA has two layers of verification other than the password alone. Angainor has designed a MicroPython implementation of user-friendly, Raspberry Pi Pico-based hardware to handle many 2FA keys, reducing the pain of finding the right pin on the Google authenticator.
Apart from the Pico board, Angainor’s setup consists of Pimoroni’s Pico RGB Keypad Base and Pico Display Pack, as well as a DS3231 Arduino module. For hardware wiring, refer to the project logs on Hackaday .
The official MicroPython does not support the Pimoroni C libraries for Pico add-ons. Also, the support for user C modules is broken and the fork does not have SHA256. “I ended up handling yet another fork, based upon the official MicroPython with user C modules re-enabled, SHA256 and Pimoroni libs,” Angainor notes.
With an excellent performance by the Pico, the challenge was to figure out the configuration of the keypad base and Pico display with the same Raspberry Pi Pico. Thanks to the use of reference documents for RP2040, it was possible to connect the Pico add-ons with some tweaks.
The project can display the correct two-factor authentication TOTP code from a key with DS3231 RTC as a clock source. To continue modifying, we can expect some software upgrades in the coming days.
More details on the project are available on Angainor’s page .
AnyDesk provides Two-Factor Authentication (2FA) for unattended access connections to a specific AnyDesk client as well as for access to the MyAnyDesk customer portal.
Note: The use of this feature requires an authentication app that supports “time-based one-time passwords” (TOTP).
To require a 2FA verification code when connecting to your client using Unattended Access, the following steps need to be completed:
Settings & Setup
- Enable “Enable Two-Factor Authentication” in Settings > Security > Permissions.
- A prompt will appear where the user can scan the QR-Code or paste the key into one of our recommended authenticators.
- Enter the authorization code from the authenticator and click “Enable authorization”.
If the correct authentication code is given but the “Enable authorization” button remains grayed out, please make sure that the times on both the authenticator and the AnyDesk device are synchronized. As the verification codes are time-based, they will not authenticate if the times are out of sync.
Establishing a session
When connecting to an AnyDesk client with 2FA enabled, a 6-digit authorization key from the authenticator is requested directly after the unattended access password is manually or automatically submitted.
Two-Factor authentication for MyAnyDesk can be activated in Settings > General > Two-factor authentication of your MyAnyDesk customer portal.
Print or save the recovery key in a secure location in order to restore access to your account when needed.
DO NOT PROCEED WITHOUT SAVING OR PRINTING THE RECOVERY KEY.
The recovery key cannot be retrieved or reset.
In the event that you lose access to your authentication device and do not have access to the recovery key, please contact AnyDesk Technical Support.
Recommended authenticator apps
The following authenticator apps are tested and recommended for use with AnyDesk:
- Google Authenticator
- Microsoft Authenticator
Set up a company mobile phone, tablet or PC with 2FA for unique access so that only your employee can access the office computer.
Additionally, you can set up multiple authentication devices by scanning the same QR code with more than one authenticator.
Limit the access to selected devices like your servers to only the person that has the authentication device.
The Internet of Things is mostly about bringing Things to The Internet, but it’s also about bringing The Internet to Things. Two-Factor Authentication (2FA) has been offered by mission critical services websites like bank accounts or Bitcoin wallets for some time now, providing an additional layer of security beyond just a password. Since resin.io is all about crossing the gap between the internet and the real world we decided to put this concept into action by building a safe-deposit box that requires 2FA to open.
By combining resin.io with Twilio’s Authy, we got to do this with a very simple deployment system —git push resin master— and a very easy way to add the 2FA mechanism.
Safes and lockers are usually opened by a key or by tapping in a code on a numeric keypad. We’ve come up with an alternative approach that combines a numeric code with an SMS sent via Authy to the user’s phone, which means that opening the safe involves having both the code and the mobile phone.
We used a Raspberry Pi 2 and a little circuit on a protoboard. The lock itself is a 5V solenoid.
The Pi runs a node.js server which performs authentication via a simple web interface. We use Authy to provide the 2nd factor authentication and resin.io to allow ultra-simple code deployment.
The procedure to lock and unlock the safe is as follows:-
- The user inputs their email.
- If it’s a new user, they’re asked for a phone number.
- The UI asks for the user’s code to lock the safe.
- When the code is inputted by the user, the lock is engaged.
Once this is done, to open the safe:-
- First, the user has to input the correct code.
- After inputting the code, Authy sends an SMS to the user.
- The user inputs the SMS code, and the lock opens.
- The lock only opens for a few seconds, but it can be opened again by pressing the ‘Open’ button on the UI.
When you use the UI on your phone, you’ll usually be able to input the SMS code when it arrives as it will appear in your phone’s notification area.
And this is what the unique experience of opening our safe looks like:-
The circuit schematic for the solenoid driver looks like this:-
(You can also find it on Upverter)
And this is how we assembled the solenoid driver on the protoboard:-
Posted By: Sorin Mustaca April 9, 2013
I am a big fan of RPi and I allowed one of my RPis (I have 3) to be accessible from the Internet via SSH. But I was stressed because somebody might do a DoS on my device with the intent to hack into it, and this would prevent me from accessing it.
So, wanting to secure it, I researched a bit how to enable two-factor authentication for SSH. I don’t want expensive SMS services; actually, I don’t want to pay anything at all.
I found some great tutorials on the net, and here is my take on how to enable this great service via Google’s open-source Authenticator.
Google provides the necessary software to integrate Google Authenticator’s (GA) time-based one-time password (TOTP) system. You can couple GA with an SSH server. After this, you’ll have to enter the code from your phone when you connect, in addition to the username and password.
GA doesn’t connect to Google as far as I can see in the code: https://code.google.com/p/google-authenticator/.
You will have to use the PAM module which is available in Raspbian’s repository. The PAM module can add a two-factor authentication step to any PAM-enabled application. It supports:
- Per-user secret and status file stored in user’s home directory
- Support for 30-second TOTP codes
- Support for emergency scratch codes
- Protection against replay attacks
- Key provisioning via display of QR code
- Manual key entry of RFC 3548 base32 key strings
Here is how to enable it:
1. Install the lib and the program
# sudo apt-get install libpam-google-authenticator
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
The following NEW packages will be installed:
  libpam-google-authenticator libqrencode3
0 upgraded, 2 newly installed, 0 to remove and 27 not upgraded.
Need to get 56.8 kB of archives.
After this operation, 181 kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://mirrordirector.raspbian.org/raspbian/ wheezy/main libqrencode3 armhf 3.3.0-2 [31.8 kB]
Get:2 http://mirrordirector.raspbian.org/raspbian/ wheezy/main libpam-google-authenticator armhf 20110413.68230188bdc7-1.1 [25.0 kB]
Fetched 56.8 kB in 0s (102 kB/s)
Selecting previously unselected package libqrencode3:armhf.
(Reading database … 93376 files and directories currently installed.)
Unpacking libqrencode3:armhf (from …/libqrencode3_3.3.0-2_armhf.deb) …
Selecting previously unselected package libpam-google-authenticator.
Unpacking libpam-google-authenticator (from …/libpam-google-authenticator_20110413.68230188bdc7-1.1_armhf.deb) …
Processing triggers for man-db …
Setting up libqrencode3:armhf (3.3.0-2) …
Setting up libpam-google-authenticator (20110413.68230188bdc7-1.1) …
2. Start the GA program and set it up
Note that I marked with heading two the answers which I provided to the tool.
Google Authenticator will present you with a secret key and several “emergency scratch codes.” Write down the emergency scratch codes and keep them safe because they can only be used one time each, and they’re intended for use if you don’t have your phone at hand.
Your new secret key is: K4QP6XXXXXXXXJLQ
Your verification code is 280506
Your emergency scratch codes are:
Do you want me to update your “~/.google_authenticator” file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
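The three prompts above describe checks applied to each code: a time-skew window, one-time use, and rate limiting. The following added example (not code from the original post or from the google-authenticator project) implements RFC 6238 TOTP and those three checks in Python. The class name, the `skew_steps` parameter and the reading of “about 4min” as 8 steps either side are assumptions, and the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, as stated in the prompts

# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time):
    """RFC 6238: HOTP whose counter is the number of 30 s steps since the epoch."""
    return hotp(secret_b32, int(unix_time) // STEP)


class TotpVerifier:
    """Hypothetical server-side check modelled on the prompts (not the module's code)."""

    def __init__(self, secret_b32, skew_steps=1, disallow_reuse=True,
                 max_attempts=3, per_seconds=30):
        self.secret = secret_b32
        self.skew_steps = skew_steps          # 1 -> three codes accepted (1:30 min)
        self.disallow_reuse = disallow_reuse  # "disallow multiple uses of the same token"
        self.max_attempts = max_attempts      # "no more than 3 login attempts every 30s"
        self.per_seconds = per_seconds
        self.used_counters = set()
        self.attempts = []

    def verify(self, code, now):
        # Rate limiting comes first, so guesses are capped even when all are wrong.
        self.attempts = [t for t in self.attempts if now - t < self.per_seconds]
        if len(self.attempts) >= self.max_attempts:
            return "rate-limited"
        self.attempts.append(now)

        current = int(now) // STEP
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter < 0:
                continue
            expected = hotp(self.secret, counter).encode()
            if hmac.compare_digest(expected, str(code).encode()):
                # A code that was already accepted is refused, even inside its window.
                if self.disallow_reuse and counter in self.used_counters:
                    return "replayed"
                self.used_counters.add(counter)
                return "ok"
        return "bad-code"


def demo(now=1000):
    """Run the scenarios the prompts talk about against a fixed server time."""
    out = {}
    strict = TotpVerifier(SAMPLE_SECRET)
    code = totp(SAMPLE_SECRET, now - 20)            # phone clock 20 s behind the Pi
    out["phone_20s_behind"] = strict.verify(code, now)
    out["same_code_again"] = strict.verify(code, now + 3)

    late = totp(SAMPLE_SECRET, now - 120)           # phone clock 2 min behind the Pi
    out["phone_120s_behind"] = TotpVerifier(SAMPLE_SECRET).verify(late, now)
    out["120s_behind_wide_window"] = TotpVerifier(SAMPLE_SECRET, skew_steps=8).verify(late, now)

    guesser = TotpVerifier(SAMPLE_SECRET)
    for i in range(3):
        guesser.verify("000000", now + i)           # three wrong guesses in 3 s
    out["fourth_attempt_in_30s"] = guesser.verify(totp(SAMPLE_SECRET, now + 3), now + 3)
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The widened window trades tolerance for poor time synchronization against a larger set of codes that are valid at any moment, which is why it is paired with rate limiting.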
Now comes the interesting part: enable the authentication process.
3. Set up the app on your mobile
Enter the secret key in the Authenticator app on your phone (official apps are available for Android, iOS, and even Blackberry). I personally love the scan barcode feature – go to the URL located near the top of the command’s output and you can scan a QR code with your phone’s camera. After this, you will see the following in your app (here on iOS):
Note that I have two codes. The first one is from Google’s two-factor authentication for their services and the second one is for RPi.
4. Activate GA to work with the PAM module and SSH
Open the /etc/pam.d/sshd file on your system (for example, with the sudo nano /etc/pam.d/sshd command or just use mc) and add the following line to the file:
auth required pam_google_authenticator.so
Open the /etc/ssh/sshd_config file, locate the ChallengeResponseAuthentication line which is set by default to “no”, and change it to “yes”:
Finally, restart the SSH server so your changes will take effect:
# sudo /etc/init.d/ssh restart
Do not close the active ssh window if you have one. If something went wrong, you can then quickly debug it. Open a new ssh window instead.
5. Test your service
login as: sorin
Using keyboard-interactive authentication.
Using keyboard-interactive authentication.
Verification code: 123456
That’s it. I hope it works out of the box and you can enjoy your Raspberry Pi in safety.
Introduction: Securely Access Your Pi From Anywhere in the World
I have a few applications running round the clock on the Pi. Whenever I got out of my house, it became very difficult to check on the Pi’s health and status. I subsequently overcame the minor hurdle using ngrok. Accessing the device from outside gives rise to questions of security, which I dealt with by enabling 2FA (two-factor authentication) or 2-step authentication. So here are the steps below for you to access your Pi from outside with an added layer of security.
Step 1: Video Guides
Some prefer written material and some prefer video guides. If you are one of the many who prefer a video guide, check out these videos for step-by-step instructions.
Step 2: Prep Ngrok
Open a terminal on your Pi and run the following commands one after another to download and prep the ngrok application:
Now you should have a folder labeled ngrok on the /home/pi/ directory.
Optionally, you can remove the original downloaded zip file to save some space
Now get the additional files to help you setup ngrok as a service
Step 3: Step Ngrok
Head over to ngrok’s website and sign in. If you don’t have an account, signup for one.
On your ngrok dashboard, under the authentication tab, you should find your Authtoken as shown below.
On a terminal on your Raspberry Pi, run the following to setup your authtoken.
You should get an acknowledgement like shown below.
Copy the tunnels from the sample ngrok configuration file (ngrok-sample.yml) in the /home/pi/ngrok-service/ folder.
Open the default configuration file using:
Paste the tunnels that you just copied from the sample. Feel free to remove the other tunnels that you may not need other than the SSH.
Now verify if the tunneling is working by starting the ngrok application using
Step 4: Setup Ngrok As Service
Run the commands one after another to set up ngrok as a service.
Temporarily stop the ngrok service until the two-factor authentication setup is completed.
Step 5: Setup Two Factor Authentication
Enable SSH if not already done using:
Enable two factor challenge. Open ssh config using:
Change ChallengeResponseAuthentication from the default no to yes.
Save the config file and exit.
Step 6: Configure Google Authenticator
Install the Google Authenticator pluggable authentication module (PAM).
Run the following to start authenticator module
Download Google Authenticator app on your mobile and link the PAM module by scanning the QR code on screen.
Configure PAM to add the two factor authentication.
Add the following line to the beginning
This can be added below or above @include common-auth
Step 7: Restart Ssh and Ngrok
Restart the services
And that is a wrap
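Both walkthroughs above (step 4 of the GA tutorial and Steps 5 to 7 here) edit the same two files, and a mistake in either one leaves SSH on a single factor without any error message. The added example below, which is not code from either tutorial, audits the text of `sshd_config` and `/etc/pam.d/sshd` for those settings and for key logins that skip the code. The function names, finding codes and sample file contents are constructed for illustration, and `Match` blocks and `Include` files are not evaluated.

```python
# Newer OpenSSH releases name ChallengeResponseAuthentication
# KbdInteractiveAuthentication; treat both spellings as one setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample files (not taken from a real system).
WEAK_SSHD = """\
ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication yes
"""
WEAK_PAM = """\
#auth required pam_google_authenticator.so
@include common-auth
"""
FIXED_SSHD = """\
ChallengeResponseAuthentication yes
UsePAM yes
# One possible policy: key logins must also pass the PAM prompt.
AuthenticationMethods publickey,keyboard-interactive
"""
FIXED_PAM = """\
auth required pam_google_authenticator.so
@include common-auth
"""


def parse_sshd_config(text):
    """Global settings only; sshd keeps the first value it reads for a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        key = fields[0].lower()
        if key == "match":  # conditional blocks are out of scope for this sketch
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, fields[1].strip().lower() if len(fields) > 1 else "")
    return settings


def pam_auth_entries(text):
    """Active (uncommented) auth lines as (control, module, options)."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # a leading '#' disables the whole line
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        so = next((i for i, f in enumerate(fields) if f.endswith(".so")), None)
        if so is None or so < 2:
            continue
        entries.append((" ".join(fields[1:so]), fields[so], fields[so + 1:]))
    return entries


def audit(sshd_text, pam_text):
    """Return a list of (code, message) findings; an empty list means no issue found."""
    findings = []
    cfg = parse_sshd_config(sshd_text)
    ga = [e for e in pam_auth_entries(pam_text)
          if e[1].endswith("pam_google_authenticator.so")]
    if not ga:
        findings.append(("PAM_MODULE_INACTIVE",
                         "no active auth line loads pam_google_authenticator.so"))
    else:
        control, _, options = ga[0]
        if control not in ("required", "requisite"):
            findings.append(("PAM_CONTROL_WEAK",
                             f"control '{control}': a wrong code may not fail the login; review it"))
        if "nullok" in options:
            findings.append(("PAM_NULLOK",
                             "users without a secret file skip the second factor"))
    if cfg.get("usepam") != "yes":
        findings.append(("USEPAM_OFF", "UsePAM is not 'yes', so the PAM stack is not consulted"))
    if cfg.get("kbdinteractiveauthentication") != "yes":
        findings.append(("KBDINT_OFF",
                         "ChallengeResponseAuthentication is not 'yes'; no code prompt is shown"))
    methods = cfg.get("authenticationmethods", "")
    forced = bool(methods) and all(
        any(m.split(":")[0] == "keyboard-interactive" for m in alt.split(","))
        for alt in methods.split())
    if cfg.get("pubkeyauthentication", "yes") != "no" and not forced:
        findings.append(("PUBKEY_BYPASS",
                         "a key login succeeds without the verification code"))
    return findings


if __name__ == "__main__":
    for label, sshd, pam in (("weak", WEAK_SSHD, WEAK_PAM), ("fixed", FIXED_SSHD, FIXED_PAM)):
        print(label, audit(sshd, pam) or "no findings")
```

On a live system the effective values can be cross-checked with `sudo sshd -T`, which prints the configuration sshd actually applies.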
Raspberry Pi-based compute modules are often used as edge devices to send signal and other sensor-derived data (temperature and humidity data) to the cloud using Azure IoT Edge and IoT Hub. This use case deploys Azure IoT Edge through the Azure CLI and the Azure Portal.
The basics of how to connect a Raspberry Pi device to IoT Hub are described in the cited Microsoft Documentation.
The Raspberry Pi Forum carries an actual use case for handling signal data between an edge device and IoT Hub. This step by step tutorial is based around a Raspberry Pi 3 Model B+ in use with a light emitting diode panel in this described use case with the objective of sending signals to the diode panel from the cloud. The prerequisites for this set up are a Raspberry Pi 3 Model B+, an Azure account, Azure CLI and the Azure IoT CLI extension. We are citing and highlighting this use case here.
Azure IoT in the project
First, a device identifier needs to be created and then it needs to be authenticated in IoT Hub. The use of the Add Edge Enabled option connects the Raspberry Pi to the Azure IoT Edge. The latest version of Azure CLI also needs to be installed so that the appropriate commands can be run.
Then a gateway for connecting all the edge devices to Azure IoT has to be created. Then identifiers need to be created for the Raspberry Pi and a device. After this, a specific device connection string is created which should be recorded for later use.
Raspberry Pi in the project
With Azure IoT Edge modules working as containers, the Raspberry Pi is connected to both Azure IoT Hub and Azure IoT Edge. Then, Docker should be installed on the Raspberry Pi followed by the Azure IoT Edge runtime daemon.
Next, the device should be connected to Azure IoT Hub followed by a restart of the IoT Edge daemon and status check. When all this has been completed successfully, an Azure IoT module can be deployed for managing the IoT device, in this case the light-emitting diode panel. Once the Azure IoT custom module is deployed through the Azure portal, a container can be deployed as a module through it. This assumes that a Docker image has already been created and saved in the Docker Hub. From the IoT Edge Custom Modules section, the module can be named and the container can be run.
OTA updates for Azure devices based on Raspberry Pi
For OTA updates, Mender integrates with Azure IoT Hub for device credentials sharing and supports the preparation of the Raspberry Pi with a Raspberry OS distribution.
The best way to test the Azure – Mender integration for OTA software updates to devices in the IoT Hub is to sign up for a new Mender Enterprise free trial, in which all features and add-ons are available for 12 months for free, and to refer to the GitHub documentation on the existing integration.
We are currently working on making major enhancements to the Azure IoT Hub – Mender integration. This will help Mender users get more efficiency, productivity and insights from device provisioning and inspection, from using the two systems together.
If you would like a sneak preview of these upcoming integration improvements, please visit our preview page and leave your email address for updates.
In Nextcloud, there is the option to set up Two Factor Authentication. The steps you have to follow in order to use it are the following:
- Install TOTP app on Nextcloud.
- Enable TOTP in Personal Settings, under the TOTP second-factor auth section. A QR code will show up.
- Install andOTP on your Android phone (you can use any TOTP client you want; andOTP is available in F-Droid).
- Scan the QR code that is shown in step 2 with andOTP.
- andOTP and Nextcloud are now linked, and a new TOTP password is generated every 30 seconds.
Now when you log in you will be prompted, in a second step, to type a TOTP password. Type the password shown in the andOTP app.
You must add App Passwords to generate a password for every app that needs access to your Nextcloud account.
Example: Nextcloud Desktop / Mobile Client, DavDroid app, Notes App (Mobile), etc.
To add an App Password do the following.
- Navigate to Personal settings, under the Settings section (here you will see every application that has access to your Nextcloud account). Scroll until you find App passwords.
- Fill in the box that says App name with the name of the application that you want to use (use a name that is convenient and distinguishes it from other apps).
- An Application Password is now generated and displayed in a gray box. Type this password (and your username) in the application you want to use. After you log in, hit Done.
Note: After you hit Done, the password will never be revealed again. You may want to use a password manager to save this password, or create a new App Password every time you lose a password.
After setting up your Raspberry Pi , you may not need a display for it. When it comes time for maintenance tasks, like upgrades and reboots, you can use Secure Shell (SSH) instead of plugging in a monitor. We’ll show you how.
What Is SSH?
SSH, often typed all in lower case, stands for Secure Shell. It allows you to remotely connect to a server or system from another device using encrypted communications .
The primary benefit of SSH is the encryption itself. With less secure remote login protocols, such as FTP , everything is sent in plain text. A hacker can sniff out those communications and log things like usernames and passwords. Since SSH is encrypted, that’s no longer possible.
Before You Turn On SSH, Mind Your Security
Turning on SSH is easy, but let’s not get ahead of ourselves. First, you’ll want to make sure your Raspberry Pi is secure. That starts with the password for your user account.
When you first set up your Raspberry Pi, you should have been prompted to change your user account password. If you did not, you need to do so now. Open the terminal, then enter the passwd command.
You’ll be prompted to enter your current password, then choose a new one.
Discover the IP Address or Hostname for Your Raspberry Pi
You’ll also need to know the hostname or IP address of your Pi. From the terminal, type:
This will provide the IP addresses for your Raspberry Pi. There could very well be several listed if you are connected both through Wi-Fi and Ethernet. Most of the time, the address you want will begin with 192.168 . Make note of the address or hostname for later.
With that out of the way, we can turn on SSH.
Option 1: Enable SSH Through the Desktop
One way to turn on SSH is through the Raspberry Pi graphical configuration app. Just click the Raspberry icon in the top left corner of the screen, then click “Preferences.” Click “Raspberry Pi Configuration.”
In this app, click the “Interfaces” tab and look for “SSH.” Click the “Enable” radio button, then click “OK” to close the app.
Option 2: Enable SSH From the Terminal
Another method to enable SSH is from the terminal itself, command-line style. Type this command to enter the text-based configuration tool for your Raspberry Pi:
Use the arrow keys on your keyboard to select “Interfacing Options,” then press the Enter key.
Select “P2 SSH” and press Enter.
When asked, “Would you like the SSH server enabled,” choose “Yes.” Press Enter again at the confirmation box, “The SSH server is enabled.” Navigate down and select “Finish.”
Disable SSH Root Login
Once you’ve enabled SSH, there is another optional but highly recommended task. Leaving your root user able to SSH into your Raspberry Pi is a security risk, so we recommend disabling root login through SSH. Remember, you can always issue administrative commands from your regular user with sudo .
In your Terminal window, enter this command:
Now, find this line:
Note: The line in the configuration file could also read #PermitRootLogin yes .
Edit the line to read as follows:
Save and close the file by pressing Ctrl+X, then Y . Now, you should reboot the SSH server with this command:
There are other steps you can take to secure your SSH server even further, so be sure to consider how at-risk your Raspberry Pi can stand to be.
Log Into Your Raspberry Pi From Another Computer
Once those steps are complete, you’re ready to log into your Raspberry Pi from any computer on your local network . With the IP address or hostname you noted earlier, you can ssh into your Pi. That’s done using this command from your other computer:
If your Raspberry Pi’s address is 192.168.0.200 , for example, it will look like this:
The first time you ssh into your Pi, you’ll be asked to accept the encryption key. Just press Y , and you’ll connect and be prompted to enter your password. That done, you’ll be logged into the Raspberry Pi and can do whatever tasks you need.
In addition to issuing commands, you can also use SSH for other purposes , such as to tunnel your traffic, transfer files, mount remote file systems, and more. If you’re concerned about security with your Pi, consider setting up two-factor authentication .
You can set up the SAASPASS password manager for thousands of websites and services, including raspberrypi.com to autofill and autologin to them from both your computer & mobile phone. It is a great way of dealing with all the complexities of the web. In addition, you can add the Authenticator format of multi-factor authentication quite easily as well from within your password manager. In fact, we can also autofill & autologin both your password credentials and the Authenticator codes as well!!
Free Password Manager for Personal Use
The SAASPASS for raspberrypi.com password manager is free for personal use and can be used on multiple devices as well.
SAASPASS password manager can be supported on multiple devices including tablets like the iPad. You can have all your password managers on two or more devices. You can also control your multiple devices with device management. The ability to do a remote wipe is very handy especially if you have it on more than two devices. You can remotely remove your SAASPASS from a discarded or even (heaven forbid) a stolen device. Access to your SAASPASS is always protected by biometrics like Touch ID or your customizable PIN.
If you have SAASPASS on multiple devices, your details will be automatically synced across them to eliminate the pain of multiple entries on all your devices.
Backup & Restore
You can create backups through establishing Recovery and later on restore your SAASPASS. This comes in quite handy especially if you change or lose devices. It eliminates the pain of keeping notes and backup codes and then reestablishing them.
Change Display Name
You can change the display name of your password manager from within the password manager details.
You can alter the order of all your Authenticator(s) and even all the sections by clicking on the edit icon in the top left corner of your SAASPASS app.
You can delete your personal services and data including your password manager(s) by going to the Erase My Data section under SETTINGS in your SAASPASS app.
Enterprise Password Manager
The SAASPASS enterprise password manager can be used in the corporate environment. It is available on a freemium basis (pricing listed here). In addition to providing enterprise-grade password management, SAASPASS allows corporations to secure access to websites, services and accounts with multi-factor authentication. The enterprise password manager also comes with a number of convenient features that include sharing access to teams (or 3rd parties even) without ever sharing passwords. This even includes websites and services that the Authenticator (TOTP) has been added to in addition to the username/password.
Two-factor authentication for enterprises is available in a number of formats including the SAASPASS mobile app, hard tokens and USB tokens that support the HOTP and TOTP standards, and FIDO U2F tokens that also include Yubico’s YubiKey.
The SAASPASS raspberrypi.com password manager comes with a number of features:
- Autofill & Autologin on your computer with the browser extension from the web portal
- Autofill & Autologin on your computer with the browser extension from the SSO Client
- Autofill & Autologin within the mobile app
- Secure your passwords with two-factor authentication & add the Authenticator to it where possible
- Can be coupled with the Authenticator for Autofill & Autologin on both the mobile & computer
- Ability to customize the Display Name of your Password Manager
- Multifactor Authentication Support
- You can clone/sync your password manager onto multiple devices
- Ability to remotely delete other devices
- Backup and Restore capabilities in case you lost your device
- Backup and Restore capabilities turned off permanently
- Advanced recovery capabilities with mobile phone number verification AND custom recovery set up (Bring Your Own Question and Answer – BYOQ & A)
- Enterprise password management
- Sharing of access with teams without sharing of passwords & Authenticator codes
- Sharing of access with teams without sharing of passwords
- Enterprise password management with Multi-Factor Authentication login
- Enterprise password management support with FIDO U2F support
- Yubico’s YubiKey tested & verified
- Enterprise password management with Hard Token (both HOTP/TOTP)
- Secure Single Sign On (SSO)
- More than 8000 predefined websites and services & more added everyday
- Logos for most of the popular websites
- Copy/Paste capabilities with auto copying for external browsers
- Touch ID support
- Scrambled Keypad support (to prevent shoulder surfing)
- Pattern Unlock (both visible & invisible) support on Android devices
- Ability to change PIN length
- Secure Notes – an encrypted secure notepad to store private notes etc.
- Main Menu that you can customize
- Mobile Password Generator included with copy/paste capabilities
- Desktop Password Generator
- Never needing to remember passwords
- & much, much more
For your computer download one of our browser extensions
SSH Locked Down
SSH Two-Factor Authentication: Lock your machines with certificates + security codes
30 second installation
Forget those complicated installation procedures. It takes 30 seconds from start to finish to add Authy Two-Factor Authentication to your SSH.
We know passwords are not safe, we designed Authy SSH to work best with authorized keys.
Mobile Apps or SMS
Someone in your organization doesn’t have a smartphone? We got you covered. Authy SSH can send them the token via SMS or a phone call. The rest can install the Authy App for free right to their phones (it even works while you’re offline).
- Get your Authy API Key at: https://www.twilio.com/try-twilio.
- Get the code: https://github.com/authy/authy-ssh
- Install it:
- Enable it:
- Test it:
- Restart your ssh server:
SCP stopped working
Currently SCP breaks, we’re working on a way to fix it
Is there a way to disable SMS?
Yes, if you’d like to disable SMS altogether send us an e-mail to [email protected] . We’ll take care of it.
How does Authy SSH work?
We use the forced-command directive to run our plugin when the user is logging in. After we verify the token we return a shell to the user.
You can easily add SSH Two-Factor Authentication to all of your machines in an instant. It works great with chef or puppet.
Certificates can be stolen remotely from your machine, but stealing your physical phone is harder. Two-Factor brings a whole new layer of security to your SSH access.
Authy is simple all the way, from the installation to the mobile apps. We take care of all the little details so you can just relax.
After setting up your Raspberry Pi, you may not need to display it. When it’s time for maintenance tasks, like upgrades and reboots, you can use Secure Shell (SSH) instead of connecting a monitor. We’ll show you how.
What is SSH?
SSH, often written all in lowercase, stands for Secure Shell. It allows you to connect remotely to a server or system from another device using encrypted connections.
The primary benefit of SSH is the encryption itself. With less secure remote login protocols, like FTP, everything is sent in plain text. A hacker can discover those connections and log things like usernames and passwords. Since SSH is encrypted, this is no longer possible.
Before turning on SSH, consider your security
Turning on SSH is easy, but let’s not get ahead of ourselves. First, you’ll want to make sure that your Raspberry Pi is secure. This starts with the password for your user account.
When you first set up your Raspberry Pi, you should have been prompted to change your user account password. If you haven’t, you need to do it now. Open the terminal, then enter the passwd command.
You will be asked to enter your current password, then choose a new one.
Find out the IP address or hostname of your Raspberry Pi
You will also need to know the hostname or IP address of your Pi. From the terminal, type:
This will provide the IP addresses for your Raspberry Pi. There may be several listed if you are connected via both Wi-Fi and Ethernet. Most of the time, the address you want will start with 192.168. Make a note of the address or hostname for later.
With that done, we can turn on SSH.
Option 1: Enable SSH through the desktop
One way to turn on SSH is through the Raspberry Pi graphical configuration application. Simply click on the Raspberry icon in the upper left corner of the screen, then click on “Preferences.” Click “Raspberry Pi Configuration.”
In this application, click on the “Interfaces” tab and search for “SSH”. Click the Enable radio button, then click OK to close the application.
Option 2: Enable SSH from Terminal
Another way to enable SSH is from the terminal itself, command line style. Type this command to enter the text-based configuration tool for your Raspberry Pi:
Use the arrow keys on your keyboard to select “Interfacing Options,” then press the Enter key.
Select “P2 SSH” and press Enter.
When asked, “Do you want to enable an SSH server,” choose Yes. Press Enter again on the confirmation box, “SSH server is enabled,” then scroll down and select Finish.
Disable SSH Root login
Once you enable SSH, there is another task that is optional but highly recommended. Leaving your root user able to SSH into your Raspberry Pi is a security risk, so we recommend disabling root login through SSH. Remember that you can always issue administrative commands from your normal user using sudo.
In the Terminal window, enter this command:
Now, look for this line:
Note: The line in the configuration file may also read #PermitRootLogin yes.
Edit the line to read as follows:
Save and close the file by pressing Ctrl + X, then Y. Now, you should restart your SSH server with this command:
There are other steps you can take to further secure your SSH server, so be sure to consider how vulnerable your Raspberry Pi is.
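One way to confirm the PermitRootLogin edit took effect, as an added Python example that is not part of the original tutorial. It also watches ChallengeResponseAuthentication, which the two-factor setup needs set to yes. The sample config text is constructed, and files pulled in with Include are not followed (an assumption of this sketch).

```python
import re

# Values the steps on this page aim for; sshd matches keywords case-insensitively.
EXPECTED = {"permitrootlogin": "no", "challengeresponseauthentication": "yes"}

def parse_sshd_config(text):
    """Return (global_settings, match_blocks) for sshd_config text.

    global_settings maps keyword -> value and keeps the FIRST occurrence,
    because sshd uses the first value it obtains for each keyword.
    match_blocks is a list of (condition, settings), one per Match block.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out keyword such as "#PermitRootLogin yes" sets nothing
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            current = {}  # following lines apply only when this condition matches
            match_blocks.append((value, current))
            continue
        current.setdefault(keyword, value)  # later duplicates are ignored
    return global_settings, match_blocks

def audit(text):
    """List every watched keyword whose configured value differs from EXPECTED."""
    findings = []
    global_settings, match_blocks = parse_sshd_config(text)
    for keyword, wanted in EXPECTED.items():
        actual = global_settings.get(keyword)
        if actual is None:
            findings.append(f"{keyword}: not set, sshd's built-in default applies "
                            "(check with sshd -T)")
        elif actual.lower() != wanted:
            findings.append(f"{keyword}: is '{actual}', expected '{wanted}'")
    for condition, settings in match_blocks:
        for keyword, wanted in EXPECTED.items():
            actual = settings.get(keyword)
            if actual is not None and actual.lower() != wanted:
                findings.append(f"Match {condition}: {keyword} is '{actual}', "
                                f"expected '{wanted}'")
    return findings

# Constructed samples: the file before editing, after editing, and with an override.
BEFORE = "#PermitRootLogin yes\nChallengeResponseAuthentication no\n"
AFTER = ("PermitRootLogin no\n"
         "ChallengeResponseAuthentication yes\n"
         "# a later duplicate does not override the first value\n"
         "PermitRootLogin yes\n")
WITH_MATCH = AFTER + "Match Address 192.168.0.0/24\n    PermitRootLogin yes\n"

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER), ("match", WITH_MATCH)):
        print(name, audit(sample) or "OK")
```

On the Pi itself, pass the contents of /etc/ssh/sshd_config to audit(); the BEFORE sample shows that editing the value while leaving the leading # in place changes nothing.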
Log in to your Raspberry Pi from another computer
Once these steps are complete, you’ll be ready to log into your Raspberry Pi from any computer on your local network. Using the IP address or hostname you noted earlier, you can ssh into your Pi. This is done using this command from your other computer:
If your Raspberry Pi address is 192.168.0.200, for example, it would look like this:
The first time you ssh into your Pi, you will be asked to accept the encryption key. Just press Y, and a connection will be made and you will be asked to enter your password. After doing that, you will be logged into your Raspberry Pi and can do any tasks you need.
In addition to issuing commands, you can also use SSH for other purposes, such as tunneling your traffic, transferring files, loading remote file systems, and more. If you’re concerned about the security of your Pi, consider setting up two-factor authentication.
on 17 June 2021
What is 2-factor authentication (2FA)?
Two factor authentication (2FA) increases your account security further than just using a username and password. In addition to a password (the first factor), you need another factor to access your account. A great example to demonstrate this is when you withdraw money from an ATM. To access your bank account you need both your physical bank card and to know your PIN number. These are the two factors you need to withdraw money = 2 factor authentication!
Common ways to provide this extra level of security are a specific application on your phone or computer, a physical security key/USB (Yubikey, for example), or a smart card. By using more than one of these factors, you can greatly increase the security of your account or system.
2-factor authentication and Ubuntu One SSO
Ubuntu One Single Sign-On (SSO) has supported 2FA since 2014. The ubiquitous OATH (Initiative for Open Authentication) protocol is supported, using open standards to promote stronger security and authentication. Using open standards means that a wide range of devices and applications can be used as a second factor. This includes phone and desktop applications like 1Password, Authy, Authenticator and countless more. This also includes hardware devices from Yubikey, Feitian and others, and even some terminal applications such as oathtool. Thanks to OATH’s simplicity, even a list of numeric codes can be used as a valid device. These codes could, for example, be printed on a sheet of paper and stored securely for use in an emergency or as a backup device.
The basics of the workflow, mechanics and code in Ubuntu One SSO are solid, proven, and used by hundreds of people every day. Despite the above, 2FA in Ubuntu One SSO has remained in closed beta for more than 7 years. The one thing that was lacking was a comprehensive code recovery experience to prevent lockouts.
Why code recovery?
A downside of 2-factor authentication is that, should the code-generating device(s) be lost, misplaced, broken or misconfigured, the user will be unable to enter a 2-factor code and thus will be denied access to their account.
As 2FA entered beta testing, it was primarily used by Canonical employees. In this situation, the company has verified mechanisms for identity validation and device reset. However, as the pool of testers expanded to include security-minded community members and external users, we realized it wasn’t as easy to provide an analogous recovery mechanism. Since we don’t have any verifiable information identifying the user or linking them to their account, there was no way to establish ownership of that account. Despite an email address being a reasonable method of linking a user to their account, 2FA operates under the assumption that an email address could be compromised. As a result, in practice, users who get locked out of 2FA effectively lose their accounts.
What are we doing about this?
After many years in beta, we have created a comprehensive code recovery experience. Following this, we are happy to announce that we will be implementing 2FA for all Ubuntu One accounts. This change is coming in the next few weeks, so keep your eyes peeled for instructions on how to enable 2FA for your account. With a reliable backup mode of authentication, lockouts should be a thing of the past.
From what I’ve read, it is possible to set up 2-factor authentication on the RPi, but this is a rather tedious thing to install if access from random computers is infrequent (i.e. I mainly access the RPi from my own personal machines, but occasionally from other computers where I have no idea what’s running).
My question: Is it possible to set it up, so that I can add my netbook as a “trusted” computer? In case it matters, I’m running the latest version of Raspbian.
2 Answers
It’s not like you log in to your Raspberry from random computers in inet cafes and libraries?
Then, from my point of view, you should generate an RSA keypair on your computer:
copy the public part to your raspi
disable password authentication by
and forget about this authentication issue, because I’ve never heard of anyone having their computer hacked over SSH with only RSA keypair auth enabled.
Problem solved: There are 2 options (I went for option 2):
1. Run 2 SSH daemons, each configured to listen on a different port and then by editing /etc/ssh/sshd_config appropriately, you can configure which authentication methods you can use.
2. Update Raspbian Wheezy SSH server with that of Jessie (which supports the “localport” attribute), by adding it to the apt-repository (don’t forget to do apt-get update before trying to install the new SSH server). Then edit your sshd_config file by including the match directive:
Just make sure that the sshd is listening on both ports XX and YY.
HomeDrive runs on 64-bit Raspberry Pi. You can self-install it on your existing 64-bit Raspberry Pi for free. It works on both Raspberry Pi 3 and 4, but we suggest using a Raspberry Pi 4 for more acceptable Nextcloud performance.
Raspberry Pi 2 or earlier is not supported, as they are 32-bit only.
- A Raspberry Pi 3 or 4 with power cable
- A computer that can flash a micro SD card.
- A micro SD card that is at least 16GB.
- A wired Ethernet network that provides Internet connectivity. This is normally your home network router.
- A monitor with HDMI and a keyboard, or alternatively serial console connector via Raspberry Pi’s GPIO pins.
- Create an endpoint on HomeDrive website. This endpoint account will be used for fetching future HomeDrive software updates, and also for establishing the end-to-end encrypted proxy tunnel so that you can visit your HomeDrive from the Internet. The endpoint account name is a sub domain label.
- Download the image here and flash it to the SD card. You can use a tool like Balena Etcher.
- Plug the SD card into the Raspberry Pi board.
- Plug in the monitor and the keyboard (or connect the serial console).
- Connect the board to the Internet via an Ethernet cable.
- Connect the board to its power and boot it up.
- Wait until you see the burmilla$ prompt on the console.
- Run sudo /opt/homedrv/install .
- When prompted for the endpoint’s name, enter the endpoint name that you created.
- It will then ask you for the one-time installation code. You can find the code on the endpoint’s page. If the code has expired or is about to expire, you can click the button on the endpoint’s page to recreate a new one.
- After filling in the endpoint’s name and the one-time installation code, it will start the installation. Depending on the performance of the board, the SD card and the network, it might take 10 to 40 minutes to complete the full installation.
You can track the installation progress with this command: docker logs --follow core.homedrv (and press Ctrl-C to stop following at any time).
After HomeDrive is successfully installed, you can visit it at domain your-endpoint.homedrv.com (or your-endpoint.homedrv.eu for ones in the Europe region). The installation generates a password with random characters, and you can find the password on the endpoint’s page. The username is admin .
After installation, please change your Nextcloud password and set up some form of 2-factor authentication. Since your Nextcloud is exposed to the Internet, setting up 2-factor authentication is very important to keep your service and data secure.
The keyboard and the monitor will no longer be needed after the installation.
If you need help, feel free to chat with us using the chat button in the bottom right corner, or send us an email at [email protected] .
If you still find these steps too complicated to follow, you can buy a preinstalled HomeDrive device.
Low cost VPN solution with Two-Factor Authentication on a Raspberry Pi
If you feel the need to protect your Internet connection, for example because you are in a hotel or a library that offers unsecured wireless access to the Internet, or simply because you want to add a layer of encryption to your mobile Internet connection, it is time to think about a VPN solution.
Today for a few dollars per month you can have a VPN server up and running in less than an hour. For instance, Digital Ocean helps you set up your own VPN service for $5 per month (more info). This is $60 a year, not bad if you don’t want to worry about maintenance.
Another solution is to use your own home Internet connection. Routers usually include a friendly way to create a VPN service with a username and password. ASUS routers offer the option of activating an OpenVPN server, and the configuration is very friendly and straightforward. The investment will be the money you are currently paying for your Internet connection plus some extra time to keep the service up and running.
This solution is good enough for me, but to ensure an extra layer of security, the ideal solution for me includes Two-Factor authentication.
In order to provide this solution we would need a server in our internal network, the best thing here is to use a Raspberry Pi. Here’s what I did:
Requirements to complete this guide:
- A Raspberry Pi with Internet access and Docker installed.
- Access to the router configuration of your Internet service provider.
- Google Authenticator (iOS and Android) installed on your mobile in order to generate OTP tokens.
This guide is based on the docker-openvpn project, thanks to Kyle Manna for his contribution. I just built a Docker image for the armhf architecture; you can see the content of my Dockerfile here
If you don’t have Docker installed on your Raspberry, you can read the article Docker & Raspberry Pi, perfect combo, where I describe how to install it.
In your home Internet router you will have to forward UDP port 1194 to port 1194 on your Raspberry.
This is how it looks in my router configuration
To make the installation easier, you should create two environment variables: OVPN_DATA is the name of the Docker volume where the OpenVPN configuration and certificate files are stored, and CLIENTNAME is the username of your first client.
We will need a Docker volume to store the server and client certificates and configuration files. Always keep this volume safe.
This step will create initial configuration files for your OpenVPN server.
Before running this step, it would be great if you could set up a service like https://www.noip.com/. It will allow you to access your internal network using a domain. ASUS routers give the opportunity to create a free domain for this purpose.
Assuming the domain to access your internal network is coyote.bipbip.com , the command to initialize OpenVPN configuration will be:
OpenVPN server certificate
Create a certificate authority (CA) certificate.
If you run this command on the Raspberry, generating the key will take some time, so be patient.
During this step you will be asked for a password to protect the generated CA certificate private key. Remember this password, because the CA certificate is used every time you create a new client certificate.
Start OpenVPN server with previous setup
Create a client
Create a client certificate you will use to connect from the Internet. During this process the container will prompt for the CA certificate password from previous step.
Enable this security layer for this username.
This command will generate a URL to the Google OTP service. Open this URL in a browser and you will get an image with a QR code.
Now you need to scan this QR Code with Google Authenticator app in order to finish the one time password generator configuration.
Generate ovpn file
It is time to generate an ovpn file with information about the VPN.
Send the ovpn file generated previously to your mobile and load a new VPN account with this file. The username will be the $CLIENTNAME value used during VPN setup, and the password will be one of the tokens generated by the Google Authenticator app. On Android I use OpenVPN Connect as my VPN client.
Before testing the connection, check the IP address you are currently assigned while using only your mobile Internet connection. Use a service such as https://www.whatismyip.com/my-ip-information/.
Now try to connect to the VPN. If everything has been set up correctly, your IP address will have changed and you are now connected through your home Internet provider.
I hope you have succeeded. Ask me any questions in the comments down below.
Enabling two-factor authentication is a great way to add an additional level of protection to your Microsoft account. Even if your password is stolen, your account is still protected because two-factor authentication requires an additional level of verification to log in. Microsoft calls their version of two-factor authentication “two-step verification” and it works by providing you with a random code that must be entered in addition to your password when you log in. Microsoft offers three ways to generate the verification code. It can be sent via e-mail, SMS message or using a token generator app on your mobile phone.
The first step to enable two-factor authentication on your Microsoft account is to sign in to your account settings by going to the following address https://account.live.com/proofs/manage. After you log in, you will be asked to verify your identity using a text message or a phone call.
Once you reach the “Protect Your Account” screen, click Set up two-step verification.
Now you will be able to select what you want to use for your second level of verification. Select an app, phone number or alternate e-mail from the drop down list. Then follow the on-screen steps for the selected verification type.
When completed, a special recovery code will be displayed. Save this code in a safe place. I suggest printing it so you have an “offline” copy and can get back into your account in a worst case scenario.
Some Microsoft applications and services do not support two-factor authentication so Microsoft created a nifty work-around called App Passwords that offer a high degree of protection by generating a special password just for a specific application or service. Learn more about how to setup App Passwords here.
In order for our Python code to work, we’ll want to make sure a few libraries are installed.
First, from either the keyboard/monitor or SSH console type in:
You’ll be asked if you want to continue. Type “Y” for yes, and hit enter.
This part will probably take a little while.
Then you can install the IMAPClient Python library, which lets Python talk to most e-mail services:
The current version of the script should actually work with any e-mail provider that provides IMAP access. A few useful links:
If you have two-factor authentication enabled on your GMail account, you’ll need to generate an application-specific password to use IMAP. I followed Google’s detailed instructions and was up and running in no time.
Not sure if you have two-factor auth enabled? That probably means you don’t, so don’t worry about it for now.
This guide was first published on Jul 29, 2012. It was last updated on Jul 29, 2012.
This page (Prepare Python) was last updated on Jan 22, 2022.
In this post I will show how simple it is to enable 2-Factor authentication using a Raspberry Pi, and your smartphone, but this can also be done for other Linux devices and servers too.
You can contribute issues/fixes to this post on Github: here
With people’s information being leaked left, right and centre, it’s increasingly critical that we rely on more than just our passwords for access to important devices. If we do not, a leaked password could end up with our servers and devices, such as Raspberry Pis, being hijacked to participate in a botnet or some other nefarious deed, or information on those devices being stolen.
First Steps for Raspberry Pi users
Before beginning the setup of 2-Factor auth on your Raspberry Pi, there are some good-practice steps you should carry out first.
If you’re not running a Raspberry Pi, but some other Linux machine, such as Ubuntu, Debian, Linux Mint etc, feel free to skip this step.
- Change the password for the pi user (default is raspberry) and make it really strong. You shouldn’t need to use it after adding your own user (I prefer to delete the user altogether).
- Enter the command passwd while logged in as the pi user, you’ll be prompted to enter the existing password, then the new one, twice.
- Create a new user, other than pi , with your own name, for example, I would use hamid , with a password that is strong but memorable.
- Add your user to the sudo group so you can perform admin tasks with the sudo command.
The pi user is a member of lots of other groups, your new user will start as a member of only your own name group.
Be sure to add other groups if you need access to other features, such as the gpio , i2c or spi on your Pi for your projects.
Now, in a new terminal/ssh client you should be able to ssh into your Pi as your new user, this is the user you should access the Pi with from now on.
Setting up your own 2-Factor
This post assumes a Debian-based Linux distro, and therefore the apt package manager, mainly because the Pi runs Raspbian, based on Debian. If you use another distro on your server, you can still follow this, but installing packages will use a different package manager and possibly package names. You might even use a different editor instead of nano such as vim or emacs.
You’ll need a smartphone/tablet, and the FreeOTP app by Red Hat in order to generate the one time codes you’ll use on login. This is available on Google Play and the App Store.
First, log in to your Raspberry Pi. You can do this over SSH, but make sure to keep a spare terminal open while you’re changing the SSH configuration, as an existing session will remain connected even if you break the SSH configuration. Alternatively, connect a monitor, keyboard and mouse and make changes directly on the Pi.
Be sure to test your connection using a second terminal, leaving the first one for emergencies.
First login to the Pi using your new user (if you’re using a keyboard/mouse directly attached, just login normally).
I’ll use the user user; you should substitute your own. If raspberrypi doesn’t work, you’ll need the IP address of your Pi after the @.
If configured correctly, your user should have sudo access (see above; you need to log out and in again after adding your user to a group).
First we need to install the pam-oath plugin, which allows the authentication system to support OATH, and the qrencode tool, which we will use to add the one time pass to our smartphone app.
Next, edit the sshd config to enable challenge-response authentication:
Set the following line from no to yes
Edit the sshd pam config:
Add a new line, near the top of the file, under @include common-auth
This tells PAM that we want to add an auth requirement, that it should use the pam_oath plugin, that the users can be looked up in /etc/users.oath, and that our passes will be 6 digits and valid for 30 seconds.
Now we need to generate our secret and set it in /etc/users.oath. You can use openssl to do this:
Next, let’s add it to the file:
The file should be empty if this is your first user, enter the following, pressing Tab rather than space between each block.
It should look something like this:
Make sure the permissions are set correctly on users.oath for security:
Install the “FreeOTP Authenticator” from Red Hat on your Android or iOS phone, and generate the QR code for it to scan.
First, we need to convert the secret from above, to Base32, which is required by the QR app:
The output will be a Base32 string, something like this:
Now generate a QR code to scan with your phone:
Be sure to replace user in both places with your user, and put your Base32 secret from the last step just after secret= and before &issuer.
When you run this, qrencode will print out a QR code in your terminal. Press the QR icon in the app on your phone and scan it; if successful you should see a new item added to your codes list in the app.
If it fails to scan, make sure you didn’t accidentally remove any characters above, make sure you used the Base32 secret, and try generating the QR code again.
Finally, we need to restart the ssh server, and test our login:
Open a new terminal (don’t close the old one, you might need it if anything is wrong)
You’ll be prompted for your password:
Once you type that correctly, you should be prompted for your One-time password:
Tap the entry in your mobile App and it’ll display a 6 digit pass valid for 30 seconds or less, enter that and you’ll be logged in!
If you can’t log in, double check all of the previous steps, and if you change any configuration files, be sure to restart ssh with sudo service ssh restart.
That’s it, now you have secured your Pi with 2-Factor authentication, from now on, you’ll need your phone and the FreeOTP app to login.
Final note. It is good practice to clear your shell history since the secrets we’ve used above will be in there.
You can type history to see what I mean.
Run the following to clear the entire history
This will remove all entries from your shell history on the Pi (or the machine you ran it on, if not the Pi).
Or to remove just a single entry by number:
Better practice would be to not enter secrets on the command line, but use files, or Linux pipes to direct them straight to their destination, but that is a more advanced topic for another day.