Google Two-Factor Authentication on Tomato?

Discussion in 'Tomato Firmware' started by InsaneNutter, Jul 30, 2013.

  1. InsaneNutter

    InsaneNutter Addicted to LI Member

  2. Malitiacurt

    Malitiacurt Networkin' Nut Member

Bad idea, just like Cisco's cloud-based authentication.

    You have no internet so you can't access your own router.
  3. jerrm

    jerrm Network Guru Member

    Tomato doesn't support PAM modules. Even if it did, last I checked dropbear (tomato's ssh server) only supports simple pam auth at best. In other words, I don't see this happening.

    Use keys if you're not already.
  4. jerrm

    jerrm Network Guru Member

I think it's just time-based tokens, similar to RSA SecurID; no internet connectivity required other than helping ensure clocks are in sync.
  5. lancethepants

    lancethepants Network Guru Member

    If you read the link posted, it mentions that the application does not phone home (google).
The Google two-factor authenticator is an open-source project, and can be used on any system independent of Google.

There is a phone application that I don't think even needs to have internet access.
It's an authenticator app, just like the one Blizzard has for their games, or the ones many workplaces have for secure login: little devices that go on your key ring. They certainly don't have internet access; it is not required.

    They even have a handful of codes you can use (keep in your wallet), just in case you don't have your phone on you.

I see this as totally possible for Tomato, as long as you use Optware/Entware; very possible, I think.
    I'll give it a try soon and will report back sometime.
  6. xorglub

    xorglub Addicted to LI Member

    Difficult for ssh because of lack of PAM in dropbear.
    Could be possible for web ui.
  7. RMerlin

    RMerlin Network Guru Member

    What are you running that requires more security than a simple RSA keypair? Are you hosting backups from a bank? :)
    Monk E. Boy likes this.
  8. lancethepants

    lancethepants Network Guru Member

    I have to agree, there's not much I can see that justifies this level of security in a router.

    However, I think it would be just plain awesome. FYI, I've now gotten it going on my router. :cool:
I about pulled my hair out getting it to run. Getting things to work on embedded systems is waaay more complicated than on regular Linux systems. Let me know if you have some interest in doing it. I can create a tutorial, though it would take me a while to do so.
    Monk E. Boy likes this.
  9. lancethepants

    lancethepants Network Guru Member

So, for fun and in total disregard of practicality, this is how to set up an Entware-based OpenSSH server using two-factor, time-based key authentication.

Because of the way Tomato sets up the /etc/shadow file, which doesn't seem to play nice with OpenSSH, we will be creating a new user. This new user will operate exactly as root.

You should already have Tomato's SSH server running, because we will need it to help set up the OpenSSH server.

1. Install Entware.

2. opkg install libssp

3. Go to
Download "openssh_2-factor.tgz", found under Entware Compiles.
Place it in /opt, and extract it.

4. Run the following code to set up the SSH host keys.
    /opt/bin/ssh-keygen -t rsa -f /opt/etc/ssh_host_rsa_key
    You can just hit [enter] when it asks about passwords.

Now we will set up the username and password. The following code sets up username 'user' with password 'password'.

You can change them to whatever you want. To get a new password, I would change root's password in the Tomato GUI. Look in /etc/shadow, find the text between the colons ':', starting with $1$, and use that for the script.

You will need to escape any special characters with a backslash '\' for the 'echo' script. Double check that the script inputs it correctly and matches root's hash. Otherwise your password will not work and you will pull your hair out.

    FYI, any time you change the password in the gui, it will rebuild /etc/shadow and /etc/passwd, so you will need to repopulate it.

    We also create a symlink so that openssh can find a file it needs.
    ln -s /opt/etc/pam.d /etc/pam.d
    echo "user:x:0:0:root:/opt:/bin/sh" >> /etc/passwd
    echo "user:\$1\$p7ji1sSO\$a0dvOOsF4SGd7TU8.PD101:15850:0:99999:7:::" >> /etc/shadow

    The SSHD config file has been preset to run on port 23. Change it if you want, or have a port conflict. For this setup I will show 23.


    Now we will start OpenSSH with the following code.

So far we have just password authentication set up. Now we need to log in as the new user to set up the two-factor authentication.
ssh -p 23 user@
Replace with your own router's IP address if different.

Once logged in, run

    Do you want authentication tokens to be time-based (y/n) y

Use your phone's two-factor authentication app to scan the QR image.

    Do you want me to update your "/opt/.google_authenticator" file (y/n) y

    Do you want to disallow multiple uses of the same authentication
    token? This restricts you to one login about every 30s, but it increases
    your chances to notice or even prevent man-in-the-middle attacks (y/n)
Your choice; I choose yes.

    By default, tokens are good for 30 seconds and in order to compensate for
    possible time-skew between the client and the server, we allow an extra
    token before and after the current time. If you experience problems with poor
    time synchronization, you can increase the window from its default
    size of 1:30min to about 4min. Do you want to do so (y/n)
Your choice; I choose no, to keep a tighter time window tolerance.

    If the computer that you are logging into isn't hardened against brute-force
    login attempts, you can enable rate-limiting for the authentication module.
    By default, this limits attackers to no more than 3 login attempts every 30s.
    Do you want to enable rate-limiting (y/n)
Your choice; I choose yes.

Now we need to edit the following file, and uncomment the Google Authenticator line.

Before we test it, add the following code in WAN Up, to make sure things are set up to work after reboots.

    Administration -> Scripts -> WAN Up
    ln -s /opt/etc/pam.d /etc/pam.d
    echo "user:x:0:0:root:/opt:/bin/sh" >> /etc/passwd
    echo "user:\$1\$p7ji1sSO\$a0dvOOsF4SGd7TU8.PD101:15850:0:99999:7:::" >> /etc/shadow
    Log out and re-login, and you should be asked for a password and 'Verification Code'.
    InsaneNutter and Elfew like this.
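Added example (not code from this thread or from the google-authenticator project): a small Python model of the mechanism jerrm and lancethepants describe earlier in the thread, the time-based one-time password (RFC 6238) behind the phone app, together with the three policy choices the setup script prompts for in the tutorial above (skew window, one use per token, rate limiting) and the wallet scratch codes. Both sides only need the shared secret from the QR code and a roughly synchronised clock, which is why nothing phones home. The secret is the RFC 6238 test-vector key, the timestamps and scratch codes are constructed for the demo, and the window/attempt numbers and single-use scratch handling are assumptions chosen to mirror the prompts, not the module's own source.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per token (the 30s the setup script mentions)
DIGITS = 6   # what the phone app displays

# Constructed demo inputs (assumption, not from the thread): the RFC 6238
# test-vector key "12345678901234567890" in base32, as it would sit in
# /opt/.google_authenticator, plus two emergency scratch codes.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SCRATCH = ("11111111", "22222222")


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """HOTP over the time counter (RFC 6238). The phone app and the PAM module
    both compute exactly this; the only shared state is the secret and the
    clock, so no network connectivity is involved."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server-side check modelled on the google-authenticator prompts.

    window         steps accepted either side of 'now': 1 = the default three
                   codes (1:30 min in total); 8 = about 4 min of skew each way.
    disallow_reuse each 30s counter value may authenticate only once.
    rate_limit     (attempts, seconds): at most N attempts per M seconds,
                   counted whether or not the code was right.
    scratch_codes  wallet fallback codes; each is consumed on first use.
    """

    def __init__(self, secret_b32, window=1, disallow_reuse=True,
                 rate_limit=(3, 30), scratch_codes=()):
        self.secret = secret_b32
        self.window = window
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.rate_seconds = rate_limit
        self.scratch = set(scratch_codes)
        self.used_counters = set()
        self.attempts = []   # timestamps of recent attempts

    def verify(self, code, now):
        """Return (accepted, reason) for a code presented at unix time 'now'."""
        self.attempts = [t for t in self.attempts if now - t < self.rate_seconds]
        if len(self.attempts) >= self.max_attempts:
            return False, "rate-limited"
        self.attempts.append(now)

        if code in self.scratch:                  # single-use wallet code
            self.scratch.discard(code)
            return True, "scratch code"

        for delta in range(-self.window, self.window + 1):
            t = now + delta * STEP
            if hmac.compare_digest(totp(self.secret, t), code):
                counter = t // STEP
                if self.disallow_reuse and counter in self.used_counters:
                    return False, "token already used"
                self.used_counters.add(counter)
                return True, "ok"
        return False, "bad code"


def demo():
    """Walk through the effect of each prompt at a fixed instant; returns the reasons."""
    now = 1111111111                               # constructed timestamp
    v = TotpVerifier(DEMO_SECRET, window=1, scratch_codes=DEMO_SCRATCH)
    phone_code = totp(DEMO_SECRET, now)            # what the app shows right now
    return [
        v.verify(totp(DEMO_SECRET, now - STEP), now)[1],  # previous step, inside window: ok
        v.verify(totp(DEMO_SECRET, now - STEP), now)[1],  # replay of the same token: refused
        v.verify(phone_code, now)[1],                     # current step: ok
        v.verify(phone_code, now)[1],                     # 4th attempt within 30s: rate-limited
        v.verify("11111111", now + STEP)[1],              # scratch code accepted once
        v.verify("11111111", now + STEP)[1],              # consumed, so it is just a bad code now
    ]
```

The demo shows why the prompts matter together: at any instant the default window already makes three six-digit codes valid, so the rate limit is what keeps an attacker who already has the password from simply guessing, and the reuse check is what stops a code captured in transit from being replayed within the same 30 s step.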
  10. InsaneNutter

    InsaneNutter Addicted to LI Member

I mainly thought it would be pretty cool, and additional security is never bad, even if it is overkill. I use two-factor authentication on Dropbox and my Google / Windows Live account, so why not my router? :)

And thanks for the tutorial, I'll give it a go when I'm home this weekend! Much appreciated you taking the time to write it up.
  11. InsaneNutter

    InsaneNutter Addicted to LI Member

  12. jerrm

    jerrm Network Guru Member

    Probably best with USB. Might be able to get away with jffs depending on how large the required packages are.
  13. lancethepants

    lancethepants Network Guru Member

Taking a look, I think you could do this on /jffs. All in all, this takes about 18 MB to run. My /jffs partition on my RT-N16 is 24.5 MB, but this could vary depending on your firmware; I think even Shibby's biggest will still leave enough.

    To do this, enable /jffs in the gui.
    We will need to mount /opt to /jffs.
    Run the following in the command line.
    /bin/mount --bind /jffs/ /opt/
    Also place the previous code in Tomato's init script.

    Administration -> Scripts -> Init

    Then continue by installing entware like in the tutorial.

There probably won't be enough room in /jffs to hold the tar file and then unpack it, so you will need to transfer the "openssh_2-factor.tgz" file to /tmp, which is in RAM.

    Then use the command
    tar zxvf /tmp/openssh_2-factor.tgz -C /opt
    This will tell it to extract the file located in /tmp to /opt.

    The rest should be covered above.

    You could do it either through /jffs or with the USB. If you're not doing anything anyway with /jffs, and also not doing anything with the USB, I would do it with /jffs then. It should be more dependable with /jffs, because you shouldn't have to worry about a failing USB drive, or about it getting unplugged, and then losing SSH access.
  14. lancethepants

    lancethepants Network Guru Member

One other thing I noticed: merely installing my package will also make Tomato's built-in Dropbear server SFTP-capable. If you want to add this functionality in OpenSSH, add the following.

    Location: /opt/etc/sshd_config
    Subsystem sftp /opt/libexec/sftp-server
Using SFTP (at least with FileZilla) doesn't seem to work when using two-factor authentication, since there's no way for it to ask you for the "Verification Code".

    Also, if you want to be asked for the "Verification Code" before the password when using Two-factor Authentication, move the "auth" google line to the top in the following location.
