2FA

freebsd/30_2FA.md

@@ -17,3 +17,54 @@ Each user who will use 2FA needs to configure Google Authenticator individually.
 ```sh
 google-authenticator
 ```
+
+You will be prompted with several questions. Answer as follows:
+  - Do you want authentication tokens to be time-based? Enter y.
+  - A QR code will be displayed. Scan it using the Google Authenticator app on your phone.
+  - Save the provided emergency backup codes in a secure location.
+  - Do you want me to update your .google_authenticator file? Enter y.
+  - Do you want to disallow multiple uses of the same token? Enter y.
+  - Do you want to increase the time window? Enter n unless you experience frequent login failures due to time sync issues.
+  - Do you want to enable rate-limiting? Enter y to limit login attempts.
+  - This process generates a .google_authenticator file in the user’s home directory.
+  
+  ## 3. Configure SSH to Use Google Authenticator
+
+Modify the SSH PAM configuration file to enable Google Authenticator. Open the file:
+
+``` sh
+nano /etc/pam.d/sshd
+```
+
+Add the following line at the top:
+
+``` text
+auth required /usr/local/lib/pam_google_authenticator.so
+```
+
+Save and exit.
+
+Next, modify the SSH daemon configuration file:
+
+``` sh
+nano /etc/ssh/sshd_config
+```
+
+Locate and modify (or add) the following lines:
+
+``` sh
+ChallengeResponseAuthentication yes
+UsePAM yes
+```
+
+Optionally, ensure that PasswordAuthentication is enabled to allow password+OTP authentication:
+
+``` sh
+PasswordAuthentication yes
+```
+
+Save the file and restart the SSH service:
+
+``` sh
+sudo service sshd restart
+```