From 421123e4db47b6f25b9bfbf84c31c6ef493d4155 Mon Sep 17 00:00:00 2001 From: Alexander Bobkov Date: Fri, 2 Jan 2026 03:07:44 -0500 Subject: [PATCH] 2FA --- freebsd/30_2FA.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/freebsd/30_2FA.md b/freebsd/30_2FA.md index 6721615..0e824f0 100644 --- a/freebsd/30_2FA.md +++ b/freebsd/30_2FA.md @@ -17,3 +17,54 @@ Each user who will use 2FA needs to configure Google Authenticator individually. ```sh google-authenticator ``` + +You will be prompted with several questions. Answer as follows: + - Do you want authentication tokens to be time-based? Enter y. + - A QR code will be displayed. Scan it using the Google Authenticator app on your phone. + - Save the provided emergency backup codes in a secure location. + - Do you want me to update your .google_authenticator file? Enter y. + - Do you want to disallow multiple uses of the same token? Enter y. + - Do you want to increase the time window? Enter n unless you experience frequent login failures due to time sync issues. + - Do you want to enable rate-limiting? Enter y to limit login attempts. + - This process generates a .google_authenticator file in the user’s home directory. + + ## 3. Configure SSH to Use Google Authenticator + +Modify the SSH PAM configuration file to enable Google Authenticator. Open the file: + +``` sh +nano /etc/pam.d/sshd +``` + +Add the following line at the top: + +``` text +auth required /usr/local/lib/pam_google_authenticator.so +``` + +Save and exit. + +Next, modify the SSH daemon configuration file: + +``` sh +nano /etc/ssh/sshd_config +``` + +Locate and modify (or add) the following lines: + +``` sh +ChallengeResponseAuthentication yes +UsePAM yes +``` + +Optionally, ensure that PasswordAuthentication is enabled to allow password+OTP authentication: + +``` sh +PasswordAuthentication yes +``` + +Save the file and restart the SSH service: + +``` sh +sudo service sshd restart +```
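Review bot: The restart at the end of section 3 (`sudo service sshd restart`) has no validation or lockout safeguard, yet the line added "at the top" of /etc/pam.d/sshd is `auth required` with no `nullok`. Any account that has not yet run `google-authenticator` will fail authentication once sshd restarts. I suggest three additions:

- Run `sshd -t` before the restart.
- Tell the reader to keep the current session open and confirm a login from a second terminal.
- Either document `nullok` for the rollout period or state explicitly that every user must enrol first.

Smaller points:

- In the prompt list, the QR code, backup codes and final ".google_authenticator file" bullets are not prompts and would read better as notes outside the list.
- `ChallengeResponseAuthentication` is a deprecated alias of `KbdInteractiveAuthentication` in current OpenSSH releases, so name the newer keyword as well.
- The two `nano` commands omit the `sudo` that the restart line uses.
- The fences are written as "``` sh" with a space, unlike the existing "```sh" fence in the context lines.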