Setup Another Instance of sshd Support Google's Two-Factor Authentication in Raspberry Pi

For security reason, I want to enhance the sshd running in my Raspberry Pi to make use of Two-Factor Authentication (i.e. SSH Key plus Google Authenticator), if an user logins from WAN (from public network). However, if an user logins from LAN (local network), it just needs password or SSH Key for authentication.

To archive this, I need to setup a new instance of sshd with Two-Factor Authentication. The original sshd remains unchange for LAN users. Moreover, I also need to install google-authenticator related packages.

(Note: need to use root account to do below steps)

1. install the google-authenticator

   apt-get install libpam-google-authenticator libqrencode3

2. link sshd-second to sshd. The name of executable sshd-second will be used to load the corresponding PAM config.

   ln /usr/sbin/sshd /usr/sbin/sshd-second

3. create sshd_config-second by copying from sshd_config

   cp /etc/ssh/sshd_config /etc/ssh/sshd_config-second

4. update the sshd_config-second: Change the "Port" to 9022 (you can use any available port you want); change "ChallengeResponseAuthentication" to "yes"; Set "PasswordAuthentication" to "no"; add "AuthenticationMethods publickey,keyboard-interactive:pam" and add "PidFile /var/run/sshd-second.pid". Here shows the diff between /etc/ssh/sshd_config and /etc/ssh/sshd_config-second after edited:

   # diff sshd_config sshd_config-second 
   5c5
   < Port 22
   ---
   > Port 9022
   49c49
   < ChallengeResponseAuthentication no
   ---
   > ChallengeResponseAuthentication yes
   52c52,54
   < #PasswordAuthentication yes
   ---
   > PasswordAuthentication no
   > 
   > AuthenticationMethods publickey,keyboard-interactive:pam
   89a92
   > PidFile /var/run/sshd-second.pid

5. create /etc/pam.d/sshd-second by copying from /etc/pam.d/sshd

cp /etc/pam.d/sshd /etc/pam.d/sshd-second

6. updte the /etc/pam.d/sshd-second: comment out the line "@include common-auth" and add a line "auth required pam_google_authenticator.so" after "@include common-auth". Here shows the diff between /etc/pam.d/sshd-second and /etc/pam.d/sshd after edited:

   # diff sshd sshd-second 
   4c4,5
   < @include common-auth
   ---
   > #@include common-auth
   > auth required pam_google_authenticator.so
   

   (I comment out the "common-auth" here because I don't want it prompts for password during login.)
7. create /lib/systemd/system/sshd-second.service by copying from /lib/systemd/system/sshd.service

   cp /lib/systemd/system/sshd.service /lib/systemd/system/sshd-second.service

8. edit /lib/systemd/system/sshd-second.service: Update the "Description"; update the "ExecStart" to "/usr/sbin/sshd-second -f /etc/ssh/sshd_config-second -D $SSHD_OPTS"; update the "Alias" to "sshd-second.service". Here shows the diff between sshd-second.service and sshd.service after edited:

   # diff sshd.service sshd-second.service 
   2c2
   < Description=OpenBSD Secure Shell server
   ---
   > Description=OpenBSD Secure Shell server (2nd)
   8c8
   < ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
   ---
   > ExecStart=/usr/sbin/sshd-second -f /etc/ssh/sshd_config-second -D $SSHD_OPTS
   15c15
   < Alias=sshd.service
   ---
   > Alias=sshd-second.service

9. enable and start the new sshd instance:

   systemctl enable sshd-second
   systemctl start sshd-second
   

   (To check the status of the new sshd, you can run "systemctl status sshd-second")

Up to now, the new sshd setup is done. Next, need to setup Google Authenticator for each users.

1. Login as user and run "google-authenticator". Like below:
2. On user's smart phone, open the Google Authenticator app. Then, add the account using the QRCode or input the secret key. (If the user's phone doesn't have the app, please follow this link to install).
3. To test the login, use ssh command, e.g:

   ssh localhost -o Port=9022

   Then, it prompts for "Verification code". The user can get the code from the Google Authenticator App. As long as the user input the code correctly and with correct ssh-key, he/she can login.
   

Last but not least, need to update router/firewall setting, such that it blocks the original sshd (port 22) from public network and opens for the port (9022 in my case) of the new sshd instance to be access from public network.

[the demo environment is Raspbian GNU/Linux 8 (jessie)]

Correct Way to Convert Local Time with DST to GMT/UTC in C

The earth is round (not flat). Timezone and light saving handling is rocket science. Below is a program in C to demonstrate how to convert a string of local time in 'yyyy-mm-dd HH:SS' format to GMT/UTC time. Please note that line "27" is very critical. Without setting the tm_isdst to -1, DST won't be correctly converted.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50

#include <stdio.h> #include <time.h> #include <string.h> //input should be string of local time in 'yyyy-mm-dd HH:SS' format int printgmttime(const char * input) { struct tm localtm; struct tm gmttm; time_t timestamp; int rtval; memset(&localtm, 0, sizeof(struct tm)); rtval = sscanf(input, "%4d-%2d-%2d %2d:%2d", &localtm.tm_year, &localtm.tm_mon, &localtm.tm_mday, &localtm.tm_hour, &localtm.tm_min); if (rtval < 5) { printf("unable to parse date time '%s'\n", input); return 1; } localtm.tm_year -= 1900; //tm_year = Year - 1900 localtm.tm_mon -= 1; //Month (0-11) localtm.tm_isdst= -1; //-1 means using system timezone info timestamp = timelocal(&localtm); gmtime_r(&timestamp, &gmttm); printf("GMT Date Time: %04d-%02d-%02d %02d:%02d\n", gmttm.tm_year+1900, gmttm.tm_mon +1, gmttm.tm_mday, gmttm.tm_hour, gmttm.tm_min); return 0; } int main(int argc, char** argv) { if (argc <= 1) { printf("Wrong number of argument\n"); printf("Syntax:\n"); printf("\t%s 'yyyy-mm-dd HH:SS'\n", argv[0]); return 1; } return printgmttime(argv[1]); }