For super-safety, require two-factor or two-step authentication when SSH'ing. The Google Authenticator app can be used for this.
For TFA to work, the system clock of your Pi should have accurate time and timezone. Type date
to check if the time and timezone are correct. If the timezone is correct but the time is not, you can force the ntp-daemon (the process that syncs the clock with the internet) to refresh:
sudo /etc/init.d/ntp restart
If date
displays the wrong timezone, fix it like this: first, get a list of available timezones:
ls -l /usr/share/zoneinfo
Backup your current timezone settings:
mv /etc/localtime /etc/localtime-old
And create a link to the new timezone of your chosing:
ln -sf /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
The easy install is this:
sudo apt-get install libpam-google-authenticator
However, this is an old version that does not support (i) SSH'ing for users who do not have TFA configured and (ii) disabling TFA when SSH'ing from LAN or specific ip. To get a more recent version, follow the following steps (from here). I haven't checked this myself (I'm using the old version), but here's a quote from the linked website:
"When using a Debian-like OS, you can install it with a one-liner:
apt-get install libpam-google-authenticator
But note the packaged version is old and does not support all documented options. Below I talk about the ‘nullok’ option, but that is not supported in the packaged version. You then see this error:
sshd(pam_google_authenticator)[884]: Unrecognized option "nullok" sshd(pam_google_authenticator)[887]: Failed to read "/home/pi/.google_authenticator"
That’s why I suggest building from source, as this can be done quickly:
apt-get remove libpam-google-authenticator apt-get install libpam0g-dev libqrencode3 cd ~ wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2 tar jvxf libpam-google-authenticator-1.0-source.tar.bz2 cd libpam-google-authenticator-1.0/ make make install
Next, set-up TFA for your account (probably 'pi').
google-authenticator
Scan the barcode, follow the steps, then edit the following file:
sudo nano /etc/ssh/sshd_config
and make sure ChallengeResponseAuthentication
is set to yes
.
Edit /etc/pam.d/sshd
too, and add this at the very top:
# to skip 2-factor on LAN, enable this and create the file (see below)
# auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so
# or, to allow users who haven't setup 2-step auth, add nullok at the end:
# auth required pam_google_authenticator.so nullok
Aaaand refresh:
sudo /etc/init.d/ssh restart
Logout, login and have fun. If it doesn't ask for a code but keeps saying 'password denied', then you didn't do that last refresh.
Disable TFA on LAN (more info)
Before this works, make sure you did the 'complicated' install described earlier (easy install through apt-get installs a version that is too old).
To skip 2-step from LAN sessions, create the file mentioned above:
sudo nano /etc/security/access-local.conf
And put this in it:
# Two-factor can be skipped on local network
+ : ALL : 192.168.1.1/24
+ : ALL : LOCAL
- : ALL : ALL