adding 2 factor authentication


Is it possible to add 2 factor authentication following normal procedures, for example google authenticator.

I have setup a pi with dietpi and i’d like to add additional security to SSH before opening it to the outside.

In that light, is it necessary for the root user to be enabled for SSH?



Interesting request thanks for this!

However I have no idea how to achieve that. Needs investigation if at least OpenSSH has native support for this or if there are top level tools that run on every login, ask for 2nd authentication and until done reliably block any access.

In that light, is it necessary for the root user to be enabled for SSH?

Nope, you can disable SSH root login:

  • On Dropbear open /etc/default/dropbear and set: DROPBEAR_EXTRA_ARGS="-w"
  • On OpenSSH open /etc/ssh/sshd_config and set: PermitRootLogin no

    However I am not convinced by the great advantage of this. If one manages to login into your other user account with sudo permissions, (s)he can do exactly the same damage to your system. So there is no real benefit to prevent root login, besides you disable sudo permissions for all other users.

So from my point of view better go with other ways to enhance SSH security:

  • Change external SSH port, only within local network forward it to port 22 of your server. This disables any random brute-force attempts from far east, which from my experience always check port 22.
  • Use fail2ban to automatically block external IPs, if they fail to login for several times.
  • Switch to key authentication and disable user/password login for SSH. Copy/paste from my own docs:
SSH key authentication:
	PuttyGen: key size 4096
	-> PublicKey + PrivateKey
	On PuTTY client: Connection/SSH/Auth <- <PrivateKey>
	On server: mkdir ~/.ssh && echo '<PublicKey>' > ~/.ssh/authorized_keys

	OpenSSH: nano /etc/ssh/sshd_config
Port 1953
PubkeyAuthentication yes
PasswordAuthentication no # after test!

	Dropbear: nano /etc/default/dropbear
DROPBEAR_EXTRA_ARGS="-s -g" # after test!
# Disable password logins: "-s"
# Disable password logins for root: "-g"
# Disable root logins: "-w"

So no one can login via SSH, besides the user(s) you added the public key to ~/.ssh/authorized_keys and only if one has your private key client side.
You can even enhance security by adding a pass phrase to the key. So one requires the key but on top a password to unlock it.

The above from my point of view adds a real security enhancement, while only disallowing root login has no impact and even not much without sudo permissions. Even without sudo permissions one can destroy your system, remove much of your data. I mean one can destroy everything that you want to be able to touch when login via SSH and that is usually enough :wink:.

On previous Linux installs I have used the Duo Security 2FA service, with their push notification option but they do have other option.

I normally used this service for SSH/FTP/VPN, but basically you can call for anything that uses PAM.

I find the the VPN and SSH the most useful, just need the code with a bit of config and the insert API credentials.