xmlrpc.php 403 Forbidden

The other day I encountered this error on one of my domains while working on a small project. The endpoint used to work, as I had used it for testing as recently as a month ago, so when it stopped working I became annoyed.

There are a few reasons for this to happen, and you have probably already tried them, though I will still enumerate them here:

  1. One of your plugins, in particular a security plugin, is blocking access to the endpoint (check your .htaccess file for rules that match xmlrpc.php, or temporarily disable the security plugins)
  2. The file permissions for xmlrpc.php are incorrect (they should be 644, i.e. readable by the web server)
  3. The .htaccess file has become corrupt. You can check by renaming the current file to something like .htaccess.org, then going to the dashboard of the WP instance, Settings –> Permalinks, and clicking Save Changes; this re-creates the .htaccess file with WordPress’s default rewrite rules. If xmlrpc.php works afterwards, your .htaccess file was indeed corrupt; otherwise, delete the newly created file and revert to the original.

Obviously, none of these were the issue for me. The problem turned out to be that my hosting provider was filtering requests to xmlrpc.php and returning a 403.

You can confirm this by doing the following:

curl -v https://your-domain/xmlrpc.php

If access to xmlrpc.php is being blocked by your hosting provider, the response will look like this:

*   Trying 198.54...
* TCP_NODELAY set
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
*  SSL certificate verify ok.
> GET /xmlrpc.php HTTP/1.1
> Host: <your domain>
> User-Agent: curl/7.54.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 403 Forbidden
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
<
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>
* TLSv1.2 (IN), TLS alert, Client hello (1):
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):

The giveaway is in the response headers:

< HTTP/1.0 403 Forbidden
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html

There is no Server header and no X-Powered-By header, the response is HTTP/1.0 although the request was HTTP/1.1, and the body is a generic “Request forbidden by administrative rules.” page rather than an Apache or WordPress error page. (That exact response, status line and headers included, is the stock 403 error page of the HAProxy load balancer, which shared hosts commonly put in front of their web servers.) In other words, the request never reached your WordPress stack; it was rejected by a proxy in front of it.

When the request does reach your WordPress installation, the response carries the Apache and PHP fingerprints. A healthy xmlrpc.php answers a plain GET with 405 and Allow: POST, because the endpoint only accepts POST requests (like this):

< HTTP/2 405
< content-type: text/plain;charset=UTF-8
< date: Wed, 04 Apr 2018 07:37:10 GMT
< server: Apache
< x-powered-by: PHP/7.0.26
< allow: POST

I contacted my hosting provider and indeed they were filtering on xmlrpc.php. I am not recommending that you use or not use XML-RPC; I am simply demonstrating the steps to troubleshoot the error.
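To make the distinction mechanical, here is an added example (not from the original post) that parses a saved response, or pasted curl -v output, and reports which layer answered. The first two samples are the responses quoted above; the 405 body is what WordPress sends to a GET, and the third sample is a constructed Apache-style 403 standing in for the .htaccess/plugin case.

```python
"""Tell an upstream-proxy block from a WordPress-side block by the response.

Added example, not from the original post. Parses a raw HTTP response (or
pasted `curl -v` output) and classifies it by which layer answered.
"""


def from_curl_verbose(text: str) -> str:
    """Rebuild a raw HTTP response from `curl -v` output.

    '< ' lines are response headers, a bare '<' ends them, '> ' and '* ' lines
    are curl's request echo and its own notes, and anything unprefixed after
    the headers is the body.
    """
    headers, body = [], []
    for line in text.splitlines():
        if line.startswith("< "):
            headers.append(line[2:].rstrip())
        elif line in ("<", ">") or line.startswith(("> ", "* ")):
            continue
        elif headers:
            body.append(line)
    return "\n".join(headers) + "\n\n" + "\n".join(body)


def parse_response(raw: str):
    """Split a raw response into (status_code, headers, body).

    Header names are lower-cased: HTTP/2 responses arrive that way anyway,
    and the check must not depend on case.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_xmlrpc_response(raw: str) -> str:
    """Return which layer answered the request for /xmlrpc.php."""
    status, headers, _ = parse_response(raw)
    origin_fingerprint = "server" in headers or "x-powered-by" in headers
    if status == 405 and headers.get("allow", "").upper() == "POST":
        # WordPress itself answered: xmlrpc.php refuses GET and only takes POST.
        return "wordpress-reachable"
    if status == 403 and not origin_fingerprint:
        # No Server or X-Powered-By at all: something in front of the web stack
        # rejected the request before Apache or PHP ever saw it.
        return "blocked-by-upstream-proxy"
    if status == 403:
        # Apache/PHP fingerprint present: a .htaccess rule or plugin denied it locally.
        return "blocked-by-wordpress-host"
    return "other-%d" % status


# The blocked response from the post, as curl printed it (trimmed).
CURL_EDGE_BLOCK = """\
*   Trying 198.54...
> GET /xmlrpc.php HTTP/1.1
> Host: <your domain>
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 403 Forbidden
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
<
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>
* Closing connection 0
"""

# The healthy WordPress response from the post (HTTP/2 lower-cases header names).
WP_405 = (
    "HTTP/2 405\r\n"
    "content-type: text/plain;charset=UTF-8\r\n"
    "server: Apache\r\n"
    "x-powered-by: PHP/7.0.26\r\n"
    "allow: POST\r\n"
    "\r\n"
    "XML-RPC server accepts POST requests only.\n"
)

# Constructed: a .htaccess "Deny" on xmlrpc.php; Apache answers itself.
HTACCESS_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<h1>Forbidden</h1><p>You don't have permission to access /xmlrpc.php on this server.</p>\n"
)

if __name__ == "__main__":
    for name, raw in (("edge", from_curl_verbose(CURL_EDGE_BLOCK)),
                      ("wordpress", WP_405), ("htaccess", HTACCESS_403)):
        print(name, "->", classify_xmlrpc_response(raw))
```

Paste the whole curl -v transcript into from_curl_verbose; the request echo and TLS chatter are discarded and only the response survives. The classification deliberately keys on the absence of origin headers rather than on the body text, since proxies can be configured with any error page.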

Using Let’s Encrypt SSL certs on your site

Summary

Since the early 2010s there has been a strong push towards security and encryption on the internet. To encourage encryption, Google has used HTTPS as a ranking signal since 2014, so an encrypted site gets a small boost in search results over an otherwise comparable unencrypted one.

In general, setting up an SSL certificate for your site is not that difficult, as long as you’re willing to let your hosting provider do that work for you and pay for it.

For me, at 1and1, it costs me around $70 per year for multi-subdomain SSL encryption per domain. They have a cheaper, single domain certificate for $30 per year. Now you might think, neither $70 or $30 seem that high to me. And that’s true, if you only have 1 or 2 domains. But what if you have 5 domains and you want encryption for the subdomains therein? Now you are looking at $350 per year for just encryption.

This is the reason I looked into Let’s Encrypt certificates. They are free (though I strongly recommend you donate to their efforts), and while not all hosting providers make it easy for you to use Let’s Encrypt certificates, you can pretty much use them anywhere.

Details

Important note: these instructions are for obtaining the certificate on a machine other than the web host. If you run your own server, whether a VPS, a cloud instance or a physical host, you can run certbot directly on it and should follow the official instructions instead: https://certbot.eff.org/

However, if, like me, you have a shared hosting contract and cannot install certbot on the host, and therefore need to obtain the certificates on a different machine, follow these instructions:

Steps

  • Begin by asking certbot only for the certificates, with manual validation: certonly so that certbot obtains the certificate but does not try to install it into a local web server, and --manual so that you complete the domain validation by hand. You may need to run it as sudo, as certbot writes its log to /var/log/letsencrypt and the certificates to /etc/letsencrypt.
sudo certbot certonly --manual
  • Enter the appropriate email address
  • Accept the terms of service
  • Decide whether or not to share your email address
  • Enter the domains for which you want to create a certificate. You can list as many as you want, comma-separated, but every hostname must be listed explicitly: domain1.com does not cover sub.domain1.com. For example:
domain1.com, sub.domain1.com, sub2.domain1.com, domain2.com, domain3.com, sub.domain3.com
  • Enter Yes to allow your IP address to be logged (the manual plugin requires this)
  • For each name you entered in the step above, you will need to prove control of it. For this step certbot will ask you to create a file on the web host under the .well-known/acme-challenge directory of the site’s document root, for example
/home/<your-user>/www/.well-known/acme-challenge
  • So if you entered 2 entries (domains or sub-domains) above, you will need to create 2 files under that location; certbot prompts for them one at a time. Below is an example of one prompt:
Create a file containing just this data:
xqIp_322onZb-HoSQOV2WOBxVjVbj9LBUEaEQ.F13uE1z6yJ7yryfWPyI_Wt3DrKfeCTp8UOVIfE

And make it available on your web server at this URL:
http://domain.com/.well-known/acme-challenge/xqIp_KmB32Zb-HoSQOV2MBxVjVbj9LBUEaEQ
  • In the example above you would do the following:
SSH to the host of your application or site
Navigate to /home/<your-username>/www/.well-known/acme-challenge (create the .well-known and acme-challenge directories if they do not exist yet)
echo "xqIp_322onZb-HoSQOV2WOBxVjVbj9LBUEaEQ.F13uE1z6yJ7yryfWPyI_Wt3DrKfeCTp8UOVIfE" > xqIp_KmB32Zb-HoSQOV2MBxVjVbj9LBUEaEQ
  • The file name is the last path segment of the URL certbot prints, and the file content is exactly the data it prints: the part before the dot is the challenge token and the part after it is a fingerprint of your ACME account key, so the name and the content must come from the same prompt. Before pressing Enter in certbot, check from another machine that the URL it printed returns the file over plain HTTP (port 80); a 404 there means the validation will fail.
  • Do that for all of the entries.
  • If the process is successful you should see this:
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/domain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/domain.com/privkey.pem

Your cert will expire on 2018-05-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
  • At this point the certificates have been created and are ready for use. You now need to copy them over to your host. The certificate chain is in the fullchain.pem file and the private key in the privkey.pem file. In my case, I had to copy and paste the contents of both files into my hosting provider’s SSL manager tool.
  • To view the certificate do this (note the values below are only examples):
sudo cat /etc/letsencrypt/live/domain.com/fullchain.pem
-----BEGIN CERTIFICATE-----
MIIEABAgISA9UkNCCjBf0l4QW25YR/wl18MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODAyMTIxODExNDdaFw0x
ODA1MTMxODExNDdaMBcxTBgNVBAMTDGRvY3RvcjQ2LmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKNZRZgaoQPAkqIicKNlrKCN36MIkRM3yL6U
QGjuEz8vQmvRyEykrTBRwvHDhTn5xtwiEw
HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBh
MC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
MC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
LzAXBgNVHREEEDAOggxkb2N0b3I0Ni5jb20yZXBvc2l0b3J5LzANBgkq
hkiG9w0BAQsFAAOCAQEAj1ZhOYDs+ZOJlpePRu0ozEFhlsdkscT2GN66v4cLAjdt
vdjg49nFJawHCk5ZMN9vOkIXBUYPnqs2VxJHOExEl6UjXqKTOoGmW/O0LK8RqCA+
1eGA8gBKNC3AUiK0hSDdf7wD+KmbTZqELYeEq4LrtUpn598Xz0jAGk+v9MwHRI/w
7o5ipSWq53hsiRyYqfHifiwscDkHhlmNMDOnwgLR25Cw1gDlg3o6hpqVKenyk7Jj
pGOwOj3sEIrbbfv1d8rTOjKrJAGf2JVyTlCLD/v6SGEzkzfL3o22bFKbcATQrRtA
tY9qlV1OqaSz/hjL3zTYcy+uI3VHz7czL7n6ZPuxNg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
gAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgjsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
  • Note there are two certificates in fullchain.pem. The first is your site’s certificate; the second is the Let’s Encrypt intermediate that issued it. In the hosting panel, paste the first one into the certificate field, including the “BEGIN” and “END” lines (in the output above, lines 2 – 19). If the panel also has a field for the CA bundle or intermediate certificate, paste the second one there: clients that cannot fetch the missing intermediate themselves will fail to validate the chain even though your certificate is valid.
  • The same applies to the private key under privkey.pem: copy the single block from its BEGIN line to its END line inclusive. Unlike the certificate, the key is secret; paste it only into the provider’s key field and do not leave copies lying around.

That’s it, you should now have FREE SSL encryption working on your host and you have saved enough money for a well-deserved cup of coffee. One caveat: Let’s Encrypt certificates are valid for 90 days, and because the validation was done by hand, certbot renew will not renew them on its own (manual certificates are skipped unless you supply an authentication hook), so put a reminder in your calendar to repeat the process, copy-and-paste included, before the expiry date printed above.
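The two fiddly steps above, writing the challenge file and pulling the right blocks out of fullchain.pem, are the ones that go wrong in practice. Here is an added example (not part of the original post) that does both. The key authorization is the one the post quotes; the two URLs and the PEM bodies are constructed placeholders, not real certificates. What it demonstrates is how ACME HTTP-01 actually works: the file name is the token, the file content is token.thumbprint, and certbot’s fullchain.pem is the site certificate followed by its issuer chain.

```python
"""HTTP-01 challenge files and splitting fullchain.pem.

Added example, not part of the original post. KEY_AUTHZ is the (redacted)
value the post quotes; the URLs and PEM bodies are constructed placeholders.
"""
import os
import re
import tempfile

# ACME tokens and account-key thumbprints are unpadded base64url.
_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")

# Key authorization as quoted in the post ("Create a file containing just this data").
KEY_AUTHZ = "xqIp_322onZb-HoSQOV2WOBxVjVbj9LBUEaEQ.F13uE1z6yJ7yryfWPyI_Wt3DrKfeCTp8UOVIfE"
# Constructed: a URL whose last segment is that token ...
GOOD_URL = "http://domain.com/.well-known/acme-challenge/xqIp_322onZb-HoSQOV2WOBxVjVbj9LBUEaEQ"
# ... and the URL the post shows, whose last segment does not match the data
# (this is what a retyped token looks like).
BAD_URL = "http://domain.com/.well-known/acme-challenge/xqIp_KmB32Zb-HoSQOV2MBxVjVbj9LBUEaEQ"
# Constructed placeholder bundle: two blocks, leaf first, then the intermediate.
FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nTEVBRi1DRVJUSUZJQ0FURS1QTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRFLVBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n"
)


def split_key_authorization(key_authz):
    """Return (token, thumbprint) from 'token.thumbprint'; reject anything else."""
    token, sep, thumbprint = key_authz.strip().partition(".")
    if not sep or not _B64URL.match(token) or not _B64URL.match(thumbprint):
        raise ValueError("not an ACME key authorization")
    return token, thumbprint


def write_challenge(webroot, key_authz):
    """Create <webroot>/.well-known/acme-challenge/<token> holding key_authz.

    Deriving the name from the content means the two cannot drift apart the
    way a hand-typed file name can. Returns the path written."""
    token, _ = split_key_authorization(key_authz)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii", newline="") as fh:
        fh.write(key_authz.strip())  # exact content; a trailing newline is tolerated but unnecessary
    return path


def check_challenge(webroot, url, key_authz):
    """Do what the CA will do: the file named by the URL's last path segment
    must exist and hold the key authorization (trailing whitespace ignored)."""
    token_in_url = url.rstrip("/").rsplit("/", 1)[-1]
    if token_in_url != split_key_authorization(key_authz)[0]:
        return False  # the prompt's URL and the data disagree: wrong file name
    path = os.path.join(webroot, ".well-known", "acme-challenge", token_in_url)
    try:
        with open(path, encoding="ascii") as fh:
            return fh.read().rstrip() == key_authz.strip()
    except OSError:
        return False


def split_pem_bundle(pem_text):
    """Return the certificate blocks of fullchain.pem, BEGIN/END lines included.
    Block 0 is the site (leaf) certificate; the rest is the issuer chain a
    hosting panel usually wants in its separate 'CA bundle' field."""
    return re.findall(r"-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----",
                      pem_text, re.S)


def demo(webroot=None):
    """Write the sample challenge into a scratch webroot and run the checks."""
    root = webroot or tempfile.mkdtemp(prefix="acme-demo-")
    path = write_challenge(root, KEY_AUTHZ)
    return {
        "file_name": os.path.basename(path),
        "matching_url_ok": check_challenge(root, GOOD_URL, KEY_AUTHZ),
        "retyped_url_ok": check_challenge(root, BAD_URL, KEY_AUTHZ),
        "leaf": split_pem_bundle(FULLCHAIN)[0],
        "chain_blocks": len(split_pem_bundle(FULLCHAIN)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value if key != "leaf" else value.splitlines()[1])
```

Run write_challenge on the web host with the data certbot printed, then check_challenge with the URL it printed; if the check is False, the name and the content did not come from the same prompt and the CA will reject the challenge too. split_pem_bundle gives you block 0 for the certificate field and block 1 for the intermediate field without counting lines by hand.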


SainSmart DDS-120 Oscilloscope on MacOS

Summary

I’m working on a project which requires me to use an oscilloscope. I had never had a need for such a device, so I was very surprised when I priced used oscilloscopes at around €300.

As a result, I looked at my options and was happy to find there is a plethora of devices known as USB oscilloscopes. These are hobby-level oscilloscopes, which are less expensive because they save money on the computing and display components of the device and use your computer for both.


This oscilloscope in particular is quite capable. At about $70, my SainSmart DDS-120 included the scope, two channels, two probes, a logic analyzer and an external trigger. You can find the specs of the scope here.

Anyway, given I only have Apple computers and the software for the scope runs on Windows, I thought I would share what I did to make it work.

Steps

At this point, it should be fair to assume you have access to the scope and you just need to get it working. There are two options for getting Windows to run on your Mac: dual-boot (reliable but the least convenient) or a virtual machine (less reliable, though not unreliable, and the most convenient). I chose the latter. There are a bunch of virtual machine options; I chose VirtualBox, or VBox, because it’s free and it works pretty well. With that in mind, here are the steps I followed to get the scope working on MacOS.

  1. Download and install the latest version of VirtualBox. I used version 5.2.x
    1. On MacOS 10.13, I got an error message at the end of the installation saying I needed to allow the program to run in security & privacy preferences pane. After I did this, the installation said there was an error and it had not installed correctly. I simply re-installed it, and the installation completed without any issues (not even the security & privacy warning).
  2. Download and install the latest VirtualBox Oracle VM VirtualBox Extension Pack. This will be in the VirtualBox download page and cannot be installed until AFTER you have installed VirtualBox. To install just double-click on the file and it will automatically pickup VirtualBox and install itself there.
  3. Once installed, you need to create a Win7 Virtual Machine (VM). To do this:
    1. Click on “New”
    2. Click “Create”
    3. Click “Create” again and you are done
  4. At this point you have an empty VM. You will need a Win7.iso file. These are easy enough to find on the internet. If you need one, message me directly and I can point you in the right direction. Assuming you have an ISO image, select the VM and click on Start –> Normal Start. Since you need to load the OS into the VM, you will get an error message (though instead of Windows 7 Ultimate… yours will likely say “Empty”). Click on the folder icon next to the drop-down and select your Win7.iso file. Click Start and follow the instructions.
  5. After you have finished installing Win7 you will need to setup Scope software and calibrate the probes.
    1. Enable the scope’s USB to connect through your Mac onto the VM by following these steps:
      1. Start the VM
      2. Connect the Scope to the Mac using the USB cable
        1. Your Mac should NOT pick up the scope as it’s not compatible, so don’t worry if nothing happens on your Mac (the host)
      3. Right-click on the VM and choose Settings. Under Ports –> USB, click on “Add Filter” and select the BUUDAI USBxxx device. Make sure it is selected and click OK.
      4. The VM will inform you that it’s installing the necessary drivers and it should just begin picking it up going forward.
    2. Install the software. The software I used is here: Software_V1.5.0. The zip file includes everything I needed to get it to work. Just look for DDS120.exe inside the folder and that’s it 🙂
      1. You can check installation by clicking on “Start” on the bottom right of the software screen.
    3. Now you need to calibrate the probes.
      1. To calibrate the probes, set them to 10X, connect them to the scope and use the calibration signal output between the two channels to calibrate them.
      2. Inside the Scope software do the following:
        1. Select Channel 1 and make sure it’s On and set to 10X
        2. Set the time to 1ms
        3. Set Channel 1 Voltage to 50mV
        4. Optionally, you can zoom in to get a closer look at the waves (but this is not necessary)
      3. You want the signal to be as square as possible. You can adjust it by using a small screwdriver to calibrate the wave shape. The probes are pretty good, but not perfect. So don’t worry if you cannot get the shape of the wave to be perfectly square.

That’s it you are done and ready to begin using your new USB scope.

Plex Media Server auto restart on crash (MacOS)

Summary

If you use the Plex Media Server on your home PC to serve your media content, then you know how important it is to keep that service up and running at all times. For this reason I found it frustrating when my iOS Plex Player kept crashing the server.

For some reason, the iOS Plex App would crash the server anytime I tried to play a video using automatic quality throttling. Anyway, after I figured out it was the iOS App, I began looking into ways to make sure that in the future the server would come back up, even if it had been crashed.

Steps

Setting up a process to auto-restart is simple. You just need to create a LaunchAgent and have launchd (MacOS’s agent and daemon controller) take care of the rest:

  1. Remove the check on Plex Media Server to Open at Login
    1. If your Plex Media Server is already running, go up to the menu bar and make sure to uncheck Open at Login. Otherwise, you could end up with duplicate processes.
  2. Create a file like this one (if you are using Plex Media Server.app, you can just use that file) and make sure it’s named com.plexapp.plexmediaserver.plist
    1. Lines 5 to 11 tell launchd to start the program when you log in (RunAtLoad) and to restart it (KeepAlive) if it exits or crashes.
    2. Lines 11 and 12 give a name to the LaunchAgent (the Label, which is also the name you will see in launchctl list).
    3. Lines 16 to 18 are the program and its arguments. open is a built-in MacOS command for opening files, URLs and applications; -g tells open not to bring the application to the foreground; and /Applications/Plex Media Server.app is the path to our application 🙂
  3. Place the file under the LaunchAgents folder in the user’s Library (here: ~/Library/LaunchAgents/). You should end up with this path: /Users/<your username>/Library/LaunchAgents/com.plexapp.plexmediaserver.plist
  4. Load the LaunchAgent into LaunchD like this: launchctl load ~/Library/LaunchAgents/com.plexapp.plexmediaserver.plist
    1. That tells LaunchD to look at the configuration file in the plist file you have given it and execute it
    2. You can also unload it, which means to remove the plist file from LaunchD’s queue of things to control. launchctl unload ~/Library/LaunchAgents/com.plexapp.plexmediaserver.plist

That’s it. From now on, when you log in, launchd will start Plex Media Server, and if it crashes it will automatically be restarted.
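Here is an added example (not the plist from the original post, which is not reproduced on this page) that builds the same kind of LaunchAgent with Python’s plistlib and lints it before you hand it to launchctl. One point it makes explicit: the post launches Plex through open -g. That works, but by accident: open exits as soon as it has handed the app to the system, and KeepAlive makes launchd relaunch a job whenever the process it started exits, so launchd relaunches open every ten seconds (its default ThrottleInterval) and each run re-opens Plex if it has gone away. Pointing ProgramArguments at the executable inside the bundle lets launchd track the server process itself. That executable path, the label and the lint rules are assumptions of this example, not anything the post or Plex documents.

```python
"""Build and sanity-check a launchd LaunchAgent for Plex Media Server.

Added example, not the plist from the original post. The executable path,
label and lint rules are assumptions; the launchd keys used (Label,
ProgramArguments, RunAtLoad, KeepAlive, ThrottleInterval) are the standard ones.
"""
import os
import plistlib

# Assumed: the server binary inside the app bundle. launchd watches the process
# it spawns, so give it the long-running server, not the `open` helper.
PLEX_EXECUTABLE = "/Applications/Plex Media Server.app/Contents/MacOS/Plex Media Server"
LABEL = "com.plexapp.plexmediaserver"

# The approach the post describes: wrap the app in `open -g`. Kept here so the
# linter below can show what it flags about it.
OPEN_WRAPPER_AGENT = {
    "Label": LABEL,
    "ProgramArguments": ["open", "-g", "/Applications/Plex Media Server.app"],
    "RunAtLoad": True,
    "KeepAlive": True,
}


def build_agent(executable=PLEX_EXECUTABLE, label=LABEL):
    """Return the LaunchAgent as a dict: start at login, restart on any exit."""
    return {
        "Label": label,
        "ProgramArguments": [executable],
        "RunAtLoad": True,       # start when the user logs in (an agent runs per login session)
        "KeepAlive": True,       # relaunch whenever the process exits, crash or not
        "ThrottleInterval": 10,  # launchd's default minimum gap between relaunches, made explicit
    }


def to_plist(agent):
    """Serialise to the XML plist launchctl expects."""
    return plistlib.dumps(agent, fmt=plistlib.FMT_XML)


def agent_path(label):
    """Where the file belongs for a per-user agent: ~/Library/LaunchAgents/<Label>.plist."""
    return os.path.join(os.path.expanduser("~"), "Library", "LaunchAgents", label + ".plist")


def lint_agent(plist_bytes):
    """Return the problems worth fixing before `launchctl load`; [] means sane."""
    agent = plistlib.loads(plist_bytes)
    problems = []
    for key in ("Label", "ProgramArguments"):
        if key not in agent:
            problems.append("missing required key %s" % key)
    args = agent.get("ProgramArguments") or []
    if args and args[0] in ("open", "/usr/bin/open") and agent.get("KeepAlive"):
        # open returns immediately, so KeepAlive would be supervising the wrong process.
        problems.append("KeepAlive with an `open` wrapper: launchd watches `open`, not the app")
    if not agent.get("RunAtLoad") and not agent.get("KeepAlive"):
        problems.append("job never starts by itself (neither RunAtLoad nor KeepAlive)")
    return problems


if __name__ == "__main__":
    good = to_plist(build_agent())
    print(good.decode())
    print("lint(direct executable):", lint_agent(good))
    print("lint(open -g wrapper):  ", lint_agent(to_plist(OPEN_WRAPPER_AGENT)))
    print("write to:", agent_path(LABEL))
```

Write the bytes from to_plist to agent_path(LABEL) and load it with the launchctl command from step 4 above; the tail -f on system.log from the Troubleshooting section will then show one start line at login and one per restart, rather than a relaunch every ten seconds.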

Troubleshooting

If you run into issues, you can troubleshoot by looking at the system logs and loading or unloading the plist file.

The system.log records any error messages generated by LaunchAgents (not just the one you just created). You can view the system log like this:

  • To just view what is there now: cat /var/log/system.log
  • To scroll through what is there now: cat /var/log/system.log | more (and press the spacebar to progress)
  • To view the most recent changes in real-time: tail -f /var/log/system.log
    • I find this to be the most helpful

With access to the system log, you can now test your plist by

  1. Unloading the plist
  2. Edit the plist
  3. Re-Load the plist
  4. Check the system log


MacOS installer language setting

The other day I purchased an MBP13 from eBay. It was a great deal and it came from Italy. I should probably elaborate this point as it was kind of unique. I live in Spain, but I’m originally from the US, as such, I prefer a US keyboard (the Spanish, or even the UK English keyboard layouts are different, trust me). Anyway, on eBay I found an MBP13 with a US keyboard layout, that was originally purchased in Japan, but was being sold by a person in Rome, Italy, coming to an American living in Barcelona, Spain… funny no?

Anyway, I got the laptop and it was in very good shape. However, like all used pieces of software, I needed to reset it, and the installer’s language (not the OS) was in Italian.

I looked online for changing the language of MacOS and I was always directed to the System Preferences –> Language and Region –> Set to English… change, but that is AFTER you have installed the OS.

So I gave my bad Italian a try and I ended up with a bad disk partition and a bad install.


I then figured out the setting. To change the language of the installer (or “BIOS”, as some people refer to it), do this:

  1. Shut the machine down by holding the power button until it turns off (around 5-10 seconds)
  2. Press the power button again
  3. Immediately after pressing the power button, hold down command and r (command + r) and keep holding them
  4. That will start Recovery, and it will try to connect to the internet. Wait for that to finish
  5. You’ll arrive at the installer.
  6. Regardless of the language, click on the second menu (not counting the Apple logo); the first option will be Change Language. Click it and you are set 🙂

Do you need a US phone number even while not in the US?

If you travel a lot and/or live outside of the US and require the appearance of being in the US, then Google Voice is for you.

Google Voice is a VoIP service which works very much like other VoIP services, plus you get a pretty reliable texting service too.

You can find more information on Google voice here. Below is a diagram to explain how the system works and how you can use to appear as if you are calling from a US number even while traveling.

The integration of the Google Voice App is very good in Android phones. On iPhones not so. On iPhones, your integration will be more like when you are traveling, where you need to use both apps (the Google Hangouts Dialer and the Google Voice App for individual functions).

There are a bunch of really good articles on how to use Google Voice and the Google Voice dialer out there, so I will not plagiarize them. Instead, here are some useful links.


Going more secure…

I have been trying to secure our digital life more and more these days. Most folks forget that until recently (think 2013, when Snowden revealed much of what we now know about various surveillance programs) most websites didn’t use HTTPS for anything other than purchases. Obviously, this has changed drastically and now you’d be hard-pressed to find a site which does not encrypt its communications with the user.

So for this reason I want to share our path towards evermore stringent security.

As a 21st century family, we make heavy use of Evernote. It’s a way to store and share information. And while communication between your device and Evernote’s servers is encrypted, as you know, if a bad actor got access to your device he/she would have full access to all of your data, not to mention if Evernote’s servers were hacked. We used to keep (yes, pretty dumb) very sensitive information in Evernote. From passports to usernames, to passwords, you name it… everything.

So yes, dumb, but tell me what other service provides you the ability to store sensitive information in a secure way and the ability to share? We could encrypt it using GPG and store and share on Evernote, but that can get complicated amongst the entire family (GrandMa included).

The solution was the LastPass family service. LastPass family is basically a watered-down version of their enterprise offering. The best way to view it is as a discounted premium subscription at a cost of $0.66 per user (with a maximum of 6). For me, it’s costing more like $1.00 per user per month because I only have 4 people in my family that can make use of it.

So why go with LastPass family rather than just LastPass premium? Other than the savings (I was already paying for two premium subscriptions), folder sharing.

Just like Evernote, you can create a folder/notebook that you can use to share any type of data amongst users. You can share text and files (though the files need to be enclosed as part of a note, just like on Evernote) and give access permissions to various members of the “family”.

Most people are used to LastPass on their browser, as an add-on, but they also offer an application for your computer, which makes the transition much easier.

So far, what I have moved over is anything that is sensitive. Passwords were already in LastPass since a few years back, but objects like passport photos, financial information, birth certificates, etc, have been imported into LastPass family.

Setup 2FA SSH on MacOS Sierra

For some time, I have been using 2FA for most of my sensitive logins on the Internet. From Google to FB to WordPress to Git. Any login with sensitive information is set up with 2FA (FIDO U2F).

Anyway, the one setup that had been missing (don’t ask me why I had not done it sooner) was our home MacMini. Our MacMini stays on all of the time and serves as our home computer. We use it for everything, from a Plex server to a printer server to a file server, you name it.

I like to be able to access it remotely and as such I have setup SSH on it. However, until recently, it was pretty open. I looked online for support on how to setup 2FA and below are the steps I followed to get it to work:

Basic definitions

  • Server: This is the host to which you want to connect and on which you’ll be installing 2FA
  • Client: This is any host other than the server

Instructions

  1. You need to have xcode, command line tools and homebrew installed. You should do this from the
    1. Install xcode: That you need to do from the App Store. Just open the App Store, look for xcode and install it
    2. Install command line tools:
      xcode-select --install

      That should bring up a prompt on the screen asking if you want to install the command line tools. Click Install.

    3. Install homebrew (note that this pipes a script fetched from the internet straight into an interpreter; read it first if that bothers you):
      /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
  2. Get the latest release of the Google Authenticator PAM module (google-authenticator-libpam). Download and unzip.
  3. Build and install Google Authenticator:
    ./bootstrap.sh
    ./configure
    make
    sudo make install
  4. Update sshd to use Google Authenticator
    1. Make a copy of /etc/pam.d/sshd:
      sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.org
    2. Make a copy of /etc/ssh/sshd_config:
      sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.org
    3. Update sshd to make use of the Google Authenticator shared object (pam_google_authenticator.so):
      //This will let you edit the file
      sudo vi /etc/pam.d/sshd
      //Add this line below the "auth" section 
      auth       required       /usr/local/lib/security/pam_google_authenticator.so
      //Save and exit 
      :wq!
      
      
    4. Update sshd_config:
      //Open the file for edit:
      sudo vi /etc/ssh/sshd_config
      //Look for #ChallengeResponseAuthentication yes and remove the hash
      ChallengeResponseAuthentication yes
      //Make sure UsePAM yes is set as well (it is the default on MacOS)
      //Save and exit
      :wq!
      Caveat: PAM “auth” modules only run for password and keyboard-interactive logins. If you also allow public-key authentication, a client with an authorized key will never be asked for the verification code. To require key plus code, also set AuthenticationMethods publickey,keyboard-interactive in sshd_config.
  5. Restart sshd for the changes to take effect:
    sudo launchctl unload  /System/Library/LaunchDaemons/ssh.plist
    sudo launchctl load  /System/Library/LaunchDaemons/ssh.plist
  6. Setup Google Authenticator for the desired user
    1. Assuming you have performed all of the actions above logged in as the desired user, just continue, otherwise exit and login as the desired user.
    2. Setup Google Authenticator:
      //Locate the folder where you unzipped Google Authenticator and execute google-authenticator
      google-authenticator
      
      Do you want authentication tokens to be time-based (y/n) y
      https://www.google.com/chart?some-really-long-url-you-will-need-this
      Your new secret key is: ABCDEFGHIJKLMNOP 
      Your verification code is 000000
      Your emergency scratch codes are:
        00000000
        00000000
        00000000
        00000000
        00000000
      
      Do you want me to update your "/Users/<your-username>/.google_authenticator" file (y/n) y
      
      Do you want to disallow multiple uses of the same authentication
      token? This restricts you to one login about every 30s, but it increases
      your chances to notice or even prevent man-in-the-middle attacks (y/n) y
      
      By default, tokens are good for 30 seconds and in order to compensate for
      possible time-skew between the client and the server, we allow an extra
      token before and after the current time. If you experience problems with poor
      time synchronization, you can increase the window from its default
      size of 1:30min to about 4min. Do you want to do so (y/n) y
      
      If the computer that you are logging into isn't hardened against brute-force
      login attempts, you can enable rate-limiting for the authentication module.
      By default, this limits attackers to no more than 3 login attempts every 30s.
      Do you want to enable rate-limiting (y/n) y
    3. With a browser, open the long URL. This will generate a QR code. Scan the code using your favorite authenticator app. I personally like Authy as it can sync between devices. Caveat: that URL carries your new secret in its query string (it is the otpauth:// URI being rendered), so opening it sends the secret to Google’s chart service; if you would rather not, enter the secret key printed above into the app by hand.
  7. Close all open SSH connections you may have with the server.
  8. From a client ssh into the host and voila, 2FA works 😀
    client.host:~ username$ ssh username@host.to.ssh
    Password:
    Verification code:
    Last login: Thu Dec  7 16:09:24 2017 from 192.168.2.1
    host.to.ssh:~ username$
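To make the verification-code step above concrete, here is an added example, not from the post or from the google-authenticator project, that implements the TOTP algorithm the PAM module checks (RFC 6238: HMAC-SHA1, 30-second steps, six digits, the defaults accepted during setup above) together with the two options the setup dialogue asked about: the skew window and the rejection of reused codes. The secret is the RFC 4226/6238 test-vector key in base32, not anyone’s real secret; on the server, the first line of ~/.google_authenticator is the real equivalent.

```python
"""TOTP as checked by pam_google_authenticator: generate and verify codes.

Added example, not part of the original post or of the google-authenticator
project. Implements RFC 6238 (HMAC-SHA1, 30 s steps, 6 digits) plus the two
options the setup dialogue asks about: a skew window and replay rejection.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6

# "12345678901234567890" in base32: the RFC 4226/6238 test-vector key, not a real secret.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # google-authenticator prints no padding
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32, at_time):
    """RFC 6238: HOTP with counter = floor(unix_time / 30)."""
    return hotp(secret_b32, int(at_time) // STEP_SECONDS)


class TotpVerifier:
    """Server-side check modelling the two setup options.

    `window` is how many extra steps either side of "now" are accepted
    (1 gives the tool's default three-code window; larger values correspond
    to the widened window it offers). `disallow_reuse` remembers which
    counters have already logged someone in and refuses a second use, which
    is what turns a code sniffed in transit into a one-shot credential.
    """

    def __init__(self, secret_b32, window=1, disallow_reuse=True):
        self.secret = secret_b32
        self.window = window
        self.disallow_reuse = disallow_reuse
        self.used_counters = set()

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else int(now)
        current = now // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            # Constant-time compare: the expected code is derived from the secret.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if self.disallow_reuse and counter in self.used_counters:
                    return False  # valid code, but already spent: replay
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    print("code for t=59:", totp(TEST_SECRET_B32, 59))          # 287082 (RFC 6238 vector)
    v = TotpVerifier(TEST_SECRET_B32)
    print("first use:", v.verify("287082", now=59))             # True
    print("replay:   ", v.verify("287082", now=59))             # False
    print("current code:", totp(TEST_SECRET_B32, time.time()))
```

Compare totp(secret, time.time()) on the server with what the phone shows: if they differ by exactly one step, clock skew is the problem and the wider window in the setup dialogue is the fix; if they differ at random, the secret in ~/.google_authenticator is not the one the app enrolled.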

References

The internet is nothing, if not for a bunch of really smart people that love to share their experiences and findings. I was able to get this to work thanks to these posts:


You 2.0: Getting Unstuck

At one time or another, many of us feel stuck: in the wrong job, the wrong relationship, the wrong city – the wrong life. Psychologists and self-help gurus have all kinds of advice for us when we feel rudderless. This week on Hidden Brain, we conclude our You 2.0 series with a favorite episode exploring a new idea from an unlikely source: Silicon Valley.

* Duration: 29:09, Played: 14:23

* Published: 8/29/17 03:01:18

* Episode Download Link (27 MB): https://play.podtrac.com/npr-510308/npr.mc.tritondigital.com/NPR_510308/media/anon.npr-mp3/npr/hiddenbrain/2017/08/20170828_hiddenbrain_ep56.mp3?orgId=1&d=1749&p=510308&story=546598801&t=podcast&e=546598801&ft=pod&f=510308

* Episode Feed: Hidden Brain – https://www.npr.org/rss/podcast.php?id=510308