Enabling Two Factor Authentication for EC2 SSH - AWS MFA Setup

Security is always a big concern. Protecting your data is crucial when there are a lot of people out there waiting for a chance to exploit it.

In enterprise infrastructure, we have various levels of security, such as:

  • Internet firewall and gateway
  • Load balancer restrictions and constraints
  • Inbound and outbound proxy servers
  • Two-factor or multi-factor authentication (RSA / Duo / Google Auth)
  • Fingerprint or iris scanners, and so on.

Besides designing your applications with no vulnerabilities and data leaks, a good enterprise has to protect its infrastructure as well, with the methods listed above.

In this post, we are going to take up one of the key elements of enterprise security: securing SSH access to the servers.

Why is SSH Security Important?

Whether it is an on-prem or a cloud server, securing and monitoring SSH is indispensable, because SSH connects you directly to the server, often with special privileges. A single mistake or a lucky guess would put your enterprise security and confidential data at risk.

What if an employee with special privileges (root) has set a simple password for SSH and some intruder has guessed it right?

Besides having strong password policies and implementing key-based authentication, most companies solve this problem by adding one more level of security, often called multi-factor or two-factor authentication.

 

What is Two-factor Authentication (or Multi-factor Authentication)?

If you work in IT infrastructure, there is a good chance you have heard the term RSA token and seen devices like this. People often wear them with their ID cards too.

These were the first two-factor authentication devices I was aware of. We can call them classic two-factor authentication devices.

The device shows a 6-digit random number that changes every 30 seconds or so. To log in to the secured networks and servers, we had to enter the PIN or code displayed on the device.

This is a hardware-based two-factor authentication device. There are a few other hardware- and software-based two-factor or multi-factor authentication products that I know of:

  1. Entrust SMS Passcode
  2. YubiKey
  3. Duo Authentication

All of these are enterprise-level, advanced two-factor authentication systems.

There are also open-source two-factor authentication systems available, although there are only a few products in this category.

Google Authenticator is a widely used software-based multi-factor authentication solution. It works the same way as an RSA token, using a time-based one-time passcode (TOTP) strategy.

Since it is freely available and comes from a trusted company, many web applications, servers and enterprises use it to provide additional security to their users.

 

By now you might have figured out that this article is going to use Google Authenticator as the multi-factor authentication provider.

With no further ado, let us get to our objective.

In this post, we are going to take the secure approach of using a single server as our gateway or jump server, from which you log in to the other servers in your infrastructure.

 

How to Set Up Two-Factor Authentication for SSH in AWS EC2 - AWS MFA Setup

  1. Install the EPEL repo
  2. Install Google Authenticator on the EC2 instance
  3. Configure EC2 SSH to use the Google Authenticator module
    1. Set up the Google Authenticator module
    2. Configure auth methods in the sshd config file
  4. Configure Google Authenticator on mobile & EC2
    1. Download and install Google Authenticator on your mobile
    2. Run Google Authenticator on EC2 and get the QR code
    3. Scan the shown QR code in your Google Authenticator app
    4. Complete the Google Authenticator setup on EC2
  5. Restart SSH services on the EC2 instance
  6. Log in to the server and validate
  7. Video guide of how to perform these steps

 

Step 1: Install the EPEL repo on the EC2 instance

Google Authenticator is part of the EPEL repo, so you should install the EPEL repo on your EC2 instance.

In my case, I am using an Amazon EC2 instance and I can download and install EPEL 7 like this:

sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

 

Step 2: Install Google Authenticator on the EC2 instance

The following command installs Google Authenticator. The package name may vary if your operating system is different, so you can perform a quick search using yum search google to find the right package name.

sudo yum install google-authenticator.x86_64 -y

 

Step 3: Configure EC2 SSH to use the Google Authenticator module

In this step, we are going to edit a few files to enable the Google Authenticator PAM module and set up MFA on this EC2 instance.

Step 3a: Update the sshd PAM configuration and add the Google Authenticator module

sudo vi /etc/pam.d/sshd

Add the following line to the bottom of the file to use Google Authenticator:

auth required pam_google_authenticator.so

If there are service accounts or users who should be able to log in without MFA, add nullok at the end of the line instead. This means that users who have not run the Google Authenticator initialization will not be asked for a second factor:

auth required pam_google_authenticator.so nullok

Comment out the password requirement, as we want to use only key-based authentication.

#auth       substack     password-auth 

Don't forget to save the file.

 

Step 3b: Update the sshd configuration

In this step, we tell sshd that there is one more level of authentication for the user to pass, along with the key-based auth.

This makes the sshd daemon prompt the user for the verification code.

Edit the file as root:

sudo vi /etc/ssh/sshd_config

 

Comment out the line that says ChallengeResponseAuthentication no and uncomment the line that says yes:

ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

Finally, we need to let the sshd daemon know that it should ask the user for both an SSH key and a verification code:

AuthenticationMethods publickey,keyboard-interactive

Save the file.
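As an added example (not from the original post), here are the Step 3a and 3b edits done with sed so they can be repeated on every instance and checked with sshd -t before anything is restarted. The file paths and the NULLOK variable are assumptions, and it relies on GNU sed:

```shell
#!/bin/sh
# Added example, not from the post: repeatable version of the Step 3a/3b edits.
# Paths and NULLOK are assumptions you can override from the environment.
set -eu

PAM_SSHD=${PAM_SSHD:-/etc/pam.d/sshd}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
NULLOK=${NULLOK:-}   # NULLOK=nullok lets accounts without ~/.google_authenticator skip the code

# set_sshd_option FILE KEY VALUE: comment out every active KEY line, then insert
# "KEY VALUE" as line 1. sshd honours the first occurrence, and line 1 can never sit
# inside a Match block, which is what breaks a naive "append to the end" edit.
set_sshd_option() {
    [ "$(grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1)" = "$2 $3" ] && return 0
    sed -i -E "s/^[[:space:]]*($2[[:space:]].*)/#\1/" "$1"
    sed -i "1i $2 $3" "$1"
}

# harden_pam FILE: sshd has already verified the key, so PAM must only ask for the code
harden_pam() {
    sed -i -E 's/^(auth[[:space:]]+substack[[:space:]]+password-auth)/#\1/' "$1"
    grep -q 'pam_google_authenticator\.so' "$1" ||
        printf 'auth required pam_google_authenticator.so%s\n' "${NULLOK:+ $NULLOK}" >> "$1"
}

# harden_sshd FILE: key first, then the keyboard-interactive (PAM) prompt
harden_sshd() {
    set_sshd_option "$1" UsePAM yes          # without it the PAM stack never runs
    # OpenSSH 8.7+ calls this KbdInteractiveAuthentication; the old name is still an alias
    set_sshd_option "$1" ChallengeResponseAuthentication yes
    set_sshd_option "$1" AuthenticationMethods publickey,keyboard-interactive
}

# Run with "apply" to edit the live files; they are backed up first and the result
# is syntax-checked so a bad config is never handed to the restart in Step 5.
if [ "${1:-}" = apply ]; then
    cp -p "$PAM_SSHD" "$PAM_SSHD.bak" && cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
    harden_pam "$PAM_SSHD"
    harden_sshd "$SSHD_CONFIG"
    sshd -t -f "$SSHD_CONFIG"
    echo "config ok; now: sudo service sshd restart"
fi
```

Keep your current SSH session open and test the new prompt from a second terminal before closing it, so a mistake cannot lock you out.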

Step 4: Configure Google Authenticator

This has two phases of configuration.

Step 4a) Install Google Authenticator on your mobile

The first task has to be done on your mobile, where you need to download the Google Authenticator app from the Play Store or App Store.

Get it from the Play Store

Get it from the App Store

Once you have downloaded it, keep it ready and come back to the server to perform the next task.

Step 4b) Run Google Authenticator on EC2 and get the QR code

Once you have Google Authenticator installed on your mobile, you are ready to perform the second phase of this configuration, which is done on the EC2 server.

Note:

This step has to be executed as the user for whom you want to set up MFA (multi-factor authentication): ec2-user, root, ubuntu, or even a personal user ID you have created on this EC2 instance.

Run the following command as the user of your choice; in my case it is ec2-user:

google-authenticator

After the first question, it shows you the QR code and the secret key.

 

Step 4c) Scan the shown QR code in your Google Authenticator app

Now take your mobile, open the Google Authenticator app and tap the plus sign in the bottom right corner.

Tap the Scan a barcode option.

Scan the barcode.

Once it has been added, come back to your terminal.

Step 4d) Complete the Google Authenticator setup on EC2

Once you are past the QR code section, you will be prompted with 4 more questions.

Here are my answers (refer to the following snippet):

[ec2-user@ip-172-31-83-181 ~]# google-authenticator

Do you want authentication tokens to be time-based (y/n) y

******* THERE WOULD BE A QR CODE DISPLAYED HERE ****
 

Your new secret key is: 2IAROUZWA6ZRSRRR89ZLYNZUC2A
Your verification code is 601376
Your emergency scratch codes are:
  85535499
  25397636
  98473698
  70322035
  60012461

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

That's it. You have successfully set up Google Authenticator on the AWS EC2 instance.
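The verification code the module checks is a standard time-based one-time password derived from the secret line of ~/.google_authenticator. The following added example (not part of the post) recomputes it with a POSIX shell and the openssl CLI, including the 3-code window the prompt above describes; secrets containing 0, 1, 8 or 9 are rejected because those are not base32 characters:

```shell
#!/bin/sh
# Added example (not from the post): RFC 6238 TOTP as pam_google_authenticator checks it:
# 30-second steps, 6 digits, HMAC-SHA1, and a window of codes around the current step.
STEP=30
DIGITS=6

# b32hex BASE32 -> hex bytes. The first line of ~/.google_authenticator is base32.
b32hex() {
    a=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567; acc=0; nbits=0; out=''
    for c in $(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '= ' | fold -w 1); do
        v=${a%%"$c"*}; v=${#v}
        [ "$v" -lt 32 ] || return 1        # 0,1,8,9 are not base32: reject the secret
        acc=$(( (acc << 5) | v )); nbits=$(( nbits + 5 ))
        if [ "$nbits" -ge 8 ]; then
            nbits=$(( nbits - 8 ))
            out="$out$(printf '%02x' $(( (acc >> nbits) & 255 )))"
            acc=$(( acc & ((1 << nbits) - 1) ))
        fi
    done
    printf '%s' "$out"
}

# totp BASE32_SECRET UNIX_TIME -> the 6-digit code valid for that 30-second step
totp() {
    key=$(b32hex "$1") || return 1
    # HMAC message = step counter as 8 big-endian bytes, emitted via octal escapes
    raw=''
    for b in $(printf '%016x' $(( $2 / STEP )) | sed 's/../& /g'); do
        raw="$raw\\$(printf '%03o' $(( 0x$b )))"
    done
    mac=$(printf "$raw" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key" | awk '{print $NF}')
    # dynamic truncation (RFC 4226 5.4): low nibble of the last byte selects 4 bytes
    off=$(( 0x$(printf '%s' "$mac" | cut -c40) * 2 + 1 ))
    bin=$(( 0x$(printf '%s' "$mac" | cut -c"$off"-$(( off + 7 ))) & 0x7fffffff ))
    printf "%0${DIGITS}d\n" $(( bin % 1000000 ))   # 1000000 = 10^DIGITS
}

# verify BASE32_SECRET CODE UNIX_TIME [WINDOW] -> 0 when CODE matches a step in the
# window: 3 = one code either side (the default), 17 = eight either side (the prompt's option)
verify() {
    half=$(( ${4:-3} / 2 )); i=$(( 0 - half ))
    while [ "$i" -le "$half" ]; do
        [ "$(totp "$1" $(( $3 + i * STEP )))" = "$2" ] && return 0
        i=$(( i + 1 ))
    done
    return 1
}
```

Anyone who can read ~/.google_authenticator can compute the same codes, which is why that file must stay readable only by its owner.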

 

Step 5: Restart SSH services on the EC2 server

Now, as the last step in our endeavour, we need to restart the sshd service as root:

sudo service sshd restart

 

Step 6: SSH to validate the AWS MFA setup

Now log in the same way you used to log in to the EC2 instance.

If everything was done correctly, you will be prompted for a verification code:

➜ ~ ssh -i ~/Downloads/mykeypair.pem ec2-user@3.95.13.122
Verification code:

 

Video Guide - VLOG

Conclusion

In this post, we have learnt how to set up AWS MFA, that is, enable multi-factor authentication for SSH on an AWS EC2 server using Google Authenticator.

Hope it helps.
