Ever heard of 3-factor authentication? Well, it consists of the following:
Everyone is aware of key pair and password authentication, but not too many know about MFA. Enabling MFA on your instance is quite easy and can be done in three simple steps:

-Step one is to edit the /etc/pam.d/sshd file
-Step two is to edit the /etc/ssh/sshd_config file
-Step three is to install and configure google-authenticator on your instance

Please note: before proceeding with the installation, I would recommend having the google-authenticator app installed on your mobile device first.

Let's begin. To enable the google_authenticator application on your instance and mobile device, please do the following:

-Connect to your instance via ssh and do the following:

#Edit the sshd_config file:

-sudo vim /etc/ssh/sshd_config

All we are doing here is moving the comment markers: take them away from the "yes" lines and add them to the "no" lines, as seen below:

    # EC2 uses keys for remote access
    PasswordAuthentication yes
    #PermitEmptyPasswords no

    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication yes
    #ChallengeResponseAuthentication no

Once the comments are changed, you will need to add the following line at the bottom of the sshd_config file. All the line does is specify the authentication methods you will be using:

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #       X11Forwarding no
    #       AllowTcpForwarding no
    #       PermitTTY no
    #       ForceCommand cvs server
    AuthenticationMethods publickey,keyboard-interactive

Save and exit the file.

-Restart the ssh daemon:

    $ sudo service sshd restart

#The second file we will be editing is the pam.d/sshd file. Here we will edit the auth section, add "pam_google_authenticator.so nullok" and comment out the password-auth substack, as seen below:

-sudo vi /etc/pam.d/sshd

    #%PAM-1.0
    auth       required     pam_google_authenticator.so nullok
    auth       required     pam_sepermit.so
    #auth       substack     password-auth
    auth       include      postlogin

Save and exit.
-Install google_authenticator using the command below:

    $ sudo yum install -y google-authenticator

-Use the URL provided and paste it into a browser.
-You will be presented with a barcode; using the google-authenticator app, scan the barcode.
-Lastly, complete the installation by selecting the following options: y, y, n, and then y.

And that's it, you're done. Really easy to do.

-Test access to the instance using a duplicate PuTTY session
-When prompted for a verification code, use the code provided by the app

Your /var/log/secure logs should have the following entries:

    Sep 15 05:40:44 ip-10-0-0-0 sshd: Accepted keyboard-interactive/pam for ec2-user from 18.104.22.168 port 50594 ssh2
    Sep 15 05:40:44 ip-10-0-0-0 sshd: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
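
To confirm that both files ended up the way the steps above intend, the shell functions below audit them. This is an added example, not part of the original post, and the function names `sshd_global` and `audit_ssh_mfa` are made up here. It accounts for three things the walkthrough does not spell out: sshd uses the first occurrence of a keyword and treats anything after an active Match line as non-global, a comma in AuthenticationMethods means every listed method must succeed, and nullok lets accounts that have no secret file skip the code.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two edited files.
# Usage: audit_ssh_mfa /etc/ssh/sshd_config /etc/pam.d/sshd

# First active global value of an sshd_config keyword. sshd uses the first
# occurrence, and anything after an active "Match" line is no longer global.
# Assumes the "Keyword value" form, not "Keyword=value".
sshd_global() {  # $1=keyword  $2=sshd_config path
    awk -v k="$1" '
        $1 ~ /^#/              { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$2"
}

audit_ssh_mfa() {  # $1=sshd_config path  $2=pam.d/sshd path; returns FAIL count
    fail=0
    methods=$(sshd_global AuthenticationMethods "$1")
    ok=${methods:+yes}
    for list in $methods; do   # every alternative list must demand both factors
        case ",$list," in *,publickey,*) ;; *) ok= ;; esac
        case ",$list," in *,keyboard-interactive,*|*,keyboard-interactive:pam,*) ;; *) ok= ;; esac
    done
    if [ -n "$ok" ]; then echo "OK   AuthenticationMethods $methods"
    else echo "FAIL AuthenticationMethods '$methods' does not force key + code"; fail=$((fail + 1)); fi

    cr=$(sshd_global ChallengeResponseAuthentication "$1")
    [ -n "$cr" ] || cr=$(sshd_global KbdInteractiveAuthentication "$1")  # newer name
    if [ "$cr" = no ]; then echo "FAIL keyboard-interactive is disabled"; fail=$((fail + 1))
    else echo "OK   keyboard-interactive enabled"; fi

    # Only uncommented auth lines count.
    ga=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$2" || true)
    if [ -z "$ga" ]; then echo "FAIL no active pam_google_authenticator.so auth line"; fail=$((fail + 1))
    else
        echo "OK   pam_google_authenticator.so active"
        case "$ga" in *nullok*) echo "WARN nullok: users without a secret file skip the code" ;; esac
    fi
    if grep -Eq '^[[:space:]]*auth[[:space:]].*password-auth' "$2"; then
        echo "WARN password-auth still active: PAM will also ask for a password"
    fi
    return "$fail"
}
```

Source the file and run the function with sudo-level read access, since sshd_config is usually readable by root only.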