Ever heard of 3 factor authentication? Well, it consists of the following:

-1) Keypair

-2) MFA

-3) Password

Most people are aware of keypair and password authentication, but not too many know about MFA. Enabling MFA on your instance is quite easy and can be done in three simple steps:

-Step one is to edit the /etc/pam.d/sshd file
-Step two is to edit the /etc/ssh/sshd_config file
-Step three is to install and configure google-authenticator on your instance

Please note, before proceeding with the installation, I would recommend having the Google Authenticator app installed on your mobile device first.

Let's begin:

To enable the google-authenticator application on your instance and mobile device, do the following:

-Connect to your instance via ssh.

-Edit the sshd_config file:

  sudo vim /etc/ssh/sshd_config

All we are doing here is moving the comment markers: uncomment the lines that say yes and comment out the lines that say no, as seen below:

  # EC2 uses keys for remote access
  PasswordAuthentication yes
  #PermitEmptyPasswords no
  
  # Change to no to disable s/key passwords
  ChallengeResponseAuthentication yes
  #ChallengeResponseAuthentication no

Once those lines are changed, you will need to add the following line at the bottom of the sshd_config file (shown here under the commented-out Match User example that ends the default file). All the line does is specify the authentication methods that will be required:

 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #       X11Forwarding no
 #       AllowTcpForwarding no
 #       PermitTTY no
 #       ForceCommand cvs server
 AuthenticationMethods publickey,keyboard-interactive

Save and exit the file.

-Restart the ssh daemon:

  sudo service sshd restart

The second file we will be editing is /etc/pam.d/sshd. Here we edit the auth section: add "pam_google_authenticator.so nullok" and comment out the substack line, as seen below:

  sudo vi /etc/pam.d/sshd

 #%PAM-1.0
 auth       required     pam_google_authenticator.so nullok
 auth       required     pam_sepermit.so
 #auth       substack     password-auth
 auth       include      postlogin

Save and exit.
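Both file edits above are easy to get subtly wrong (a duplicate directive left active, the module line landing after the substack). The script below is an added example, not part of the original post: it applies the same two edits to copies of the files, so you can rehearse them and check the result before touching the live instance. It needs only POSIX sh, awk and grep; the sample files written by make_samples are constructed to resemble the defaults shown in the walkthrough, and the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): rehearse the two file edits from
# the walkthrough on copies of sshd_config and /etc/pam.d/sshd, then verify the
# result. Needs only POSIX sh, awk and grep. The sample files written by
# make_samples are constructed to resemble the instance's defaults.

# set_sshd_option FILE KEY VALUE
# Rewrites the first KEY line (commented or not) as "KEY VALUE", comments out
# any later active copy of KEY, and appends the line when KEY is absent.
set_sshd_option() {
  f="$1"; key="$2"; val="$3"
  awk -v key="$key" -v val="$val" '
    {
      bare = $0; sub(/^[# \t]+/, "", bare)
      if (bare ~ ("^" key "[ \t]")) {
        if (!seen)                 { print key " " val; seen = 1 }
        else if ($0 !~ /^[ \t]*#/) { print "#" $0 }
        else                       { print }
        next
      }
      print
    }
    END { if (!seen) print key " " val }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# configure_sshd_config FILE: the sshd_config changes made in the walkthrough.
configure_sshd_config() {
  set_sshd_option "$1" PasswordAuthentication yes
  set_sshd_option "$1" ChallengeResponseAuthentication yes
  set_sshd_option "$1" AuthenticationMethods publickey,keyboard-interactive
}

# configure_pam_sshd FILE: put pam_google_authenticator ahead of the other
# auth lines (only once) and comment out the password-auth substack.
configure_pam_sshd() {
  f="$1"; have=0
  grep -q pam_google_authenticator "$f" && have=1
  awk -v seen="$have" '
    /^auth[ \t]/ && !seen {
      print "auth       required     pam_google_authenticator.so nullok"; seen = 1
    }
    /^auth[ \t]+substack[ \t]+password-auth/ { print "#" $0; next }
    { print }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# verify_mfa_config SSHD_CONFIG PAM_FILE: succeeds only when every edit is in place.
verify_mfa_config() {
  grep -Eq '^ChallengeResponseAuthentication[[:space:]]+yes' "$1" &&
  grep -Eq '^AuthenticationMethods[[:space:]]+publickey,keyboard-interactive' "$1" &&
  grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$2" &&
  ! grep -Eq '^auth[[:space:]]+substack[[:space:]]+password-auth' "$2"
}

# make_samples DIR: constructed copies of the two files as they look before
# the edits (sample content, not taken from a live instance).
make_samples() {
  mkdir -p "$1"
  cat > "$1/sshd_config" <<'EOF'
# EC2 uses keys for remote access
#PasswordAuthentication yes
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
  cat > "$1/pam_sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
EOF
}

# rehearse DIR: run both edits against the sample copies and verify them.
rehearse() {
  make_samples "$1"
  configure_sshd_config "$1/sshd_config"
  configure_pam_sshd "$1/pam_sshd"
  verify_mfa_config "$1/sshd_config" "$1/pam_sshd"
}

# The edited copies are left in place so you can diff them by hand.
work="${TMPDIR:-/tmp}/mfa-rehearsal.$$"
rehearse "$work" && echo "edits verified on sample copies in $work"
```

On the live instance, run `sudo sshd -t` after editing sshd_config and before `sudo service sshd restart`, so a typo cannot lock you out of the only way in. Also note what `nullok` does: any account that has not yet run google-authenticator (and so has no ~/.google_authenticator file) is let in without a code, so once every user is enrolled, remove `nullok` to make the second factor mandatory.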
 
-Install google-authenticator:

  sudo yum install -y google-authenticator

-Run google-authenticator as the user you log in with (ec2-user here); it prints a URL. Paste that URL into a browser.
-You will be presented with a barcode; scan it with the Google Authenticator app.
-Lastly, complete the setup by answering the prompts with the following options: y, y, n, and then y.

And that's it, you're done. Really easy to do.

-Test access to the instance using a second PuTTY session (keep your current session open in case something is wrong).
-When prompted for a verification code, enter the code shown by the app.

Your /var/log/secure log should have entries like the following:

Sep 15 05:40:44 ip-10-0-0-0 sshd[31790]: Accepted keyboard-interactive/pam for ec2-user from 54.239.6.177 port 50594 ssh2
Sep 15 05:40:44 ip-10-0-0-0 sshd[31790]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
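The "Accepted keyboard-interactive/pam" line is the evidence that the PAM step ran. The script below is an added example (not from the original post) that turns that observation into a check: it scans /var/log/secure style records and reports any login sshd accepted by some other method, which would mean the AuthenticationMethods policy is not being enforced. It assumes the OpenSSH "Accepted <method> for <user> from <ip> port <n> ssh2" message format quoted above; the sample log is constructed, with the post's two lines plus one invented publickey-only login.

```shell
#!/bin/sh
# Added example (not from the original post): scan /var/log/secure style
# records and flag logins that sshd accepted without the
# keyboard-interactive/pam step, i.e. sessions that never saw the TOTP prompt.
# Assumes the OpenSSH "Accepted <method> for <user> from <ip> port <n> ssh2"
# message format quoted in the post; the sample log below is constructed.

# accepted_logins LOGFILE: prints "method user ip" for each accepted login.
accepted_logins() {
  awk '$5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" { print $7, $9, $11 }' "$1"
}

# mfa_violations LOGFILE: prints accepted logins whose method is anything other
# than keyboard-interactive/pam; exits 1 when at least one was found.
mfa_violations() {
  accepted_logins "$1" |
    awk 'BEGIN { bad = 0 } $1 != "keyboard-interactive/pam" { print; bad = 1 } END { exit bad }'
}

# sample_log FILE: the first two lines are the ones quoted in the post; the
# third is an invented publickey-only login (192.0.2.0/24 is a documentation
# range) that the check must report.
sample_log() {
  cat > "$1" <<'EOF'
Sep 15 05:40:44 ip-10-0-0-0 sshd[31790]: Accepted keyboard-interactive/pam for ec2-user from 54.239.6.177 port 50594 ssh2
Sep 15 05:40:44 ip-10-0-0-0 sshd[31790]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Sep 15 06:02:10 ip-10-0-0-0 sshd[31902]: Accepted publickey for ec2-user from 192.0.2.10 port 51000 ssh2
EOF
}

log="${TMPDIR:-/tmp}/secure-sample.$$"
sample_log "$log"
echo "accepted logins (method user ip):"
accepted_logins "$log"
if mfa_violations "$log"; then
  echo "every accepted login went through keyboard-interactive/pam"
else
  echo "WARNING: the logins listed above were accepted without the PAM step"
fi
rm -f "$log"
```

On the instance itself, `mfa_violations /var/log/secure` (run with sudo, since the log is root-readable) gives a quick answer to "did anyone get in without the second factor?", and its non-zero exit status makes it easy to hang off cron or a monitoring check.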

One thought on “Enabling MFA on your Instance”
