MFA for EC2 Instance

Multifactor Authentication (MFA)

Multifactor authentication (MFA) is a security system in which more than one form of authentication is implemented to verify the legitimacy of a transaction. The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a computer system or network.

By default, SSH already encrypts the communication between remote machines, but if you want to add an extra layer of security to your SSH logins, you can add the Google Authenticator module (two-factor authentication), which requires you to enter a random time-based one-time password (TOTP) verification code when connecting to the SSH server. You will have to enter the verification code from your smartphone or PC when you connect. Google Authenticator is an open-source PAM module, developed by Google, that implements one-time passcode (TOTP) verification.

Installing Google Authenticator Module

1. Log in to the server and install the following PAM libraries, along with the development libraries that are needed for the PAM module to build and work correctly with the Google Authenticator module.

On Red Hat, CentOS and Fedora systems, install the ‘pam-devel’ package.

# yum install pam-devel make gcc-c++ wget

On Ubuntu, Linux Mint and Debian systems, install the ‘libpam0g-dev’ package (the C++ compiler package is named g++ on these distributions).

# apt-get install libpam0g-dev make g++ wget

2. Download and extract the Google Authenticator module in the home directory (this assumes you are already logged in as root, in root's home directory).

Please follow the below steps.

# cd /root
# wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
# tar -xvf libpam-google-authenticator-1.0-source.tar.bz2

Follow the steps below to compile and install the Google Authenticator module on the system.

# cd libpam-google-authenticator-1.0
# make
# make install
# google-authenticator

When done, log in as the user for whom two-factor authentication is required (root by default) and run the google-authenticator application, which will create a new secret key file in that user's home directory:

# google-authenticator
https://www.google.com/chart?djf;elfjv;lkafjfekevkgfdktdfeogg
Your new secret key is: SAEDFA;DSLFE;LJF
Your verification code is 35837582
Your emergency scratch codes are:
68569583
26452453
54545455
57575757
77777775
Do you want me to update your “~/.google_authenticator” file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Then, in your browser, load the URL noted above; it will show a QR code that you can scan into your phone using the Google Authenticator application for iPhone, Android or BlackBerry. If you already have a Google Authenticator token being generated on your phone, you can add a new one and the app will display them both (distinguished by name).

3. Configuring SSH to use Google Authenticator Module

*) Open the PAM configuration file ‘/etc/pam.d/sshd’ and add the following line to the top of the file:

auth       required     pam_google_authenticator.so

*) Now open the SSH configuration file ‘/etc/ssh/sshd_config’ and scroll to find the line that says:

ChallengeResponseAuthentication no

Change it to:

ChallengeResponseAuthentication yes

*) After that, restart the SSH service so the changes take effect.

# /etc/init.d/sshd restart
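Before restarting sshd it is worth confirming that the two edits will actually take effect. sshd uses the first value it finds for a keyword and ignores later ones, so a "yes" appended below an existing "no" changes nothing, settings under a Match block do not apply globally, and PAM is only consulted when UsePAM is yes. The following added example (not code from the original post) checks the text of both files for those conditions; the two sample configurations embedded in it are constructed for the demo, and you can point it at the real files by passing their paths.

```python
"""Pre-flight check for the two edits in step 3.

Added example, not code from the original post: it reads the contents of
/etc/pam.d/sshd and /etc/ssh/sshd_config and reports whether the module is
required for SSH auth and whether sshd will really run with
ChallengeResponseAuthentication yes. The caveat it encodes: sshd uses the
FIRST value it sees for a keyword (and ignores anything under a Match block
for the global setting), so a "yes" appended below an existing "no" changes
nothing, and PAM is only consulted at all when UsePAM is yes. Both sample
files below are constructed for the demo.
"""
import re
import sys

# Constructed sample: /etc/pam.d/sshd after step 3 (first line added).
SAMPLE_PAM = """\
#%PAM-1.0
auth       required     pam_google_authenticator.so
auth       required     pam_sepermit.so
auth       substack     password-auth
account    required     pam_nologin.so
"""

# Constructed sample: an sshd_config where the tutorial's edit was appended
# below an existing "no" line instead of replacing it.
SAMPLE_SSHD_BROKEN = """\
Port 22
ChallengeResponseAuthentication no
UsePAM yes
# added while following the tutorial, but never takes effect:
ChallengeResponseAuthentication yes
"""

# Constructed sample: the same file with the original line changed in place.
SAMPLE_SSHD_OK = """\
Port 22
ChallengeResponseAuthentication yes
UsePAM yes
"""

# "Keyword value" or "Keyword=value"; sshd accepts both spellings.
_OPTION_RE = re.compile(r"^(\w+)(?:\s+|\s*=\s*)(\S.*)$")


def _active_lines(text):
    """Yield non-empty, non-comment lines with surrounding whitespace removed."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def pam_requires_google_authenticator(pam_text):
    """True if an active auth line makes pam_google_authenticator.so mandatory."""
    for line in _active_lines(pam_text):
        fields = line.split()
        if (len(fields) >= 3 and fields[0] == "auth"
                and fields[1] in ("required", "requisite")
                and fields[2].endswith("pam_google_authenticator.so")):
            return True
    return False


def effective_sshd_option(config_text, keyword):
    """Value sshd uses for keyword in the global section, or None if unset.

    Keywords are case-insensitive, the first occurrence wins, and the
    global section ends at the first Match block.
    """
    for line in _active_lines(config_text):
        m = _OPTION_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == keyword.lower():
            return value
    return None


def check_mfa_config(pam_text, sshd_text):
    """Summarise whether the step 3 edits will take effect for SSH logins."""
    cra = effective_sshd_option(sshd_text, "ChallengeResponseAuthentication")
    usepam = effective_sshd_option(sshd_text, "UsePAM")
    findings = {
        "pam_module_required": pam_requires_google_authenticator(pam_text),
        "challenge_response": cra,  # None means unset
        "use_pam": usepam,          # None means unset (upstream default is no)
    }
    findings["ready"] = (findings["pam_module_required"]
                         and (cra or "").lower() == "yes"
                         and (usepam or "").lower() == "yes")
    return findings


if __name__ == "__main__":
    # Pass the two real paths to check a live host; otherwise run on the samples.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            print(check_mfa_config(f.read(), g.read()))
    else:
        print(check_mfa_config(SAMPLE_PAM, SAMPLE_SSHD_BROKEN))  # ready: False
        print(check_mfa_config(SAMPLE_PAM, SAMPLE_SSHD_OK))      # ready: True
```

Run it as `python3 check_mfa.py /etc/pam.d/sshd /etc/ssh/sshd_config` on the instance (assumed file name) and only restart sshd once it reports ready: True; if the module line is present but the effective ChallengeResponseAuthentication is still no, sshd will never prompt for the verification code and the password alone will keep working.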

When this is done, try logging in to the system via SSH:

% ssh server
Verification code:
Password:
Last login: Tue May 10 11:54:21 2011 from client.example.com

You have to provide the verification code as presented by your phone in order to log in. Even if the password is known, the login will fail without the verification code. Also note that you will be unable to use this if you log in with SSH private/public keys, as the two are mutually exclusive (key-based logins get a passphrase prompt client-side and never provide a password to the server).

Example:

Note: I am executing this command as the cf user.

[cf@ip-0.0.0.0 ~]$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.g%3Fsecret666666666666
Your new secret key is: XU2ZPOJ7C23CS7DP
Your verification code is 46666
Your emergency scratch codes are:
52455455
98343434
59187878
56787878
79787878

Do you want me to update your “/home/cf/.google_authenticator” file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn’t hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
[cf@ip-0.0.0.0 ~]$

The next time you log in to the machine:

1. It will ask for the verification code.
2. Then it will ask for the password.

This is the complete procedure for setting up multifactor authentication (MFA) for SSH on the instance.
