Last week I came across enabling Multi Factor Authentication for EC2 instances, so there will be extra level of verification code need to provided along with password to authenticate and login into EC2 instances. When I tried to implement this the information was spread across multiple blogs and the google authenticator link was not working as the blogs were all updated in the past.
It took me 2 hours to finally put all the bits together and activate the authentication.
Below are the steps I followed to implement MFA authentication successfully.
My assumption is that you already have a EC2 instance created. If so then Login into it and switch to root.
Then install the pam-devel, make, gcc-c++ and wget packages.
Linux uses PAM (Pluggable Authentication Module) to integrate the Google Authenticator MFA. So make sure that PAM and PAM-Devel packages are installed on your system.
[ec2-user@ip-192-26-10-97 ~]$ sudo su – [root@ip-192-26-10-97 ~]# yum install pam-devel make gcc-c++ wget Loaded plugins: priorities, update-motd, upgrade-helper amzn-main/latest | 2.1 kB 00:00 amzn-updates/latest | 2.3 kB 00:00 Package 1:make-3.82-21.10.amzn1.x86_64 already installed and latest version Package wget-1.18-1.18.amzn1.x86_64 already installed and latest version Resolving Dependencies Dependency Updated: glibc.x86_64 0:2.17-157.169.amzn1 glibc-common.x86_64 0:2.17-157.169.amzn1 Complete! [root@ip-192-26-10-97 ~]#
Download the google authenticator source file using wget and install it
Download location: http://www.filewatcher.com/m/libpam-google-authenticator-1.0-source.tar.bz2.32708-0.html
[root@ip-192-26-10-97 ~]# wget ftp://ftp.netbsd.org/pub/pkgsrc/distfiles/libpam-google-authenticator-1.0-source.tar.bz2 --2017-03-01 10:15:55-- ftp://ftp.netbsd.org/pub/pkgsrc/distfiles/libpam-google-authenticator-1.0-source.tar.bz2 => ‘libpam-google-authenticator-1.0-source.tar.bz2’ Resolving ftp.netbsd.org (ftp.netbsd.org)... 22.214.171.124, 2001:470:a085:999::21 Connecting to ftp.netbsd.org (ftp.netbsd.org)|126.96.36.199|:21... connected. Logging in as anonymous ... Logged in! ==> SYST ... done. ==> PWD ... done. ==> TYPE I ... done. ==> CWD (1) /pub/pkgsrc/distfiles ... done. ==> SIZE libpam-google-authenticator-1.0-source.tar.bz2 ... 32708 ==> PASV ... done. ==> RETR libpam-google-authenticator-1.0-source.tar.bz2 ... done. Length: 32708 (32K) (unauthoritative) libpam-google-authenticator-1.0-source. 100%[============================================================================>] 31.94K 37.2KB/s in 0.9s 2017-03-01 10:16:00 (37.2 KB/s) - ‘libpam-google-authenticator-1.0-source.tar.bz2’ saved  [root@ip-172-31-24-97 ~]#
Extract the downloaded file and install it using below command
tar -xvf libpam-google-authenticator-1.0-source.tar.bz2 cd libpam-google-authenticator-1.0 make make install
If you want more information as what these commands does refer: https://robots.thoughtbot.com/the-magic-behind-configure-make-make-install
Make changes to the PAM and SSH configuration files to enable the Multi-Factor Authentication over SSH logins. Add below line to file /etc/pam.d/sshd
auth required pam_google_authenticator.so
In /etc/ssh/sshd_config, change the two parameters to yes and save it
PasswordAuthentication yes ChallengeResponseAuthentication yes
Restart the sshd service
Next relogin again into EC2 instance
Add new user to the group
[root@ip-192-26-10-97 ~]# sudo useradd -s /bin/bash -m -d /home/testuser1 -g root testuser1
Change password of the new user
[ec2-user@ip-192-26-10-97 ~]$ sudo passwd testuser1 Changing password for user testuser1. New password: Retype new password: passwd: all authentication tokens updated successfully. [ec2-user@ip-192-26-10-97 ~]$
Add user to sudoers file by using command sudo visudo
testuser1 ALL=(ALL:ALL) ALL
Restart the sshd service
So now we have the new user created, you can try to login using the user credentials and you will prompted for password only.
Next you will have to switch to the new user and enable MFA for this user by giving command as google-authenticator
[root@ip-192-26-10-97 ~]# su - testuser1 [testuser1@ip-192-26-10-97 ~]$ google-authenticator Do you want authentication tokens to be time-based (y/n) y https://www.google.com/chart?chs=200x200&chld=M|0&cht=yr&nnhl=otpauth://totp/testuser1@ip-172-31-24-97%3Fsecret%3DXGR5RZHUEE7CIOXN Your new secret key is: XGR8RXHUHFGQ7CROZN Your verification code is 533145 Your emergency scratch codes are: 14263591 47294949 18396452 85438789 16308009 Do you want me to update your "/home/testuser1/.google_authenticator" file (y/n) y Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) y If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y [testuser1@ip-192-26-10-97 ~]$
So now we have the MFA enabled for our required user.
Next download the google-authenticator app on your android or IOS mobile and give the account name as
enter the secret key which gets generated when you run the google-authenticator command. Voila!! you should now see a verification code.
Login to EC2 instance using new user credentials and it will ask for verification code.