Friday, May 15, 2015

Enabling multi-factor authentication (MFA) in Amazon EC2 linux instance using TOTP codes and Google Authenticator

For jump server (bastion) boxes you will want multi-factor authentication on SSH: an SSH key plus a time-based one-time password (TOTP, RFC 6238 - https://tools.ietf.org/html/rfc6238). The server side is the google-authenticator PAM module, which is still open source; on the phone you can use the Google Authenticator app (whose source was recently closed), FreeOTP (from Red Hat), or any other TOTP app. You can follow the steps below:-

1. Install the build dependencies (only needed if you build the PAM module from source in step 2)

*************
$sudo yum install gcc autoconf automake libtool pam-devel
*************

2. Next you can decide whether to install google-authenticator from source or from the package repository (on RHEL-family systems, Amazon Linux included, the package lives in EPEL; I recommend the package)

*************
$sudo yum install -y google-authenticator
*************
NOTE - If you are installing from source, you have to follow the below steps
*************
$git clone https://github.com/google/google-authenticator.git
$cd /home/ec2-user/google-authenticator/libpam
$./bootstrap.sh
$./configure
$make
$sudo make install

NOTE - "make install" puts pam_google_authenticator.so under /usr/lib/security (the exact directory depends on the configure prefix), but PAM on 64-bit Amazon Linux loads its modules from /lib64/security, so you will need to copy the file there
*************

3. After you have successfully installed, you should find the google-authenticator shared object library in the location below (the package and the manual copy both end up in /lib64/security)

*************
$sudo find / -name pam_google_authenticator.so
/lib64/security/pam_google_authenticator.so
*************

4. You can then create the OTP key

*************
$google-authenticator

Do you want authentication tokens to be time-based (y/n) y

Your new secret key is: xyz
Your verification code is xyz
Your emergency scratch codes are:
  690-----
  285-----
  670-----
  629-----
  538-----

Do you want me to update your "/home/ec2-user/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
*************

NOTE - Enter the "Secret key" generated above into your TOTP app (or use the QR code the tool prints) to generate the time-based codes. Store the emergency scratch codes somewhere safe: each works exactly once and they are the only way in if the phone is lost. The secret and the options you chose are written to ~/.google_authenticator, which the tool creates with mode 0400; leave it that way, since anyone who can read it can generate your codes. The interactive answers above correspond to the flags -t -d -f -r 3 -R 30 -w 17 (see google-authenticator --help), which is handy when enrolling users from a script.

5. Add the below line at the top of /etc/pam.d/sshd so the TOTP check runs before anything else in the auth stack (append the nullok option to it only while rolling out, so users who have not yet created ~/.google_authenticator can still log in, and remove it once everyone is enrolled)

*************
$sudo vi /etc/pam.d/sshd
auth       required     pam_google_authenticator.so
*************

6. Comment out the password authentication line in /etc/pam.d/sshd. Without this, keyboard-interactive would also prompt for the Unix password, which is the factor we are replacing with the key

*************
$sudo vi /etc/pam.d/sshd
#auth       substack     password-auth
*************

7. Add the below SSH properties to /etc/ssh/sshd_config file

*************
$sudo vi /etc/ssh/sshd_config
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
*************
NOTE - The "AuthenticationMethods" directive (requiring several methods in sequence) exists only from OpenSSH 6.2 onwards; check with ssh -V. keyboard-interactive is answered by PAM, so the file must also contain UsePAM yes (it does in the stock Amazon Linux sshd_config). With PasswordAuthentication off, the comma-separated list means a client must first present an accepted public key and then the TOTP code; neither factor alone gets in.

8. Check the configuration with sudo sshd -t, keep your current SSH session open until you have verified a fresh login works (a mistake here locks you out of the box), then restart the SSH daemon

*************
$sudo service sshd restart

or 

$sudo systemctl restart sshd.service
*************

Now you should be asked for a verification code upon login. "Authenticated with partial success" means the key was accepted and sshd has moved on to the second method:-

************
$ssh -i testmfa.pem ec2-user@54.x.y.z
Authenticated with partial success.
Verification code:
Last login: Sat May 16 05:45:25 2015 from ....
************
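The edits in steps 5 to 7 are easy to get subtly wrong by hand (a second PasswordAuthentication line further down the file, or the same PAM line added twice on a re-run). The script below is an added example, not code from the original post or from the google-authenticator project: it applies those steps idempotently to whatever PAM and sshd_config files it is given, so it can be dry-run on copies before touching /etc. The sample files written by demo() are constructed here and are not real server configs; the script assumes a POSIX awk and an sshd_config without Match blocks.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent version of steps 5-7.
# Works on the files it is given, so run it on copies first, then on /etc.
set -eu

PAM_LINE='auth       required     pam_google_authenticator.so'

# Rewrite $1 in place via a temp file. Copying the bytes back into the existing
# file (rather than mv-ing a new one over it) keeps the owner and mode of the
# target, which matters for files under /etc.
rewrite_inplace() {              # $1 = target file, stdin = new contents
  tmp=$(mktemp) || return 1
  cat > "$tmp" && cat "$tmp" > "$1"
  rm -f "$tmp"
}

# Steps 5 and 6: make pam_google_authenticator the first auth line and comment
# out the password-auth substack so keyboard-interactive only asks for the TOTP.
# Safe to re-run: the line is added once and an already-commented substack stays so.
harden_pam() {                   # $1 = path to (a copy of) /etc/pam.d/sshd
  awk -v pam_line="$PAM_LINE" '
    /^auth[ \t]+required[ \t]+pam_google_authenticator\.so/ { have = 1 }
    { lines[++n] = $0 }
    END {
      if (!have) print pam_line
      for (i = 1; i <= n; i++) {
        l = lines[i]
        if (l ~ /^auth[ \t]+substack[ \t]+password-auth/) l = "#" l
        print l
      }
    }' "$1" | rewrite_inplace "$1"
}

# Step 7: set one sshd_config keyword to exactly one value. sshd treats keywords
# case-insensitively and the first occurrence wins, so every existing copy of the
# keyword (live or commented out) is replaced by a single live line.
set_sshd_option() {              # $1 = path to sshd_config, $2 = keyword, $3 = value
  awk -v key="$2" -v val="$3" '
    {
      stripped = $0
      sub(/^[ \t#]*/, "", stripped)
      split(stripped, words, /[ \t]+/)
    }
    tolower(words[1]) == tolower(key) {
      if (!done) { print key " " val; done = 1 }
      next
    }
    { print }
    END { if (!done) print key " " val }
  ' "$1" | rewrite_inplace "$1"
}

# The directives from step 7, plus UsePAM, without which keyboard-interactive
# never reaches the PAM module.
harden_sshd_config() {           # $1 = path to (a copy of) /etc/ssh/sshd_config
  set_sshd_option "$1" UsePAM yes
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" PermitEmptyPasswords no
  set_sshd_option "$1" ChallengeResponseAuthentication yes
  set_sshd_option "$1" AuthenticationMethods publickey,keyboard-interactive
}

# Dry run on constructed stand-ins for the stock Amazon Linux files.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '#%PAM-1.0' \
    'auth       required     pam_sepermit.so' \
    'auth       substack     password-auth' \
    'auth       include      postlogin' \
    'account    required     pam_nologin.so' > "$d/sshd"
  printf '%s\n' '#PasswordAuthentication yes' \
    'ChallengeResponseAuthentication no' \
    'UsePAM yes' \
    'Subsystem sftp /usr/libexec/openssh/sftp-server' > "$d/sshd_config"
  harden_pam "$d/sshd"
  harden_sshd_config "$d/sshd_config"
  echo "== $d/sshd";        cat "$d/sshd"
  echo "== $d/sshd_config"; cat "$d/sshd_config"
}

demo
```

To use it for real, call harden_pam /etc/pam.d/sshd and harden_sshd_config /etc/ssh/sshd_config as root, run sudo sshd -t, and only then restart sshd with a second session still open in case the new login fails.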
