Tech share | Using Google MFA for login verification on Amazon Linux 2023

Enabling Google MFA for logins on the Amazon Linux 2023 AMI

Beyond managing key files and passwords properly, can a second authentication step be required for logging in to particularly important EC2 instances? This post adds a second factor to EC2 SSH logins using Google Authenticator (TOTP codes, verified on the instance by the google-authenticator PAM module).

For the Amazon Linux 2 AMI, the following link can be followed as-is; the main thing to watch is that google-authenticator must be run as the user for whom MFA is being enabled:

Enabling Two Factor Authentication for EC2 SSH - AWS MFA Setup

This post targets the Amazon Linux 2023 AMI. That AMI brings some significant changes, and the step that differs is the editing of the sshd_config configuration.

🔘 There is currently no public RPM package of the Google Authenticator PAM module, so it has to be built from the GitHub source. First install the build tools:

# install the build tools
sudo yum install -y git rpmdevtools rpmlint autoconf automake make gcc libtool pam-devel.x86_64

# checkout the latest tag
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam
git checkout -b 1.09 tags/1.09

# run GA build script
contrib/build-rpm.sh 1

#cd rpm dir
cd contrib/_rpmbuild/RPMS/x86_64

#Finally, I saved the rpm file and destroyed the AL2023 development instance. Then I installed it with ...
sudo yum -y install google-authenticator-1.09-1.amzn2023.x86_64.rpm

🔘 Edit the SSH-related configuration files

sudo vi /etc/pam.d/sshd
## add the line: auth required pam_google_authenticator.so
## comment out: auth substack password-auth
## (taking password-auth out of the auth stack means PAM asks only for the verification code,
##  never the Unix password; note that without the module's nullok option every account that
##  has no ~/.google_authenticator file can no longer log in over SSH at all)
[ec2-user@ip-10-0-66-103 ~]$ cat /etc/pam.d/sshd
#%PAM-1.0
#auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
auth       required     pam_google_authenticator.so
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

# Edit the sshd configuration; the drop-in file is readable only by root, so switch to the root account
[ec2-user@ip-10-0-66-103 ~]$ sudo su -
Last login: Fri Sep  1 07:55:04 UTC 2023 on pts/0
[root@ip-10-0-66-103 ~]# cd /etc/ssh/sshd_config.d/
[root@ip-10-0-66-103 sshd_config.d]# ll
total 4
-rw-------. 1 root root 719 Jul 27 13:43 50-redhat.conf

## Edit 50-redhat.conf
## change ChallengeResponseAuthentication to yes (in the OpenSSH 8.7 shipped with AL2023 this keyword is an alias of KbdInteractiveAuthentication)
## add AuthenticationMethods publickey,keyboard-interactive
## Note: sshd_config.d/*.conf is included at the top of sshd_config and sshd keeps the first value it reads, so a drop-in
## overrides the main file. 50-redhat.conf belongs to the openssh-server package and may be replaced on update; a separate
## drop-in that sorts before it (for example 40-mfa.conf) is the more durable place for these two lines.
[root@ip-10-0-66-103 sshd_config.d]# cat 50-redhat.conf
# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect in
# this or following included files. To override some configuration option,
# write it before this block or include it before this file.
# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
Include /etc/crypto-policies/back-ends/opensshserver.config

SyslogFacility AUTHPRIV

ChallengeResponseAuthentication yes

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no
AuthenticationMethods publickey,keyboard-interactive

Check the configuration (sshd -t prints nothing when the configuration is valid):
[root@ip-10-0-66-103 sshd_config.d]# sshd -t
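Before sshd is restarted, the two PAM edits and the two sshd_config edits above are worth checking mechanically rather than by eye. The script below is an added example, not code from the original post: it checks an /etc/pam.d/sshd file for the PAM changes and the effective sshd settings printed by `sudo sshd -T` for the sshd changes, and carries constructed copies of both files so it runs offline. The file names, the `mfa-preflight.sh` name and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight check for the PAM + sshd MFA settings before restarting sshd.
# Added example (not from the original post). Usage on a real host:
#   sudo sshd -T > /tmp/sshd-effective.txt
#   sh mfa-preflight.sh /etc/pam.d/sshd /tmp/sshd-effective.txt

# Print only active (non-comment, non-blank) lines of a config file.
active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# PAM: the OTP module must be a required auth rule, and the password-auth stack
# must no longer be part of the auth type (otherwise sshd prompts for the Unix
# password as well as the verification code).
pam_mfa_ok() {
    active_lines "$1" | grep -Eq '^auth[[:space:]]+(required|requisite)[[:space:]]+pam_google_authenticator\.so' || return 1
    if active_lines "$1" | grep -Eq '^auth[[:space:]]+(substack|include)[[:space:]]+password-auth'; then
        return 1
    fi
    return 0
}

# PAM: "nullok" lets accounts WITHOUT ~/.google_authenticator log in with the
# key alone, so report it and let the operator decide deliberately.
pam_nullok_present() {
    active_lines "$1" | grep -Eq 'pam_google_authenticator\.so.*nullok'
}

# sshd: check the EFFECTIVE values from `sshd -T`. OpenSSH 8.7+ (AL2023) reports
# ChallengeResponseAuthentication under its alias kbdinteractiveauthentication,
# so accept either spelling.
sshd_mfa_ok() {
    grep -Eiq '^(kbdinteractiveauthentication|challengeresponseauthentication) yes$' "$1" || return 1
    grep -Eiq '^usepam yes$' "$1" || return 1
    grep -Eiq '^authenticationmethods publickey,keyboard-interactive$' "$1" || return 1
    return 0
}

# sshd: with the AuthenticationMethods above a password alone can never succeed,
# but keeping PasswordAuthentication off also removes the password prompt path.
sshd_password_disabled() {
    grep -Eiq '^passwordauthentication no$' "$1"
}

# Run all checks; one line per check, exit status 1 if any hard check fails.
run_preflight() {
    pam=$1; dump=$2; rc=0
    if pam_mfa_ok "$pam"; then echo "PASS pam: google_authenticator required, password-auth out of auth stack"
    else echo "FAIL pam: $pam"; rc=1; fi
    if pam_nullok_present "$pam"; then echo "WARN pam: nullok set, unenrolled users bypass MFA"; fi
    if sshd_mfa_ok "$dump"; then echo "PASS sshd: keyboard-interactive on, UsePAM yes, AuthenticationMethods publickey,keyboard-interactive"
    else echo "FAIL sshd: $dump"; rc=1; fi
    if sshd_password_disabled "$dump"; then echo "PASS sshd: PasswordAuthentication no"
    else echo "WARN sshd: PasswordAuthentication is not 'no'"; fi
    return $rc
}

# Constructed samples mirroring the files shown above, so the checks can be
# exercised without an AL2023 host (not real output from one).
write_sample_pam() {
    cat > "$1" <<'EOF'
#%PAM-1.0
#auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    include      password-auth
password   include      password-auth
auth       required     pam_google_authenticator.so
session    include      password-auth
EOF
}
write_sample_sshd_dump() {
    cat > "$1" <<'EOF'
usepam yes
kbdinteractiveauthentication yes
passwordauthentication no
pubkeyauthentication yes
authenticationmethods publickey,keyboard-interactive
EOF
}

if [ "$#" -eq 2 ]; then
    run_preflight "$1" "$2"
fi
```

The nullok warning cuts both ways: without nullok, every account that has not yet run google-authenticator, including any used by automation, loses SSH access the moment sshd is restarted, which is why the checks belong before the restart and why one existing session should stay open until a fresh login has succeeded.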

🔘 Set up google-authenticator for the ec2-user account

[root@ip-10-0-66-103 ~]# su ec2-user
[ec2-user@ip-10-0-66-103 root]$ cd
[ec2-user@ip-10-0-66-103 ~]$
## Run google-authenticator. It prints an https URL; open it in a browser (reaching google.com may require a proxy from mainland China), scan the QR code with the Google Authenticator app and enter the first code the app shows. As the tool itself warns, that URL hands the OTP secret to Google; typing the secret key into the app manually avoids this. The secret key and scratch codes below are the ones printed in the original post's transcript; treat your own as credentials and never publish them.
[ec2-user@ip-10-0-66-103 ~]$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/ec2-user@ip-10-0-66-103.ap-northeast-1.compute.internal%3Fsecret%3DOLUFDKQCH4LFBGKF6KVH6UCI3I%26issuer%3Dip-10-0-66-103.ap-northeast-1.compute.internal
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: OLUFDKQCH4LFBGKF6KVH6UCI3I
Enter code from app (-1 to skip): 875540
Code confirmed
Your emergency scratch codes are:
  71036076
  82603842
  66272788
  91250893
  78133665

Do you want me to update your "/home/ec2-user/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
[ec2-user@ip-10-0-66-103 ~]$

The meaning of the prompts above is explained at:

https://aws.amazon.com/cn/blogs/china/multi-factor-authentication-aws-security-startup/
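What the enrollment dialogue above configures (time-based codes, a window of 3 codes, single-use scratch codes) is easiest to see by reproducing the check the PAM module later runs against ~/.google_authenticator. The following is an added example, not code from the original post or from google-authenticator-libpam: a POSIX sh re-implementation of RFC 6238 TOTP (HMAC-SHA1 via openssl(1)) plus a verifier over the secret file. The embedded file is constructed from the RFC 6238 test key and made-up scratch codes, not from the secret printed above, and the function names are the example's own.

```shell
#!/bin/sh
# Re-implementation of the code check behind the "Verification code:" prompt.
# Added example (not from the original post or the pam module). Needs openssl(1).
# ~/.google_authenticator layout: line 1 = base32 secret, lines starting with '" '
# = options (RATE_LIMIT, DISALLOW_REUSE, WINDOW_SIZE, TOTP_AUTH), remaining
# 8-digit lines = unused emergency scratch codes.

# base32 (RFC 4648) -> hex, pure shell
b32_to_hex() {
    s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '=')
    alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
    buf=0; bits=0; hex=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}            # pop first character
        rest=${alphabet%%"$c"*}; v=${#rest}  # its 5-bit value
        [ "$v" -lt 32 ] || return 1
        buf=$(( (buf << 5) | v )); bits=$(( bits + 5 ))
        if [ "$bits" -ge 8 ]; then
            bits=$(( bits - 8 ))
            hex="$hex$(printf '%02x' $(( (buf >> bits) & 255 )))"
            buf=$(( buf & ((1 << bits) - 1) ))
        fi
    done
    printf '%s' "$hex"
}

# HOTP (RFC 4226): HMAC-SHA1(key, 8-byte big-endian counter), dynamic truncation, 6 digits
hotp() {
    key=$(b32_to_hex "$1") || return 1
    ctr_hex=$(printf '%016x' "$2")
    fmt=
    while [ -n "$ctr_hex" ]; do                  # hex pairs -> \ooo octal escapes for printf
        pair=${ctr_hex%"${ctr_hex#??}"}; ctr_hex=${ctr_hex#??}
        fmt="$fmt$(printf '\\%03o' $(( 0x$pair )))"
    done
    mac=$(printf "$fmt" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key" | awk '{print $NF}')
    off=$(( 0x$(printf '%s\n' "$mac" | cut -c40) ))                     # low nibble of last byte
    part=$(printf '%s\n' "$mac" | cut -c"$(( off * 2 + 1 ))-$(( off * 2 + 8 ))")
    printf '%06d' $(( (0x$part & 0x7fffffff) % 1000000 ))
}

# TOTP (RFC 6238): counter = floor(unix_time / 30)
totp() { hotp "$1" $(( $2 / 30 )); }

# Fields of the secret file
ga_secret()       { head -n 1 "$1"; }
ga_window_size()  { w=$(sed -n 's/^" WINDOW_SIZE //p' "$1"); echo "${w:-3}"; }   # 3 unless enlarged to 17
ga_is_totp()      { grep -q '^" TOTP_AUTH' "$1"; }
ga_scratch_left() { grep -Ec '^[0-9]{8}$' "$1" || true; }

# ga_verify <file> <code> <unix_time>: 0 if the code is accepted, 1 otherwise.
# A window of N codes means N-1 over 2 steps either side of "now".
ga_verify() {
    gfile=$1; gcode=$2; gnow=$3
    ga_is_totp "$gfile" || return 1              # counter-based (HOTP) files not handled here
    gsecret=$(ga_secret "$gfile")
    gspan=$(( ($(ga_window_size "$gfile") - 1) / 2 ))
    gctr=$(( gnow / 30 )); gk=$(( 0 - gspan ))
    while [ "$gk" -le "$gspan" ]; do
        [ "$(hotp "$gsecret" $(( gctr + gk )))" = "$gcode" ] && return 0
        gk=$(( gk + 1 ))
    done
    # Emergency scratch code: 8 digits, must still be present in the file.
    printf '%s\n' "$gcode" | grep -Eq '^[0-9]{8}$' && grep -qx "$gcode" "$gfile" && return 0
    return 1
}

# Scratch codes are single-use: the pam module deletes a used one from the file.
ga_consume_scratch() {
    grep -vx "$2" "$1" > "$1.tmp" && chmod 600 "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample file: RFC 6238 test key, made-up scratch codes.
write_sample_ga_file() {
    cat > "$1" <<'EOF'
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
33333333
44444444
55555555
EOF
    chmod 600 "$1"
}
```

The RATE_LIMIT and DISALLOW_REUSE options chosen in the dialogue are parsed but not enforced here; the real module additionally refuses more than 3 attempts per 30 s and records each accepted time step so the same code cannot be replayed. The window arithmetic also shows why the dialogue defaults to 3 codes: choosing 17 widens tolerance to 4 minutes of clock skew, and widens the replay window by the same amount, so fixing time sync (chrony on AL2023) is the better answer to skew.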

🔘 Restart sshd and test a key-based login from another machine

[ec2-user@ip-10-0-66-103 ~]$ sudo systemctl restart sshd

Test the login: after the key is verified, a "Verification code" prompt asks for the MFA code. Keep the existing session open until this new login succeeds, so a mistake in the PAM or sshd configuration cannot lock you out.
[root@ip-172-26-1-16 ~]# ssh -i jeffrey-9121-dongjing.pem ec2-user@35.77.23.104
The authenticity of host '35.77.23.104 (35.77.23.104)' can't be established.
ECDSA key fingerprint is SHA256:/43Lpa+nHVXVHlCRRvrh6pRGPNIaYTvBhWxGpT+nlJo.
ECDSA key fingerprint is MD5:df:a2:6d:09:24:be:6f:32:ce:e4:5c:c1:7a:13:47:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '35.77.23.104' (ECDSA) to the list of known hosts.
Verification code: 
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Fri Sep  1 08:37:34 2023 from 35.76.153.182
[ec2-user@ip-10-0-66-221 ~]$ ls

About 伊克罗德信息

伊克罗德信息 is a born-in-cloud, cloud-native consulting company that provides enterprises with cloud architecture consulting, migration projects, hybrid-cloud managed services, training and a range of cloud-adoption solutions. It has served several thousand enterprises worldwide across the internet, media, gaming, e-commerce and retail, manufacturing, automotive, fintech and social-application sectors, and is a long-trusted one-stop cloud-adoption solution provider in the global cloud consulting industry.
