Tech Share | Using Google MFA for Amazon Linux 2023 login verification

2024-01-18 16:00


Enabling Google MFA for logins to the Amazon Linux 2023 AMI

At present, protecting an EC2 instance comes down to managing the key files and passwords properly. For especially important EC2 environments, can a second verification step be added to the login? This post uses Google MFA (the google-authenticator PAM module) to add second-factor verification to SSH logins on EC2.


For the Amazon Linux 2 AMI, the procedure at the link below can be followed as is; the main point to remember is that google-authenticator must be run as the user for whom MFA is being enabled:

https://www.middlewareinventory.com/blog/aws-mfa-ssh-ec2-setup/


This post targets the Amazon Linux 2023 AMI. That AMI has had some major changes, and the differences show up mainly in the stage where sshd_config is modified.

Since there is currently no public RPM package for the Google MFA PAM module (google-authenticator-libpam), it has to be built from the GitHub source. First install the build tools:


# install the build tools
sudo yum install -y git rpmdevtools rpmlint autoconf automake make gcc libtool pam-devel.x86_64

# check out the 1.09 release tag
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam
git checkout -b 1.09 tags/1.09

# run the GA build script
contrib/build-rpm.sh 1

# cd to the rpm dir
cd contrib/_rpmbuild/RPMS/x86_64

# Finally, I saved the rpm file and destroyed the AL2023 development instance. Then I installed it with ...
sudo yum -y install google-authenticator-1.09-1.amzn2023.x86_64.rpm




Modify the SSH-related configuration files

sudo vi /etc/pam.d/sshd

## add:         auth required pam_google_authenticator.so
## comment out: auth substack password-auth
[ec2-user@ip-10-0-66-103 ~]$ cat /etc/pam.d/sshd
#%PAM-1.0
#auth       substack     password-auth
auth       required     pam_google_authenticator.so
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

Two consequences of this file are worth spelling out. With the password-auth substack commented out, PAM no longer asks for the Unix password, so the keyboard-interactive step consists of the TOTP code only. And because the google_authenticator line is "required" without the "nullok" option, any account that has no ~/.google_authenticator file can no longer log in over SSH at all; enrol every user who needs SSH access before sshd is restarted.

# Edit the sshd configuration. This file is readable only by root, so switch to root first
[ec2-user@ip-10-0-66-103 ~]$ sudo su -
Last login: Fri Sep   1 07:55:04 UTC 2023 on pts/0
[root@ip-10-0-66-103 ~]# cd /etc/ssh/sshd_config.d/
[root@ip-10-0-66-103 sshd_config.d]# ll
total 4
-rw-------. 1 root root 719 Jul 27 13:43 50-redhat.conf

## Edit 50-redhat.conf
## change: ChallengeResponseAuthentication yes
## add:    AuthenticationMethods publickey,keyboard-interactive
[root@ip-10-0-66-103 sshd_config.d]# cat 50-redhat.conf
# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect in
# this or following included files. To override some configuration option,
# write it before this block or include it before this file.
# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
Include /etc/crypto-policies/back-ends/opensshserver.config

SyslogFacility AUTHPRIV

ChallengeResponseAuthentication yes

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no
AuthenticationMethods publickey,keyboard-interactive

Three points about these two settings. ChallengeResponseAuthentication is the older name for KbdInteractiveAuthentication; the OpenSSH shipped with AL2023 accepts both, and it has to be yes or sshd never hands the session to PAM for the code prompt. The comma in AuthenticationMethods matters: `publickey,keyboard-interactive` requires both, key first, whereas a space-separated list (`publickey keyboard-interactive`) would accept either one on its own and the key alone would still get in. Finally, 50-redhat.conf is a vendor-managed file; since sshd keeps the first value it sees for an option and the sshd_config.d drop-ins are included ahead of the main sshd_config, the same two lines in a separate drop-in that sorts before it (for example 40-mfa.conf) give the same result without touching the vendor file.

Check the configuration syntax (`sshd -t` only validates syntax; `sshd -T` prints the effective values, which is where to confirm that AuthenticationMethods and KbdInteractiveAuthentication came out as intended):
[root@ip-10-0-66-103 sshd_config.d]# sshd -t
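As an added check that is not part of the original post: a small Python linter over the effective sshd settings (the key/value lines that `sshd -T` prints) and /etc/pam.d/sshd, flagging the mistakes that silently weaken this setup, in particular a space instead of a comma in AuthenticationMethods and a "nullok" on the PAM line. The sample inputs are constructed to mirror the configuration above, and the function names are my own.

```python
"""Added check, not code from the original post: lint the effective sshd
settings and /etc/pam.d/sshd for the publickey + TOTP setup described above.

Feed it the output of `sshd -T` (effective values, lowercase keys) rather than
the raw sshd_config: sshd keeps the first value it sees for an option, and the
drop-ins under sshd_config.d are included ahead of the main file.
"""


def parse_sshd_T(text):
    """Parse `sshd -T` output into {lowercase key: value}; first value wins."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key.lower(), value.strip())
    return cfg


def parse_pam(text):
    """Return the active PAM rules as (type, control, module, options) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, incl. '#auth ...'
        if len(parts) >= 3:
            rules.append((parts[0], parts[1], parts[2], parts[3:]))
    return rules


def check_mfa(sshd_T_text, pam_sshd_text):
    """Return a list of findings; an empty list means key AND TOTP are enforced."""
    cfg = parse_sshd_T(sshd_T_text)
    findings = []

    # A comma in AuthenticationMethods means AND (methods completed in sequence);
    # a space separates alternatives (OR). "publickey keyboard-interactive" would
    # let a key alone log in, which is the mistake this check exists to catch.
    methods = cfg.get("authenticationmethods", "any")
    if methods == "any":
        findings.append("AuthenticationMethods unset: a key alone still logs in")
    else:
        for alt in methods.split():
            names = {m.split(":")[0] for m in alt.split(",")}  # drop ':pam' etc.
            if not {"publickey", "keyboard-interactive"} <= names:
                findings.append("AuthenticationMethods alternative %r does not "
                                "require both publickey and keyboard-interactive" % alt)

    # The PAM prompt only appears if keyboard-interactive is enabled;
    # ChallengeResponseAuthentication is the deprecated alias of this option.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "no"))
    if kbd != "yes":
        findings.append("KbdInteractiveAuthentication (ChallengeResponseAuthentication) is not yes")
    if cfg.get("usepam") != "yes":
        findings.append("UsePAM is not yes: pam_google_authenticator is never consulted")

    rules = parse_pam(pam_sshd_text)
    ga = [r for r in rules if r[0] == "auth" and r[2] == "pam_google_authenticator.so"]
    if not ga:
        findings.append("/etc/pam.d/sshd has no active auth line for pam_google_authenticator.so")
    for _, control, _, opts in ga:
        if control not in ("required", "requisite"):
            findings.append("pam_google_authenticator.so is %r, not required/requisite" % control)
        if "nullok" in opts:
            findings.append("nullok: users without ~/.google_authenticator skip the TOTP prompt")
    if any(r[:3] == ("auth", "substack", "password-auth") for r in rules):
        findings.append("auth substack password-auth is still active: the keyboard-interactive "
                        "step will ask for the Unix password as well as the code")
    return findings


# Constructed samples shaped like `sshd -T` output and /etc/pam.d/sshd (not captured from a host).
SSHD_T_MFA = """\
usepam yes
kbdinteractiveauthentication yes
passwordauthentication no
authenticationmethods publickey,keyboard-interactive
"""
SSHD_T_DEFAULT = (SSHD_T_MFA
                  .replace("kbdinteractiveauthentication yes", "kbdinteractiveauthentication no")
                  .replace("publickey,keyboard-interactive", "any"))
SSHD_T_EITHER = SSHD_T_MFA.replace("publickey,keyboard-interactive", "publickey keyboard-interactive")

PAM_SSHD_MFA = """\
#%PAM-1.0
#auth       substack     password-auth
auth       required     pam_google_authenticator.so
auth       include      postlogin
account    required     pam_sepermit.so
account    include      password-auth
session    include      password-auth
"""
PAM_SSHD_NULLOK = PAM_SSHD_MFA.replace("pam_google_authenticator.so",
                                       "pam_google_authenticator.so nullok")

if __name__ == "__main__":
    for name, (sshd_t, pam) in {"mfa": (SSHD_T_MFA, PAM_SSHD_MFA),
                                "default": (SSHD_T_DEFAULT, PAM_SSHD_MFA),
                                "either": (SSHD_T_EITHER, PAM_SSHD_MFA),
                                "nullok": (SSHD_T_MFA, PAM_SSHD_NULLOK)}.items():
        print(name, check_mfa(sshd_t, pam) or "OK")
```

On a real host, run `sshd -T` as root and pass its output together with the contents of /etc/pam.d/sshd; the "mfa" sample above comes back clean, the other three each report what would let a login through with only one factor.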



Configure google-authenticator for the ec2-user account


[root@ip-10-0-66-103 ~]# su ec2-user
[ec2-user@ip-10-0-66-103 root]$ cd
[ec2-user@ip-10-0-66-103 ~]$
## Run the google-authenticator program. It prints an https URL; copy it into a browser (one that can reach Google), scan the QR code with the Google Authenticator app, and enter the first code it shows. Note the warning printed below: opening that URL hands the OTP secret to Google, so on a sensitive host prefer typing the secret key into the app by hand. This build found no libqrencode on the host, which is why no QR code is drawn in the terminal.
[ec2-user@ip-10-0-66-103 ~]$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/ec2-user@ip-10-0-66-103.ap-northeast-1.compute.internal%3Fsecret%3DOLUFDKQCH4LFBGKF6KVH6UCI3I%26issuer%3Dip-10-0-66-103.ap-northeast-1.compute.internal
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: OLUFDKQCH4LFBGKF6KVH6UCI3I
Enter code from app (-1 to skip): 875540
Code confirmed
Your emergency scratch codes are:
  71036076
  82603842
  66272788
  91250893
  78133665

Do you want me to update your "/home/ec2-user/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
[ec2-user@ip-10-0-66-103 ~]$

For the meaning of the prompts above, see:

https://aws.amazon.com/cn/blogs/china/multi-factor-authentication-aws-security-startup/
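The three enrollment choices above (one accepted code either side of the current one, no reuse of a code, three attempts per 30 seconds) are easier to reason about in code. The block below is an added example, not the google-authenticator-libpam source: an RFC 6238 TOTP implementation plus a small verifier that models those options. The per-user state it keeps is a simplification of what the module records in ~/.google_authenticator, and the secret used is the RFC 6238 test secret rather than the one printed above.

```python
"""Added example, not the google-authenticator-libpam source: an RFC 6238 TOTP
verifier modelling the enrollment prompts above, namely the +/-1 step window
(3 accepted codes), refusal of a code that has already been used, and a limit
of 3 attempts per 30 s. The state kept here is a simplification of what the
module stores in ~/.google_authenticator.
"""
import base64
import hashlib
import hmac
import struct

PERIOD = 30  # seconds per TOTP step, as in the "time-based" prompt


def totp(secret_b32, unix_time, digits=6):
    """TOTP (HMAC-SHA1) for the step containing unix_time; secret is base32 as printed."""
    secret_b32 = secret_b32.upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))  # re-add padding
    step = int(unix_time) // PERIOD
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


class TotpVerifier:
    """Per-user server-side state mirroring the options chosen at enrollment."""

    def __init__(self, secret_b32, window=1, disallow_reuse=True, rate_limit=(3, 30)):
        self.secret = secret_b32
        self.window = window                  # steps either side: 1 -> 3 codes, 8 -> 17
        self.disallow_reuse = disallow_reuse
        self.max_attempts, self.rate_period = rate_limit
        self.used_steps = set()               # steps whose code was already accepted
        self.attempts = []                    # timestamps of recent attempts

    def verify(self, code, now):
        # Rate limit first: more than max_attempts within rate_period seconds fails,
        # even when this attempt carries the right code.
        self.attempts = [t for t in self.attempts if now - t < self.rate_period]
        self.attempts.append(now)
        if len(self.attempts) > self.max_attempts:
            return False
        step_now = int(now) // PERIOD
        for delta in range(-self.window, self.window + 1):
            step = step_now + delta
            if hmac.compare_digest(totp(self.secret, step * PERIOD), code):
                if self.disallow_reuse and step in self.used_steps:
                    return False              # replay of an already-consumed code
                self.used_steps.add(step)
                return True
        return False


# RFC 6238 test secret "12345678901234567890" in base32 (not the secret shown above).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    v = TotpVerifier(RFC_SECRET)
    print(totp(RFC_SECRET, 59))       # 287082 (RFC 6238 SHA-1 vector, 6 digits)
    print(v.verify("287082", 59))     # True
    print(v.verify("287082", 70))     # False: same code presented again
```

Replacing RFC_SECRET with the secret the tool printed for ec2-user reproduces the codes the phone shows, which is a quick way to confirm the server clock is inside the accepted skew before relying on the module.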


Restart the sshd service and test a key-based login from another machine


[ec2-user@ip-10-0-66-103 ~]$ sudo systemctl restart sshd

Keep the current session open until the test login below has succeeded; if the PAM or sshd change is wrong, that session is the only way back in.

Test the login: after the key has been verified, a "Verification code:" prompt asks for the MFA code
[root@ip-172-26-1-16 ~]# ssh -i jeffrey-9121-dongjing.pem ec2-user@35.77.23.104
The authenticity of host '35.77.23.104 (35.77.23.104)' can't be established.
ECDSA key fingerprint is SHA256:/43Lpa+nHVXVHlCRRvrh6pRGPNIaYTvBhWxGpT+nlJo.
ECDSA key fingerprint is MD5:df:a2:6d:09:24:be:6f:32:ce:e4:5c:c1:7a:13:47:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '35.77.23.104' (ECDSA) to the list of known hosts.
Verification code:
   ,     #_
   ~\_   ####_        Amazon Linux 2023
  ~~   \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Fri Sep   1 08:37:34 2023 from 35.76.153.182
[ec2-user@ip-10-0-66-221 ~]$ ls
