
Tech Share | Using Google MFA for login verification on Amazon Linux 2023

  • 2024-01-18, Shanghai
  • Length: 3416 characters, about 11 minutes to read


Enabling Google MFA for logins to the Amazon Linux 2023 AMI

Today EC2 instances are protected by careful management of key files and passwords. For particularly important EC2 environments, can a second verification step be added at login? This post adds a second factor to EC2 SSH logins using Google MFA (the google-authenticator PAM module).


For the Amazon Linux 2 AMI, the following link can be followed directly; the main point to watch is that google-authenticator must be run as the user for whom MFA is being enabled:

https://www.middlewareinventory.com/blog/aws-mfa-ssh-ec2-setup/


This post targets the Amazon Linux 2023 AMI. That AMI has some major changes, and the step of editing the sshd_config file differs from Amazon Linux 2.

🔘 There is currently no published RPM package of the Google MFA PAM module, so it has to be built from GitHub. First install the build tools:

# install the build tools
sudo yum install -y git rpmdevtools rpmlint autoconf automake make gcc libtool pam-devel.x86_64

# checkout the latest tag
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam
git checkout -b 1.09 tags/1.09

# run GA build script
contrib/build-rpm.sh 1

# cd rpm dir
cd contrib/_rpmbuild/RPMS/x86_64

# Finally, I saved the rpm file and destroyed the AL2023 development instance. Then I installed it with ...
sudo yum -y install google-authenticator-1.09-1.amzn2023.x86_64.rpm



🔘 Edit the SSH-related configuration files

sudo vi /etc/pam.d/sshd
## add this line:
auth required pam_google_authenticator.so
## comment out this line:
# auth       substack     password-auth

[ec2-user@ip-10-0-66-103 ~]$ cat /etc/pam.d/sshd
#%PAM-1.0
#auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
auth       required     pam_google_authenticator.so
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

# Edit the sshd configuration file. It is readable only by root, so switch to the root account first.
[ec2-user@ip-10-0-66-103 ~]$ sudo su -
Last login: Fri Sep 1 07:55:04 UTC 2023 on pts/0
[root@ip-10-0-66-103 ~]# cd /etc/ssh/sshd_config.d/
[root@ip-10-0-66-103 sshd_config.d]# ll
total 4
-rw-------. 1 root root 719 Jul 27 13:43 50-redhat.conf

## edit 50-redhat.conf
## change: ChallengeResponseAuthentication yes
## add: AuthenticationMethods publickey,keyboard-interactive
[root@ip-10-0-66-103 sshd_config.d]# cat 50-redhat.conf
# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect in
# this or following included files. To override some configuration option,
# write it before this block or include it before this file.
# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
Include /etc/crypto-policies/back-ends/opensshserver.config
SyslogFacility AUTHPRIV
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no
AuthenticationMethods publickey,keyboard-interactive

Check the configuration (sshd -t reports syntax errors, so run it before restarting sshd):
[root@ip-10-0-66-103 sshd_config.d]# sshd -t



🔘 Set up google-authenticator for the ec2-user account

[root@ip-10-0-66-103 ~]# su ec2-user
[ec2-user@ip-10-0-66-103 root]$ cd
[ec2-user@ip-10-0-66-103 ~]$
## Run the Google MFA program. It prints an https URL; copy it into a browser (reaching google.com may require a proxy from mainland China), scan the QR code with the Google Authenticator app, and enter the first verification code.
[ec2-user@ip-10-0-66-103 ~]$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/ec2-user@ip-10-0-66-103.ap-northeast-1.compute.internal%3Fsecret%3DOLUFDKQCH4LFBGKF6KVH6UCI3I%26issuer%3Dip-10-0-66-103.ap-northeast-1.compute.internal
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: OLUFDKQCH4LFBGKF6KVH6UCI3I
Enter code from app (-1 to skip): 875540
Code confirmed
Your emergency scratch codes are:
  71036076
  82603842
  66272788
  91250893
  78133665

Do you want me to update your "/home/ec2-user/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
[ec2-user@ip-10-0-66-103 ~]$


For the meaning of these prompts, see:

https://aws.amazon.com/cn/blogs/china/multi-factor-authentication-aws-security-startup/


🔘 Restart the sshd service and test a key-based login from another machine

[ec2-user@ip-10-0-66-103 ~]$ sudo systemctl restart sshd

Test the login. After the key authentication passes, a "Verification code" prompt asks for the MFA code:

[root@ip-172-26-1-16 ~]# ssh -i jeffrey-9121-dongjing.pem ec2-user@35.77.23.104
The authenticity of host '35.77.23.104 (35.77.23.104)' can't be established.
ECDSA key fingerprint is SHA256:/43Lpa+nHVXVHlCRRvrh6pRGPNIaYTvBhWxGpT+nlJo.
ECDSA key fingerprint is MD5:df:a2:6d:09:24:be:6f:32:ce:e4:5c:c1:7a:13:47:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '35.77.23.104' (ECDSA) to the list of known hosts.
Verification code:
(Amazon Linux 2023 login banner: https://aws.amazon.com/linux/amazon-linux-2023)
Last login: Fri Sep 1 08:37:34 2023 from 35.76.153.182
[ec2-user@ip-10-0-66-221 ~]$ ls


Author: 伊克罗德信息科技, published on InfoQ写作社区. 伊克罗德信息 is a born-in-cloud consulting company that provides cloud migration solutions to enterprises across the internet, media, gaming, e-commerce and retail, manufacturing, automotive, fintech and social application sectors.