Tech Share | Using Google MFA for Login Verification on Amazon Linux 2023
Author: 伊克罗德信息科技
- 2024-01-18, Shanghai
Word count: 3416
Reading time: about 11 minutes
Enabling Google MFA for login on the Amazon Linux 2023 AMI
Beyond properly controlling key files and passwords, can an especially important EC2 instance be protected with a second verification step at login? This post uses Google MFA to add a second factor to EC2 login.
For the Amazon Linux 2 AMI, the steps in the link below can be followed directly; the main thing to note is that google-authenticator must be run as the user for whom MFA is being enabled:
https://www.middlewareinventory.com/blog/aws-mfa-ssh-ec2-setup/
This post focuses on the Amazon Linux 2023 AMI. That AMI contains some major changes, and the step of editing the sshd_config file is where the procedure differs.
🔘 Since there is currently no public RPM of the Google Authenticator PAM module, it has to be built from the GitHub source. First install the build tools:
# install the build tools
sudo yum install -y git rpmdevtools rpmlint autoconf automake make gcc libtool pam-devel.x86_64
# checkout the latest tag
git clone https://github.com/google/google-authenticator-libpam.git
cd google-authenticator-libpam
git checkout -b 1.09 tags/1.09
# run GA build script
contrib/build-rpm.sh 1
#cd rpm dir
cd contrib/_rpmbuild/RPMS/x86_64
#Finally, I saved the rpm file and destroyed the AL2023 development instance. Then I installed it with ...
sudo yum -y install google-authenticator-1.09-1.amzn2023.x86_64.rpm
🔘 Modify the SSH-related configuration files
sudo vi /etc/pam.d/sshd
## Add the rule: auth required pam_google_authenticator.so
## Comment out: auth substack password-auth
[ec2-user@ip-10-0-66-103 ~]$ cat /etc/pam.d/sshd
#%PAM-1.0
#auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
auth required pam_google_authenticator.so
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
# Edit the sshd configuration file; it is readable only by root, so switch to the root account
[ec2-user@ip-10-0-66-103 ~]$ sudo su -
Last login: Fri Sep 1 07:55:04 UTC 2023 on pts/0
[root@ip-10-0-66-103 ~]# cd /etc/ssh/sshd_config.d/
[root@ip-10-0-66-103 sshd_config.d]# ll
total 4
-rw-------. 1 root root 719 Jul 27 13:43 50-redhat.conf
## Edit 50-redhat.conf
## Change to: ChallengeResponseAuthentication yes
## Add: AuthenticationMethods publickey,keyboard-interactive
[root@ip-10-0-66-103 sshd_config.d]# cat 50-redhat.conf
# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect in
# this or following included files. To override some configuration option,
# write it before this block or include it before this file.
# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
Include /etc/crypto-policies/back-ends/opensshserver.config
SyslogFacility AUTHPRIV
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no
AuthenticationMethods publickey,keyboard-interactive
Check the configuration:
[root@ip-10-0-66-103 sshd_config.d]# sshd -t
🔘 Configure google-authenticator for the ec2-user account
[root@ip-10-0-66-103 ~]# su ec2-user
[ec2-user@ip-10-0-66-103 root]$ cd
[ec2-user@ip-10-0-66-103 ~]$
## Run the google-authenticator program. It prints an https URL; copy it and open it in a browser (google.com may not be reachable from mainland China without a proxy), then scan the QR code with the Google Authenticator app and enter the first verification code.
[ec2-user@ip-10-0-66-103 ~]$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/ec2-user@ip-10-0-66-103.ap-northeast-1.compute.internal%3Fsecret%3DOLUFDKQCH4LFBGKF6KVH6UCI3I%26issuer%3Dip-10-0-66-103.ap-northeast-1.compute.internal
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: OLUFDKQCH4LFBGKF6KVH6UCI3I
Enter code from app (-1 to skip): 875540
Code confirmed
Your emergency scratch codes are:
71036076
82603842
66272788
91250893
78133665
Do you want me to update your "/home/ec2-user/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
[ec2-user@ip-10-0-66-103 ~]$
For the meaning of the prompts above, see:
https://aws.amazon.com/cn/blogs/china/multi-factor-authentication-aws-security-startup/
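The prompts above (the 3-code window, disallowing reuse of a token, the 3-attempts-per-30-seconds rate limit, the emergency scratch codes) describe what the PAM module checks when it asks for the verification code. The following is an added example, not code from the post or from google-authenticator-libpam: a small Python model of that check (RFC 6238 TOTP with HMAC-SHA1 and 30-second steps) plus a parser for the `~/.google_authenticator` file. The file contents are constructed from the values printed in the session above; the `" RATE_LIMIT 3 30` / `" DISALLOW_REUSE` / `" TOTP_AUTH` / `" WINDOW_SIZE` option-line format is my understanding of the module's file layout and not something the post shows, and `TotpVerifier` is a simplification (the real module persists used time steps and attempt timestamps back into that file).

```python
"""Model of the check behind the 'Verification code:' prompt.

Added example, not the post's or the PAM module's code. Option-line format of
~/.google_authenticator is assumed; the values come from the post's session.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step, as the prompts state


def totp_code(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing unix_time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def parse_ga_file(text: str) -> dict:
    """Split ~/.google_authenticator into secret, options and scratch codes.
    Assumed layout: secret on line 1, options as '" NAME ...', then scratch codes."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    opts = [l[1:].strip() for l in lines if l.startswith('"')]
    window = next((int(o.split()[1]) for o in opts if o.startswith("WINDOW_SIZE")), 3)
    rate = next((tuple(map(int, o.split()[1:3])) for o in opts if o.startswith("RATE_LIMIT")), None)
    return {"secret": lines[0],
            "window_size": window,                              # 3 = previous, current, next
            "disallow_reuse": any(o.startswith("DISALLOW_REUSE") for o in opts),
            "rate_limit": rate,                                 # (attempts, seconds)
            "scratch": [l for l in lines[1:] if l.isdigit() and len(l) == 8]}


class TotpVerifier:
    """Simplified per-login decision: rate limit, scratch codes, windowed TOTP, reuse."""

    def __init__(self, cfg: dict):
        self.cfg = cfg
        self.used_steps = set()   # time steps already accepted (DISALLOW_REUSE)
        self.attempts = []        # timestamps of recent attempts (RATE_LIMIT)

    def verify(self, code: str, now: int) -> str:
        if self.cfg["rate_limit"]:
            max_attempts, per_seconds = self.cfg["rate_limit"]
            self.attempts = [t for t in self.attempts if now - t < per_seconds]
            if len(self.attempts) >= max_attempts:
                return "rate-limited"
            self.attempts.append(now)
        if code in self.cfg["scratch"]:                 # emergency code: single use
            self.cfg["scratch"].remove(code)
            return "ok"
        step = now // STEP
        half = self.cfg["window_size"] // 2             # accepted skew in steps
        for s in range(step - half, step + half + 1):
            if hmac.compare_digest(totp_code(self.cfg["secret"], s * STEP), code):
                if self.cfg["disallow_reuse"] and s in self.used_steps:
                    return "reused"
                self.used_steps.add(s)
                return "ok"
        return "bad-code"


# Constructed from the values the session above printed and the answers given.
GA_FILE = """OLUFDKQCH4LFBGKF6KVH6UCI3I
" RATE_LIMIT 3 30
" DISALLOW_REUSE
" TOTP_AUTH
71036076
82603842
66272788
91250893
78133665
"""


def demo(now: int = 1693557454) -> list:
    """Walk one enrolment through the checks; returns the decisions in order."""
    v = TotpVerifier(parse_ga_file(GA_FILE))
    current = totp_code(v.cfg["secret"], now)
    previous = totp_code(v.cfg["secret"], now - STEP)
    return [v.verify("000000", now),        # wrong code
            v.verify(current, now),         # right code
            v.verify(current, now + 5),     # same token again: rejected as reused
            v.verify(previous, now + 10),   # 4th attempt inside 30 s: rate-limited
            v.verify(previous, now + 40),   # window moved on; previous step too old
            v.verify("71036076", now + 41), # scratch code accepted once
            v.verify("71036076", now + 42)] # and never again


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `['bad-code', 'ok', 'reused', 'rate-limited', 'bad-code', 'ok', 'bad-code']`, which is the sequence the prompts describe: the same 30-second token cannot be replayed, a fourth attempt within 30 seconds is refused, a code from a step outside the ±1 window fails, and each scratch code works exactly once. It also shows why the module insists that `~/.google_authenticator` stay mode 0400: the secret and scratch codes in that file are all that is needed to produce valid codes.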
🔘 Restart the sshd service and test by logging in from another machine with the key
[ec2-user@ip-10-0-66-103 ~]$ sudo systemctl restart sshd
Test the login: once the key authentication has passed, a "Verification code" prompt appears asking for the MFA code.
[root@ip-172-26-1-16 ~]# ssh -i jeffrey-9121-dongjing.pem ec2-user@35.77.23.104
The authenticity of host '35.77.23.104 (35.77.23.104)' can't be established.
ECDSA key fingerprint is SHA256:/43Lpa+nHVXVHlCRRvrh6pRGPNIaYTvBhWxGpT+nlJo.
ECDSA key fingerprint is MD5:df:a2:6d:09:24:be:6f:32:ce:e4:5c:c1:7a:13:47:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '35.77.23.104' (ECDSA) to the list of known hosts.
Verification code:
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Fri Sep 1 08:37:34 2023 from 35.76.153.182
[ec2-user@ip-10-0-66-221 ~]$ ls
Published on: 2024-01-18 · Reads: 3
伊克罗德信息科技
Your trusted one-stop cloud adoption solution provider · Joined 2023-11-26
伊克罗德信息 is a born-in-cloud, cloud-native consulting services company that provides enterprises with a range of cloud adoption solutions. It has served several thousand enterprises worldwide, with customers across the internet, media, gaming, e-commerce and retail, manufacturing, automotive, fintech and social-app industries.