
How To Setup 2FA On AWS Cloud Server

You are using AWS cloud with all the security modules enabled, along with a Cloudflare account. This alone does not keep your account safe from prying eyes, so using two-factor authentication (2FA) is the best way to secure your cloud account. 2FA is also an essential element of cybersecurity. These days, with the increase in work from home due to the ongoing COVID-19 pandemic, the online security of your account is a must. So let's start from basic to advanced on how to set up 2FA on an AWS cloud server running Ubuntu.


What is Two Factor Authentication

There are different authenticator services such as Authy, Google Authenticator and Microsoft Authenticator. It is difficult to say which is the best 2FA authenticator, as each one has its own advantages: Authy has a good UI, Google Authenticator is easy to use, and if you are on Azure cloud or use a Microsoft account then it makes sense to use Microsoft Authenticator. Please note there is a difference between 2FA and MFA (multi-factor authentication). In this post we will be talking about 2FA, two-factor authentication.

There are various ways to protect accounts via two-factor authentication: one-time passwords (OTP), verification codes, QR codes, hardware tokens or keys. Once the setup below is complete, each time you log into your system you will be prompted for your TOTP code (time-based one-time password) or HOTP code (counter-based).

Google Authenticator Setup For AWS Cloud

Install google-authenticator

This is a simple installation step. SSH to your AWS cloud server and install the google-authenticator PAM package (its source is on Google's GitHub page).

$ sudo apt install libpam-google-authenticator
Reading package lists... Done
Building dependency tree
Reading state information... Done
libpam-google-authenticator is already the newest version (20170702-1).

This installs Google Authenticator on your AWS cloud server running Ubuntu. Open a file editor and update the 'common-auth' file:

$ sudo vi /etc/pam.d/common-auth

Add the line below at the end of the file. The nullok option allows users who have not yet set up a token to log in without one; this is generally done during the initial setup days.

auth required pam_google_authenticator.so nullok

There are a few more module options on Google's GitHub page; set them as per your need, and configure google-authenticator accordingly.

One Time Google Auth Configuration On Cloud Server

Once installation is complete, set up google-authenticator for the user. This step is required for every user who needs two-step authentication. From the command prompt issue the following command and follow the steps.

$ google-authenticator
[Image: Google Authenticator QR code for Ubuntu]
Do you want me to update your "/home/ubuntu/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
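To make the three prompts above concrete, here is an added example (not code from the post or from the google-authenticator project) that models what the server does with the answers: it generates RFC 6238 TOTP codes, accepts a code within a skew window of 1 step (3 permitted codes) or 8 steps (17 permitted codes), refuses a token that was already used, and rate-limits to 3 attempts per 30 seconds. The secret is the constructed RFC 4226/6238 test key, and the class names and return strings are this example's own, not the PAM module's.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the mobile app generates a new code every 30 s
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-SHA1 one-time password for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is the number of 30 s steps since the Unix epoch."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server-side check mirroring the three google-authenticator prompts
    (hypothetical model for illustration, not the PAM module's own code)."""

    def __init__(self, secret: bytes, window: int = 1, disallow_reuse: bool = True,
                 max_attempts: int = 3, period: int = 30):
        self.secret = secret
        self.window = window              # 1 -> 3 permitted codes, 8 -> 17 permitted codes
        self.disallow_reuse = disallow_reuse
        self.max_attempts = max_attempts  # rate limit: at most 3 attempts ...
        self.period = period              # ... per 30 s
        self.used_counters = set()        # time steps already consumed by a login
        self.attempts = []                # timestamps of attempts that reached the code check

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'bad_code', 'reused' or 'rate_limited'."""
        # Rate limiting is applied before the code is looked at, so even a
        # correct code is refused while the limit is exceeded.
        self.attempts = [t for t in self.attempts if t > now - self.period]
        if len(self.attempts) >= self.max_attempts:
            return "rate_limited"
        self.attempts.append(now)

        if not code.isdigit():
            return "bad_code"
        current = now // STEP_SECONDS
        first = max(0, current - self.window)
        for counter in range(first, current + self.window + 1):
            # Constant-time comparison so timing never reveals which digits matched.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if self.disallow_reuse and counter in self.used_counters:
                    return "reused"       # same token replayed within its lifetime
                self.used_counters.add(counter)
                return "ok"
        return "bad_code"


# Constructed demo secret: the RFC 4226 / RFC 6238 test key, not a real account.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(DEMO_SECRET, window=1)
    code = totp(DEMO_SECRET, 59)
    print(code, v.verify(code, now=59), v.verify(code, now=61))
```

The window answer is a trade-off: widening it to 8 steps tolerates clock drift of up to 4 minutes but also keeps each code valid for that long, which is why the reuse check and rate limit matter more when the window is wide.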

One Time Auth Setting on Your Smart Phone

Install the Google Authenticator application from the app store on your smartphone, then configure it.

Open the Google Authenticator app, set up your first account, name the account 'aws cloud server', and scan the QR code or enter the setup key.

SSH Configurations on AWS Server

This step is required to enable two-factor authentication when logging in to the server. Enable the PAM module, as on most AWS servers, by editing the PAM configuration file for the Secure Shell service.

$ sudo vi /etc/pam.d/sshd

At the end of this file add the google-authenticator module line (the same auth required pam_google_authenticator.so line used in common-auth).

[Image: updated /etc/pam.d/sshd file]

Also in /etc/pam.d/sshd, make sure the line #@include common-auth has the # at the front to comment it out; this ensures sshd will not prompt for a password. Now set ChallengeResponseAuthentication to yes in the 'sshd_config' file to enable challenge-response passwords, and set AuthenticationMethods so that both the key and the code are required:

$ sudo vi /etc/ssh/sshd_config

ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
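Because sshd uses the first value it finds for a keyword, a leftover line earlier in the file (or in an included sshd_config.d fragment) silently wins over the edit above. The following audit script is an added example, not from the post or from OpenSSH: it parses an sshd_config with that first-value-wins rule and reports whether key + code is actually enforced. It assumes that KbdInteractiveAuthentication is the OpenSSH 8.7+ alias of ChallengeResponseAuthentication and that UsePAM must be yes for the PAM module to be consulted; the sample configs are constructed.

```python
import re

# ChallengeResponseAuthentication was renamed KbdInteractiveAuthentication in
# OpenSSH 8.7; both spellings set the same option, so normalise them.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
REQUIRED_METHODS = {"publickey", "keyboard-interactive"}


def parse_sshd_config(text: str) -> dict:
    """Effective global settings. Per sshd_config(5) the FIRST occurrence of a
    keyword wins, so a stray earlier line overrides a later edit. Parsing stops
    at the first Match block, whose settings apply only conditionally."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_2fa(text: str) -> list:
    """Return a list of problems; an empty list means key + TOTP is enforced."""
    cfg = parse_sshd_config(text)
    problems = []
    # Upstream default is yes, but a distro or earlier edit may have turned it off.
    if cfg.get("kbdinteractiveauthentication", "yes") != "yes":
        problems.append("keyboard-interactive (challenge-response) authentication is disabled")
    # Without UsePAM, sshd never consults pam_google_authenticator.
    if cfg.get("usepam", "no") != "yes":
        problems.append("UsePAM is not yes")
    # Space separates alternatives (any one suffices); commas inside an
    # alternative list methods that must ALL succeed, in order.
    methods = cfg.get("authenticationmethods", "any")
    alternatives = [set(alt.split(",")) for alt in methods.split()]
    if methods == "any" or not all(REQUIRED_METHODS <= alt for alt in alternatives):
        problems.append("AuthenticationMethods does not require publickey AND keyboard-interactive")
    return problems


# Constructed sample: the settings from this post, plus UsePAM as Ubuntu ships it.
GOOD_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
PasswordAuthentication no
"""

# Constructed sample with two classic mistakes: the alias set to no earlier in
# the file, and a space instead of a comma (either method alone would suffice).
BAD_CONFIG = """\
KbdInteractiveAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey keyboard-interactive
UsePAM yes
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_2fa(cfg) or "ok")
```

Run it against a copy of /etc/ssh/sshd_config (and the files it includes) before restarting sshd; it complements sshd -t, which only checks syntax, not whether the intended policy is in effect.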

Now, restart the sshd service and you are all set.

$ sudo systemctl restart sshd

Note:

Before you close the current terminal, open a new terminal and try to log in. If everything works, you can log out from the current terminal session; otherwise, go back through the steps above.

Hope you have enjoyed reading this free guide on How To Set Up 2FA On AWS Cloud Server.
