Skip to main content

MFA with Googleauthenticator for EC2 Instances. 

First Make sure that the server time and the mobile time as same.


root@ip-xx-xx-xx-xx:~# apt-get update
root@ip-xx-xx-xx-xx:~# apt-get upgrade

ubuntu@ip-xx-xx-xx-xx:~ sudo apt-get install libpam-google-authenticator

ubuntu@ip-xx-xx-xx-xx:~ sudo vi /etc/pam.d/sshd

At the start of the file, add the following line, then save and exit.


auth required pam_google_authenticator.so nullok






This will mean that users who don’t run Google Authenticator
initialization won’t be asked for a second authentication.

ubuntu@ip-xx-xx-xx-xx:~$ sudo vi /etc/ssh/sshd_config

PasswordAuthentication yes
ChallengeResponseAuthentication yes

wq!


ubuntu@ip-xx-xx-xx-xx:~$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y

This will give a link like this , you can scan the QR code with the mobile.

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/ubuntu@xx.xx.xx.xx

Do you want me to update your "/home/ubuntu/.google_authenticator" file
(y/n) y

your chances to notice or even prevent man-in-the-middle attacks (y/n) y

size of 1:30min to about 4min. Do you want to do so (y/n) n

Do you want to enable rate-limiting (y/n) n

sudo /etc/init.d/ssh restart



Now try to login to the server using the aws key.
jino@ndz-Satellite-C50-B:~$ ssh -i /home/jino/Downloads/mfatest.pem
ubuntu@xx.xx.xx.xx
Authenticated with partial success.
Verification code:
Password:

First one Verification code is the Google Authentication code from the
mobile. and the Password is the Password of the Ubuntu User.






















































Comments








Post a Comment













Popular posts from this blog



















Password reset too simplistic/systematic issue




























 Some time when we try to reset the password of our user in linux it will show as simple and systematic as below:   BAD PASSWORD: it is too simplistic/systematic   no matter how hard password you give it will show the same.   Solution:  #########   Check if your password is Ok with the below command,   jino@ndz~$ echo 'D7y8HK#56r89lj&8*&^%&^%#56rlKJ!789l' | cracklib-check  D7y8HK#56r89lj&8*&^%&^%#56rlKJ!789l: it is too simplistic/systematic    Now Create a password with the below command :    jino@ndz~$ echo $(tr -dc '[:graph:]'  7\xi%!W[y*S}g-H7W~gbEB4cv,9:E:K;   You can see that this password will be ok with the cracklib-check.   jino@ndz~$ echo '7\xi%!W[y*S}g-H7W~gbEB4cv,9:E:K;' | cracklib-check                 7\xi%!W[y*S}g-H7W~gbEB4cv,9:E:K;: OK     Thats all,   Thanks.  




















Post a Comment









Read more




























Setting /etc/hosts entries during the initial deployment of an Application using k8s yaml file




























 Some times we have to enter specific hosts file entries to the container running inside the POD of a kubernetes deployment during the initial deployment stage itself.   If these entries are not in place, the application env variables mentioned in the yaml file , as hostnames , will not resolve to the IP address and the application will not start properly.   So to make sure the /etc/hosts file entries are already there after the spin up of the POD you can add the below entries in your yaml file.   cat > api-deployment.yaml   apiVersion: apps/v1  kind: Deployment  metadata:  spec:    template:      metadata:      spec:        volumes:        containers:        - image: registryserver.jinojoseph.com:5000/jinojosephimage:v1.13          lifecycle:            postStart:              exec:                command:...




















Post a Comment









Read more




























Running K8s cluster service kubelet with Swap Memory Enabled




























 For enabling swap memory check the below link :   https://jinojoseph.blogspot.com/2019/10/enable-swap-memory-using-swapfile-in.html    # sudo vi /etc/systemd/system/kubelet.service.d/10-kubeadm.conf   Add the KUBELET_EXTRA_ARGS line as below:  ----------------------------------------   Environment="KUBELET_EXTRA_ARGS=--fail-swap-on=false"  ExecStart=  ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS    Now kubelet.service changed on disk. Run 'systemctl daemon-reload' to reload units   # sudo systemctl daemon-reload  # sudo systemctl restart kubelet  # sudo systemctl status kubelet   That is all cheers :p  




















Post a Comment









Read more