Skip to main content

MFA with Googleauthenticator for EC2 Instances. 

First Make sure that the server time and the mobile time as same.


root@ip-xx-xx-xx-xx:~# apt-get update
root@ip-xx-xx-xx-xx:~# apt-get upgrade

ubuntu@ip-xx-xx-xx-xx:~ sudo apt-get install libpam-google-authenticator

ubuntu@ip-xx-xx-xx-xx:~ sudo vi /etc/pam.d/sshd

At the start of the file, add the following line, then save and exit.


auth required pam_google_authenticator.so nullok






This will mean that users who don’t run Google Authenticator
initialization won’t be asked for a second authentication.

ubuntu@ip-xx-xx-xx-xx:~$ sudo vi /etc/ssh/sshd_config

PasswordAuthentication yes
ChallengeResponseAuthentication yes

wq!


ubuntu@ip-xx-xx-xx-xx:~$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y

This will give a link like this , you can scan the QR code with the mobile.

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/ubuntu@xx.xx.xx.xx

Do you want me to update your "/home/ubuntu/.google_authenticator" file
(y/n) y

your chances to notice or even prevent man-in-the-middle attacks (y/n) y

size of 1:30min to about 4min. Do you want to do so (y/n) n

Do you want to enable rate-limiting (y/n) n

sudo /etc/init.d/ssh restart



Now try to login to the server using the aws key.
jino@ndz-Satellite-C50-B:~$ ssh -i /home/jino/Downloads/mfatest.pem
ubuntu@xx.xx.xx.xx
Authenticated with partial success.
Verification code:
Password:

First one Verification code is the Google Authentication code from the
mobile. and the Password is the Password of the Ubuntu User.










































Comments








Post a Comment













Popular posts from this blog



















Password reset too simplistic/systematic issue




























 Some time when we try to reset the password of our user in linux it will show as simple and systematic as below:   BAD PASSWORD: it is too simplistic/systematic   no matter how hard password you give it will show the same.   Solution:  #########   Check if your password is Ok with the below command,   jino@ndz~$ echo 'D7y8HK#56r89lj&8*&^%&^%#56rlKJ!789l' | cracklib-check  D7y8HK#56r89lj&8*&^%&^%#56rlKJ!789l: it is too simplistic/systematic    Now Create a password with the below command :    jino@ndz~$ echo $(tr -dc '[:graph:]'  7\xi%!W[y*S}g-H7W~gbEB4cv,9:E:K;   You can see that this password will be ok with the cracklib-check.   jino@ndz~$ echo '7\xi%!W[y*S}g-H7W~gbEB4cv,9:E:K;' | cracklib-check                 7\xi%!W[y*S}g-H7W~gbEB4cv,9:E:K;: OK     Thats all,   Thanks.  




















Post a Comment









Read more




























Nginx Ingress controller setup in K8S MultiNode Cluster with HA-Proxy as External LB




























 https://github.com/nginxinc/kubernetes-ingress/blob/master/docs/installation.md    Pre-requisites:  ###############  >> K8s cluster setup with 1 Master and 2 Worker nodes.  >> Deployed an application with Deployment name "client-sb"  >> Also you need to create an HA-proxy server by spinning an Ec2 instance.   After login the Ha-proxy server.   # yum install haproxy   # vi /etc/haproxy/haproxy.cfg   delete everything after the global and defaults starting from "Main front-end which proxys to the backend"   paste the below code in the end of the file:  ---------------------  frontend http_front    bind *:80    stats uri /haproxy?stats    default_backend http_back   backend http_back    balance roundrobin    server kube 10.0.1.14:80    server kube 10.0.1.12:80   ---------------------   # systemctl status haproxy  # systemctl enable haproxy  # systemctl start haproxy     1. Create a Namespace, a SA, the Default Secret, the Customization Confi...




















Post a Comment









Read more




























Running K8s cluster service kubelet with Swap Memory Enabled




























 For enabling swap memory check the below link :   https://jinojoseph.blogspot.com/2019/10/enable-swap-memory-using-swapfile-in.html    # sudo vi /etc/systemd/system/kubelet.service.d/10-kubeadm.conf   Add the KUBELET_EXTRA_ARGS line as below:  ----------------------------------------   Environment="KUBELET_EXTRA_ARGS=--fail-swap-on=false"  ExecStart=  ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS    Now kubelet.service changed on disk. Run 'systemctl daemon-reload' to reload units   # sudo systemctl daemon-reload  # sudo systemctl restart kubelet  # sudo systemctl status kubelet   That is all cheers :p  




















Post a Comment









Read more