Securing SSH to Amazon EC2 Linux Hosts
Anyone who has worked at a startup knows that establishing customer trust is a critical step for developing the business. Users are increasingly savvy about technology and security, and they expect that you will protect their data and provide a robust service. They also can be fickle and often won’t hesitate to switch to a competing product if there is a blip in your security. To avoid this, one of the first steps that you should take on behalf of your AWS-based startup is to lock down access to the Amazon EC2 instances running their applications.
The AWS Shared Security Model and Amazon EC2
A key component of the AWS shared security model is the capability to secure remote access to your Amazon EC2 instances. In the case of Linux servers, remote access usually means establishing a connection to the server by using the SSH protocol. Authentication typically happens either by providing a user name and password or by providing a private key that is checked against a public key on the server. By default, most Amazon EC2 instances use the latter approach for user authentication: when you first launch an EC2 instance, you are asked to optionally assign it a key pair. AWS uses the user name along with the PEM file that is associated with the key pair to authenticate with the server and open an SSH session.
In this post, we explore security topics related to securing access over SSH to Linux servers running on Amazon EC2. We also dig into examples that show how to implement the following two solutions for two-factor authentication for SSH sessions: TOTP with Google Authenticator and AWS Virtual MFA, and Duo UNIX from Duo Security.
Reducing risk with two-factor authentication
You always expose yourself to a degree of risk when you operate a server with interactive logins enabled. Provided that you adequately secure your PEM file and that SSH is correctly set up on your EC2 instances, key-based authentication is usually an improvement over simple user name/password authentication because it is less susceptible to brute-force attacks. Unfortunately, PEM files, like passwords, can be shared and accidentally left unsecured. Adding an extra layer of security, such as two-factor authentication, is a good way to mitigate this whether you are using password or key-based authentication as your primary factor of authentication.
Two-factor authentication, or multi-factor authentication (MFA), requires a user to provide multiple proofs of identity to get access to a resource. For example, you can configure access to the AWS Management Console to require users to enter a user name and password in addition to a rotating code from a hardware or software MFA device. This approach is also increasingly used to add an extra layer of security for access to servers and workstations, where a private key or a user name/password must be provided in addition to an authentication code from an MFA device before a session is opened on the operating system.
One use case that we see in the field is two-factor authentication used on “jump” or “bastion” hosts to provide increased security on EC2 instances that are used for SSH port forwarding or indirect access to internal-facing services. Another common use case is to provision EC2 instances with two-factor authentication and assign them AWS Identity and Access Management (AWS IAM) roles with locked-down policies. Support and operations teams can then securely connect to these EC2 instances and use the AWS CLI and SDKs without having to supply credentials.
Time-based One-time Passwords (TOTP)
Google Authenticator implements the TOTP algorithm from RFC 6238. When you install the Google Authenticator application on your Amazon EC2 instance, AWS generates a secret key. This secret key is then shared with a second device of your choice, such as an application running on your mobile phone. The exchange of the secret key usually happens when you use the mobile application to scan a QR code generated by Google Authenticator.
Once the secret key is stored in the mobile application, it combines it with the current timestamp by using a cryptographic hash function to generate one-time passwords (OTPs). An OTP is the second authentication factor that you will be prompted to input after successfully authenticating by using a user name and password or PEM file. The OTP is difficult to compromise because it auto-rotates as time passes, usually every 30 seconds, and is generated by using a device that you usually keep with you at all times (such as your phone).
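The following is an added example (not code from the original post, Google Authenticator, or AWS Virtual MFA) showing the RFC 6238 computation described above: the shared secret is combined with the current 30-second time step through HMAC-SHA1 (RFC 4226 HOTP) and truncated to a 6-digit code. The small verifier illustrates the two server-side options the setup steps mention, a small window for clock skew and rejection of a code that has already been used. The base32 secret and timestamps are constructed test values (the RFC 6238 reference key "12345678901234567890"), not anything from a real instance.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # Google Authenticator's default time step
DIGITS = 6          # Google Authenticator's default code length


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(key, unix_time // step, digits)


def decode_base32_secret(secret: str) -> bytes:
    """Secrets are shown to the user in base32 (as in the otpauth:// URL); restore padding."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check with a skew window and single-use enforcement (assumed design
    for this example; pam_google_authenticator keeps this state in ~/.google_authenticator)."""

    def __init__(self, base32_secret: str, window: int = 1, allow_reuse: bool = False):
        self.key = decode_base32_secret(base32_secret)
        self.window = window          # accept codes from +/- this many steps (clock skew)
        self.allow_reuse = allow_reuse
        self.last_counter = -1        # highest time step that has already been accepted

    def verify(self, code: str, unix_time: int = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        counter = unix_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            # constant-time comparison so the check does not leak matching digits
            if hmac.compare_digest(hotp(self.key, candidate), code):
                if not self.allow_reuse and candidate <= self.last_counter:
                    return False   # replay of a code whose step was already consumed
                self.last_counter = max(self.last_counter, candidate)
                return True
        return False


# Constructed demo secret: base32 of the RFC 6238 reference key b"12345678901234567890".
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("current code for the demo secret:", totp(decode_base32_secret(DEMO_SECRET), int(time.time())))
```

With the reference key, `totp(key, 59)` yields `287082`, which is the RFC 6238 SHA-1 test vector for T=59 reduced to six digits; a second submission of the same code within the same 30-second step is rejected by the verifier.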
You can choose from a variety of TOTP-compatible mobile applications to store the TOTP secret key and generate the OTP. In this post, we show how to use Google Authenticator on the server-side and AWS Virtual MFA as the TOTP-compatible mobile application to generate the OTPs for authentication. Other examples of popular TOTP-compatible mobile applications include the official mobile app of Google Authenticator, the mobile app of Duo Security, Duo Mobile, and Authy.
Two-factor authentication for Amazon Linux with Google Authenticator and AWS Virtual MFA
1. Install AWS Virtual MFA or any other TOTP-compatible application on your phone.
2. Launch an Amazon Linux EC2 instance.
3. Install Google Authenticator:
sudo yum install google-authenticator -y
4. Launch Google Authenticator
[ec2-user@ip-10-0-1-205 ~]$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
5. At the prompt Do you want authentication tokens to be time-based (y/n), type y to configure your system to use time-based tokens.
6. Open the URL that is generated by Google Authenticator to display the QR code that you can use with your mobile application to download the secret key. For example:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/ec2-user@ip-10-0-1-205%3Fsecret%3D12345ABCDE
Your new secret key is: 12345ABCDE
7. For the remaining options, because Amazon EC2 instances use a reliable NTP server by default for time synchronization, there is no need to compensate for time-skew. Multiple uses and rate-limiting are optional; however, we recommend that you keep them enabled because they further improve security.
8. By default on Amazon Linux instances, SSH uses Pluggable Authentication Modules (PAM) for authentication, so we need to configure the sshd PAM stack to use Google Authenticator. Edit /etc/pam.d/sshd on the instance where you installed Google Authenticator, commenting out the “auth substack password-auth” line and adding a new line that specifies the Google Authenticator PAM module:
auth required pam_sepermit.so
auth required pam_google_authenticator.so
# auth substack password-auth
9. We also want to make sure that Google Authenticator is called for other types of authentications, such as “su” and “login.” Edit /etc/pam.d/system-auth as follows:
auth required pam_env.so
# auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_google_authenticator.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
10. Now edit the SSH daemon configuration file, /etc/ssh/sshd_config, so that Google Authenticator is called as a second factor of authentication. First, change the following option to “yes”:
ChallengeResponseAuthentication yes
11. Next, add a new line to the bottom of the file as follows:
AuthenticationMethods publickey,keyboard-interactive
12. Lastly, restart the SSH daemon on the server. To be safe, keep your current session open and test the new login from a second terminal window, so that a mistake in the configuration does not lock you out:
sudo /etc/init.d/sshd restart
Your Amazon Linux EC2 instance is now configured for two-factor authentication for SSH logins with Google Authenticator.
Duo Security
As your startup grows, managing individually configured TOTP on many Amazon EC2 instances can become a burden. Microsoft Active Directory and Windows Server users might already be familiar with RADIUS servers and how they can be used to implement and manage two-factor authentication. While this method can also be extended to Linux servers, implementation is often difficult and cannot be universally extended to other systems that require two-factor authentication.
This is where a solution like Duo Mobile, the authentication mobile app from Duo Security, comes in. Duo is an AWS-powered startup that provides two-factor authentication for a variety of systems, including VPNs, UNIX devices, custom software applications, and more. It allows companies to unify their MFA management and reporting for multiple systems such as VPNs, OWA, SSH, RDP, SSO, AWS APIs, the AWS Management Console, and more. Duo also supports different authentication methods including SMS, push notifications through the Duo mobile app, phone callbacks, or tokens, which are helpful in situations where cell networks might not be available or there’s no Internet connectivity.
Duo UNIX, the application used for two-factor authentication on Linux instances, has two deployment options: “login_duo” and “pam_duo.” While login_duo is easier to set up, it does not give you as much flexibility as a PAM-based deployment, for example:
- If you want to use SSH for port forwarding or tunneling, then you can’t use “login_duo” because OpenSSH sets them up before Duo’s two-factor challenge. In other words, an attacker could circumvent two-factor authentication if you are using “login_duo” and do not disable the tunneling and port forwarding functionality in your SSH configuration.
- PAM allows you to implement two-factor authentication for more than just the initial logins, notably for “sudo” and “su.”
- This is useful for situations where you do not want to require MFA for non-privileged access to internal-facing hosts, but do want to enforce it for any command that runs with elevated privilege.
- Similarly, you can use the PAM integration of Duo to provide MFA for servers using other common protocols such as FTP.
Two-factor authentication for Amazon Linux with Duo UNIX
1. Sign up for a Duo account at https://signup.duosecurity.com.
2. Create a new UNIX integration to get an integration key, secret key, and API hostname.
3. On your Amazon EC2 instance, download the latest version of Duo at https://dl.duosecurity.com/duo_unix-latest.tar.gz.
4. Configure and install it by using the “--with-pam” option:
./configure --with-pam --prefix=/usr && make && sudo make install
5. If your EC2 instance uses key-based authentication, modify the /etc/ssh/sshd_config file as follows:
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
6. Edit /etc/duo/pam_duo.conf and add your ikey (integration key), skey (secret key), and host (API hostname). You might also want to add the options “autopush=yes” to send the two-factor authentication request automatically on login, and “prompts=1” to insist on successful authentication on the first prompt. It will look something like this:
[duo]
ikey = ABCDEFGHIJKLMNO1P234
skey = mYSeCreTkEy
host = api-ab12c3d4.duosecurity.com
autopush = yes
prompts = 1
7. Replace the lines beginning with “auth” at the top of your PAM system configuration file, /etc/pam.d/system-auth, with the following:
auth required pam_env.so
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
8. If your EC2 instance uses key-based authentication for SSH access, replace the lines beginning with “auth” at the top of your PAM sshd configuration file, /etc/pam.d/sshd, with the following:
auth required pam_sepermit.so
auth required pam_duo.so
9. You can similarly adjust PAM configuration files in /etc/pam.d/ corresponding to other commands like “su” or “sudo” as required.
Your Amazon Linux EC2 instance is now configured for two-factor authentication for SSH logins with Duo. For step-by-step instructions and the latest updates, see the Duo UNIX documentation.
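As an added check for both procedures above (the Google Authenticator steps and the Duo UNIX steps), the script below audits an sshd_config and an /etc/pam.d/sshd file for the settings the post asks for: ChallengeResponseAuthentication, an AuthenticationMethods list that always includes keyboard-interactive, an MFA module on the PAM auth stack, and the “auth substack password-auth” line commented out. It also covers the login_duo caveat from the Duo section, where forwarding must be disabled in sshd because it is set up before Duo's challenge. This is example code written for this post, not part of Duo UNIX or Google Authenticator; the sample configuration files are constructed, and the parser only handles whitespace-separated keywords and skips Match blocks.

```python
MFA_MODULES = ("pam_google_authenticator.so", "pam_duo.so")


def parse_sshd_config(text):
    """Map lowercase keyword -> first value. sshd honours the first occurrence of a
    keyword; Match blocks are skipped (a simplification for this example)."""
    opts = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            opts.setdefault(key, value)
    return opts


def parse_pam_auth(text):
    """Return (control, module_or_target) for each active 'auth' line, joining
    bracketed controls such as [success=1 default=ignore]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() != "auth" or len(parts) < 3:
            continue
        if parts[1].startswith("["):
            end = next((i for i, p in enumerate(parts) if p.endswith("]")), 1)
            control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
        else:
            control, rest = parts[1], parts[2:]
        if rest:
            entries.append((control, rest[0]))
    return entries


def audit(sshd_config, pam_sshd, using_login_duo=False):
    """Return a list of findings; an empty list means the post's settings are present."""
    findings = []
    opts = parse_sshd_config(sshd_config)

    if opts.get("challengeresponseauthentication", "").lower() != "yes":
        findings.append("ChallengeResponseAuthentication is not yes: PAM cannot prompt for the OTP")

    methods = opts.get("authenticationmethods", "")
    if not methods:
        findings.append("AuthenticationMethods not set: a valid key alone still opens a session")
    elif any("keyboard-interactive" not in alt.split(",") for alt in methods.split()):
        findings.append("AuthenticationMethods has an alternative without keyboard-interactive: " + methods)

    if opts.get("passwordauthentication", "").lower() == "yes":
        findings.append("PasswordAuthentication is yes: the Duo steps set it to no when keys are used")

    if using_login_duo:
        # login_duo runs after OpenSSH has already set up forwarding, so forwarding has to
        # be off in sshd itself (AllowTcpForwarding defaults to yes, PermitTunnel to no).
        if opts.get("allowtcpforwarding", "yes").lower() != "no":
            findings.append("login_duo with AllowTcpForwarding enabled: forwarding is available before the Duo challenge")
        if opts.get("permittunnel", "no").lower() != "no":
            findings.append("login_duo with PermitTunnel enabled")

    entries = parse_pam_auth(pam_sshd)
    if not any(module in MFA_MODULES for _, module in entries):
        findings.append("no MFA PAM module (pam_google_authenticator.so or pam_duo.so) in the sshd auth stack")
    if any(c == "substack" and m == "password-auth" for c, m in entries):
        findings.append("'auth substack password-auth' still active: comment it out as in the steps above")
    return findings


# Constructed sample files (not copied from any real host).
GOOD_SSHD = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""
GOOD_PAM = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       required     pam_google_authenticator.so
# auth     substack     password-auth
account    required     pam_nologin.so
"""
BAD_SSHD = """\
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""
BAD_PAM = """\
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
"""

if __name__ == "__main__":
    for label, cfg, pam in (("good", GOOD_SSHD, GOOD_PAM), ("bad", BAD_SSHD, BAD_PAM)):
        print(label, audit(cfg, pam) or "OK")
```

Run it against the real files with `audit(open("/etc/ssh/sshd_config").read(), open("/etc/pam.d/sshd").read())` after the restart in the last step; the “bad” sample, which still has the substack line and no second factor, produces four findings, and the “good” sample produces none.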
Conclusion
By correctly implementing two-factor authentication for your Amazon EC2 Linux hosts, you can reduce risk and significantly increase security. There are many ways to implement two-factor authentication, but Google Authenticator and Duo UNIX plus PAM are two easy and highly secure solutions that will suit the needs of many startups that want to lock down access to their Amazon EC2 instances.