Add New User to EC2 Linux Instance with Google MFA: Ubuntu

tboyak

Tobi Akanji

Posted on January 19, 2022

User administration

Note

  • This tutorial is not for absolute beginners, but for people with some experience in Linux, the CLI and a bit of cloud technology.

  • The actions listed here are to be carried out by a superuser (preferably the root user), unless otherwise stated within context.

  • Where your machine or instance does not have the nano text editor, use vi (the vim text editor).

  • <...> represents placeholders in code snippets and configurations.

  • [...] represents optional parameters in code snippets and configurations.

  • Ensure you are logged in to the EC2 instance as a superuser.

Get Key Pair for The New User Account

You can generate a new key pair, or use an existing one.

To generate a new key pair

aws ec2 create-key-pair \
    --key-name <key-pair-name> \
    --key-type rsa \
    --query "KeyMaterial" \
    --output text > <key-pair-name>.pem

Download this file and keep it in a safe place where you will not lose it, e.g.:

  • in a secure and accessible cloud storage.

  • in an accessible key vault.

If your local machine runs Linux or macOS, ensure only the current user has access to this file:

chmod 400 <key-pair-name>.pem

Retrieve the public key from the key pair:

ssh-keygen -y -f /<path_to_key_pair>/<key-pair-name>.pem

If you will be using the same private key that was used to launch the instance, you can get its public key from the instance metadata service by running the following command on the instance:

TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

Copy the public key and keep it for later use.

Create New User

Switch to root:

su -

The above might ask for a root password that you never set, and you may not want to keep typing passwords anyway. In that case, use the following instead:

sudo -i

Add the new user:

sudo adduser <username>

If the user is to be a superuser:

sudo adduser <username> --disabled-password

Make User A Superuser

Add the user to the sudo group:

usermod -aG sudo <username>

-aG: append the user to the named supplementary group.

Verify that the user belongs to the superusers group:

groups <username>

Update The Superuser to Not Use Password

Superusers are usually not expected to need a password again once they have authenticated; hence the convention of not requiring a password for superusers' sudo commands.

Open the sudo permissions file:

sudo visudo

Add this to the opened file in the editor, save the file and exit the editor.

<username> ALL=(ALL) NOPASSWD:ALL

To avoid needing a password for this user at any password prompt, delete the user's password:

sudo passwd -d <username>

Henceforth, just press Enter whenever there is a password prompt, and you get authenticated.

If the user is not a superuser and you used the --disabled-password flag, the root user can set a new password for the user:

passwd <username>

Follow the prompts and press Enter when done.

Implement SSH Authentication

Switch to the new user:

su - <username>

Add .ssh directory to the new user’s home directory:

mkdir .ssh

Create the authorized_keys file:

touch .ssh/authorized_keys

Restrict read and write access to the new user only:

chmod 600 .ssh/authorized_keys

Update the new user's credentials by pasting the public key saved earlier into the file:

nano .ssh/authorized_keys

Save the file and close the editor.

You can also verify from the new user's own session that it belongs to the superusers group:

id

You should get output similar to the following:

uid=1004(<username>) gid=1004(<username>) groups=1004(<username>),<gid>(sudo)

Implement Google Auth MFA

Download the Google Authenticator mobile app on your mobile device if you do not have it. For Android, it is available on the Play Store.

Log in to the mobile app with your Google account.

Ensure you are logged in as the new user; otherwise, switch to it:

su - <username>

Install the Google Authenticator PAM module:

sudo apt install libpam-google-authenticator -y
# Ubuntu/Debian package name; on yum-based distributions use: sudo yum install google-authenticator -y

Initialize it:

google-authenticator

Open the Google Auth mobile app, press the plus button ➕ and scan the QR code in the CLI.

You can rename the new authentication on your mobile app to something more intuitive.

Answer the prompts as follows:

Do you want authentication tokens to be time-based (y/n) y

Do you want me to update your "/home/ec2-user/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication token?
This restricts you to one login about every 30s,
but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

# Select 'n' for the next question to keep 3 valid codes in a 1:30-minute window
By default,
tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time.
If you experience problems with poor time synchronization,
you can increase the window from its default size of 1:30min to about 4min.
Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force login attempts,
you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
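To make the three prompt answers above concrete (time-based tokens, a 1:30-minute window of three 30-second codes, no reuse of a code that already logged someone in), here is an added verifier written for this article, not code from the google-authenticator project. It implements RFC 4226/6238 HOTP/TOTP with HMAC-SHA1, the same construction the app and the PAM module use; the secret is a constructed test value (the RFC 6238 test vector), and the base32 helper assumes the secret is stored the way the .google_authenticator file stores it (its first line).

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each token is valid for, as the prompt above states


def secret_from_base32(b32: str) -> bytes:
    """Assumption: the first line of ~/.google_authenticator is the base32 secret."""
    return base64.b32decode(b32.strip().upper())


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter being the current 30-second step."""
    return hotp(secret, unix_time // STEP)


class Verifier:
    """Mirrors the answers given above: a window of three steps (current step,
    one before, one after) and no second use of a code that was accepted."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps  # 1 -> 3 codes / 1:30 min; larger widens it
        self.used_counters = set()    # counters already consumed by a login

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for counter in range(now - self.skew_steps, now + self.skew_steps + 1):
            if counter in self.used_counters:
                continue  # "disallow multiple uses of the same token"
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False


# Constructed sample secret: the RFC 6238 reference secret, base32-encoded.
SAMPLE_SECRET = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
```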

Configure SSH to use the Google Pluggable Authentication Module:

sudo nano /etc/pam.d/sshd

Append the following to the opened file in the editor:

auth required pam_google_authenticator.so [nullok]
auth required pam_permit.so

Disable password authentication by ensuring this line is commented out:

#auth       substack     password-auth

Change the SSH configuration to prompt for a second authentication factor:

sudo nano /etc/ssh/sshd_config

In the opened file, modify as follows:

#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes

In the same file, tell SSH that it must ask for both the SSH key and the verification code:

AuthenticationMethods publickey,keyboard-interactive

Save the file and close the editor.
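A check worth doing before restarting sshd, because sshd uses the first value it finds for a keyword: if a stock ChallengeResponseAuthentication no survives above the yes you added, the yes is silently ignored and the code prompt never appears. The following is an added example written for this article, not a project tool; it resolves the global (pre-Match) directives the way sshd does and reports which of the two settings above would block the key-plus-code login. The two configuration texts are constructed samples.

```python
# Constructed sample: the distribution's "no" was left in place above the "yes".
BAD_CONFIG = """\
ChallengeResponseAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""

# Constructed sample: edited as the article describes, plus a Match block that
# must not influence the global values.
GOOD_CONFIG = """\
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User backup
    AuthenticationMethods publickey
"""

# OpenSSH 8.7+ calls the keyword KbdInteractiveAuthentication and keeps
# ChallengeResponseAuthentication as a deprecated alias; treat them as one.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

REQUIRED = {
    "challengeresponseauthentication": "yes",
    "authenticationmethods": "publickey,keyboard-interactive",
}


def effective_options(text: str) -> dict:
    """Global values as sshd resolves them: keywords are case-insensitive,
    'Key value' or 'Key=value' both work, and the FIRST occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key = ALIASES.get(key.lower(), key.lower())
        if key == "match":
            break  # everything after Match is conditional, not global
        opts.setdefault(key, value.strip())  # later duplicates are ignored
    return opts


def mfa_config_problems(text: str) -> list:
    """List the directives whose effective value would stop the key+code login."""
    opts = effective_options(text)
    return [f"{key}: expected '{want}', effective '{opts.get(key)}'"
            for key, want in REQUIRED.items()
            if (opts.get(key) or "").lower() != want]
```

On the instance itself, `sudo sshd -T | grep -i -e challengeresponse -e kbdinteractive -e authenticationmethods` prints the values sshd actually resolved, which is the authoritative version of this check.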

Restart the SSH service for the changes to take effect, using either

sudo /etc/init.d/sshd restart

OR

sudo service sshd restart

Test Connection and Privileges

Open a new terminal on your local machine.

SSH into the instance with the new username and the associated private key:

ssh -i /<path_to_key_pair>/<key-pair-name>.pem <username>@<instance-public-dns-name>

It should prompt you for a verification code. Open your Google Authenticator app to get the current verification code for this instance, enter it at the prompt, and press the Enter key.

You should now be logged in to the instance as the new user who can perform sudo activities.

Conclusion

It sure was a journey coming this far, and I can but say, well done and congratulations!!! You have found something that works: for Ubuntu and most other Linux instances (some needing a few tweaks).

Thanks for reading through. But do not forget the references below: they could open you up to more possibilities beyond the scope of this tutorial.

As much as I have practiced this over time, and tried out different things with different documentation, your contributions are very welcome in the comments.

Enjoy exploring, learning, and growing!!!

References
