0

I have set up google two factor authentication on my local machine. So when I do : 

ssh localhost

I need to verify the code along with password. But when I try to connect to my Ec2 instance like so :

ssh -i mykey.pem ubuntu@x.x.x.x.x

It just asks for the password (here is no second factor). How could I provide the password along with the verify code that I see in my google app.

Thanks in advance.

batman
  • 321
  • 1
  • 5
  • 10

2 Answers2

0

In general, if you are using key-based authentication (the -i mykey.pem in your above example), ssh will bypass the PAM stack and authenticate you using only your key. If you're being prompted for a password it is probably for the key passphrase.

If you were to connect without using a key:

ssh ubuntu@x.x.x.x

The behavior should be the same as with your initial ssh localhost example.

Based on your questions, you may want to spend a little time reading some documentation. That link is explicitly about Amazon EC2 instances, but there are lots of other guides out there to setting up authentication with google-authenticator.

larsks
  • 43,623
  • 14
  • 121
  • 180
  • I have tried that, but it doesn't seem to be working either. when I do `ssh ubuntu@x.x.x.x` I get `Permission denied (publickey).`! – batman Aug 16 '12 at 12:38
  • Is your local `ssh` configured to not use password authentication? What if you run `ssh -o PasswordAuthentication=yes ubuntu@x.x.x.x`? – larsks Aug 16 '12 at 12:43
  • That is because you need to use the keyfile. And you do already have some kind of two factor auth, as the keyfile is one - password is two. – Frederik Aug 16 '12 at 12:44
  • If I run `ssh -o PasswordAuthentication=yes ubuntu@x.x.x.x` I get the same : `Permission denied (publickey).` – batman Aug 16 '12 at 12:46
  • AFAIK by default the EC2 Ubuntu AMIs are configured for key based authentication only. – James Yale Aug 16 '12 at 12:48
  • Take a look at your `/etc/ssh/sshd_config` and make sure that both `PasswordAuthentication` and `ChallengeResponseAuthentication` are set to `yes` (although the fact that it works from `localhost` is weird). – larsks Aug 16 '12 at 12:49
  • So I also need to install google-authenticator on Ec2? Is that so? – batman Aug 16 '12 at 12:54
  • You need the `google-authenticator` PAM module installed wherever you expect to be authenticating with it...and you need the command line tool for generating credentials. – larsks Aug 16 '12 at 13:13
0

When you setup 2 factor auth in this way it is a server side process, not client side. You've setup the SSH server component on your local machine to do 2 factor, which is why you're prompted for the additional credentials.

As the 2 factor auth doesn't depend on the client (that would add no security) you need to setup the SSH server on your EC2 instance to do 2 factor as well.

James Yale
  • 5,182
  • 1
  • 17
  • 20
  • Alright, if I do this way(having installed the google authenticator in ec2 instance too): `ssh ubuntu@x.x.x.x`, its asking for the password(after verification code). What password I need to give over here? I just downloaded my key without any passwords. – batman Aug 16 '12 at 12:48
  • Are you sure you didn't specify a password when you *created* the key pair that you're using? – James Yale Aug 16 '12 at 12:50
  • Yes I'm sure. I just gave a name and downloaded it! – batman Aug 16 '12 at 12:54