
I'm trying to create an authentication process for an Amazon EC2 Ubuntu instance that will require the use of a key pair generated by Amazon AND Google-Authenticator. Ergo, I want to log in to the instance with my pem file and then be prompted with the verification code prompt.

Verification code:

I've managed to log in to my server using my pem file. I have also managed to install Google-Authenticator successfully and use it to log in with a separate user (not ubuntu) that I've created and given a specific password.

On my /etc/ssh/sshd_config I have:

ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
AuthenticationMethods keyboard-interactive

and on my /etc/pam.d/sshd:

@include common-auth
auth required pam_google_authenticator.so

If I add publickey to AuthenticationMethods then on login I'm prompted for a password instead of using the pem file I'm providing in:

ssh -i my-key.pem ubuntu@*.*.*.*

How can I get OpenSSH to authenticate via pem file --> google-authenticator?

Thanks!

Agam Rafaeli-Farhadian

1 Answer

My solution was to be checked by a pem file, a password and a verification OTP. For this I had:

In: /etc/pam.d/sshd/:

@include common-auth
auth required pam_sepermit.so
auth required pam_google_authenticator.so

In: /etc/ssh/sshd_config/:

AuthenticationMethods publickey,keyboard-interactive

The rest of the configs are as described above. Notice publickey comes before keyboard-interactive in AuthenticationMethods, otherwise the verification code comes first and then the pem file checking.

Agam Rafaeli-Farhadian
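A check for the setting this answer turns on, as an added example that is not part of the original post: in `AuthenticationMethods`, a comma-separated list means every method in it must succeed, while space-separated lists are alternatives. The function names and `SPACE_CONFIG` are constructed for illustration; only `UsePAM` and the global `AuthenticationMethods` line are inspected, not the PAM stack.

```python
# Added example: audit sshd_config text for "key AND verification code" logins.
QUESTION_CONFIG = """\
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
AuthenticationMethods keyboard-interactive
"""
ANSWER_CONFIG = QUESTION_CONFIG.replace(
    "keyboard-interactive", "publickey,keyboard-interactive")
# Constructed mistake: a space instead of a comma turns the methods into alternatives.
SPACE_CONFIG = QUESTION_CONFIG.replace(
    "keyboard-interactive", "publickey keyboard-interactive")


def parse(text):
    """Return {lowercased keyword: value} for the global section.

    sshd uses the first value it obtains for a keyword, hence setdefault.
    """
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # Match blocks are conditional overrides; not evaluated here
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text):
    """Return a list of problems; an empty list means key + code are both required."""
    cfg = parse(text)
    problems = []
    if cfg.get("usepam", "no").lower() != "yes":
        problems.append("UsePAM is not yes, so the PAM stack is never consulted")
    # Each whitespace-separated list is one complete way to log in.
    for alt in cfg.get("authenticationmethods", "any").split():
        methods = [m.split(":")[0] for m in alt.split(",")]  # drop ":pam" suffixes
        missing = [m for m in ("publickey", "keyboard-interactive")
                   if m not in methods]
        if missing:
            problems.append(
                f"'{alt}' lets a login finish without: {', '.join(missing)}")
    return problems


if __name__ == "__main__":
    for name in ("QUESTION_CONFIG", "ANSWER_CONFIG", "SPACE_CONFIG"):
        print(name, audit(globals()[name]) or "OK")
```

On a live host, the effective values can be read with `sshd -T` and passed to `audit()` as text.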