Install SSH-only Google Authenticator (2FA) for users via EC2 User Data on first boot.
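#!/bin/bash
# Ubuntu 18.04 account creation and Google 2FA/MFA, intended as EC2 User Data
# at instance launch: creates the users listed below, installs their SSH keys,
# enables libpam-google-authenticator for sshd, and forces TOTP enrollment on
# each user's first interactive login.
#
# Runs as root under cloud-init. Abort on the first failed step so sshd is
# never restarted with a half-applied configuration (the instance then stays
# reachable through the pre-existing key-only setup).
set -euo pipefail

# Users to create, keyed by username; the value is the SSH public key line
# written to ~/.ssh/authorized_keys. No space after '=' — with one, bash
# assigns an empty string and tries to run the key as a command.
declare -A USERKEY
USERKEY[user_a]="[public key here]"
USERKEY[user_b]="[public key here]"

# Who has (passwordless) sudo access: set the value to 'y' for each such user.
declare -A SUDOUSER
SUDOUSER[user_a]=y

readonly SUDOERS_FILE=/etc/sudoers.d/90-cloud-init-users
readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly PAM_SSHD=/etc/pam.d/sshd
readonly MFA_PROFILE=/etc/profile.d/mfa.sh

#######################################
# Append a line to a file unless an identical line is already present, so a
# re-run does not stack duplicate directives.
# Arguments: $1 - line to add, $2 - file
#######################################
append_once() {
  local line=$1 file=$2
  # grep's stderr is discarded only to cover a not-yet-existing file; the
  # '||' branch then creates it.
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# Create one login account with key-only SSH access.
# Globals:   USERKEY (read), SUDOUSER (read), SUDOERS_FILE (appended)
# Arguments: $1 - username
#######################################
create_user() {
  local user=$1
  local ssh_dir="/home/$user/.ssh"

  # --disabled-password: no usable password hash; --gecos "" keeps adduser
  # non-interactive.
  adduser --disabled-password --gecos "" "$user"

  # Read-only access to log files via the adm group. Other groups you may
  # want here: apache, nginx, mysql etc. for their log files.
  usermod -a -G adm "$user"

  # ':-' because a user without an entry would otherwise trip 'set -u'.
  if [[ "${SUDOUSER[$user]:-}" == 'y' ]]; then
    usermod -a -G sudo "$user"
    printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$user" >> "$SUDOERS_FILE"
  fi

  # Install the key with explicit modes instead of 'chmod -R go-rx', which
  # leaves whatever group/other write bits the umask happened to produce.
  mkdir -p -- "$ssh_dir"
  printf '%s\n' "${USERKEY[$user]}" >> "$ssh_dir/authorized_keys"
  chown -R "$user:$user" "$ssh_dir"
  chmod 700 "$ssh_dir"
  chmod 600 "$ssh_dir/authorized_keys"
}

#######################################
# Create every user in USERKEY and validate the sudoers drop-in.
# Globals:   USERKEY (read), SUDOERS_FILE (mode set, checked)
#######################################
create_users() {
  local user
  for user in "${!USERKEY[@]}"; do
    create_user "$user"
  done
  # sudo ignores drop-in files that are not mode 0440, and a syntax error in
  # one disables sudo for everybody; 'visudo -c' fails the script instead.
  if [[ -e "$SUDOERS_FILE" ]]; then
    chmod 0440 "$SUDOERS_FILE"
    visudo -cf "$SUDOERS_FILE"
  fi
}

#######################################
# Fetch updates, upgrade the server and install the PAM TOTP module.
#######################################
install_packages() {
  # Non-interactive so apt never waits on a debconf prompt under cloud-init.
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get upgrade -y
  apt-get install -y libpam-google-authenticator
}

#######################################
# Make Google Authenticator the only factor behind keyboard-interactive.
# Globals:   PAM_SSHD (edited)
#######################################
configure_pam() {
  # common-auth is the stack that accepts a Unix password; commenting it out
  # prevents password auth through sshd's PAM conversation.
  sed -i 's/^@include common-auth/#@include common-auth/' "$PAM_SSHD"
  # nullok: a user with no ~/.google_authenticator yet passes this module, so
  # the first login succeeds on the key alone and the profile hook can enroll
  # them. Every later login requires a TOTP code.
  append_once 'auth required pam_google_authenticator.so nullok' "$PAM_SSHD"
  # Needed since Ubuntu 18.04. pam_permit succeeds every time; it marks the
  # auth chain successful when no earlier module did, which is never the case
  # here but is required once common-auth is gone.
  append_once 'auth required pam_permit.so' "$PAM_SSHD"
}

#######################################
# Install the first-login enrollment hook.
# Globals:   MFA_PROFILE (written)
#######################################
install_enrollment_hook() {
  # When a user logs in without google-authenticator set up they are shown
  # their QR code / secret / scratch codes and the session is ended; from then
  # on each login needs a TOTP token via keyboard-interactive.
  # NOTE: /etc/profile.d is sourced by bash *login* shells only, so an
  # 'ssh host cmd' or sftp session does not run this hook; with nullok in
  # place, an unenrolled user is still admitted on the key alone through
  # those paths. Remove nullok once every user has enrolled.
  cat > "$MFA_PROFILE" <<'EOF'
if [ ! -e ~/.google_authenticator ]; then
  google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3
  echo
  echo "Save the generated emergency scratch codes and use secret key or scan the QR code to
 register your device for multifactor authentication."
  echo
  echo "Login again using your ssh key pair and the generated One-Time Password on your registered
 device."
  echo
  logout
fi
EOF
  chmod 644 "$MFA_PROFILE"
}

#######################################
# Require public key AND a TOTP challenge for every SSH login, then restart
# sshd only after the configuration validates.
# Globals:   SSHD_CONFIG (edited)
#######################################
configure_sshd() {
  # Enable the MFA challenge. Handles the directive whether Ubuntu shipped it
  # active or commented out; appended if absent.
  sed -i -E 's/^#?ChallengeResponseAuthentication .*/ChallengeResponseAuthentication yes/' "$SSHD_CONFIG"
  append_once 'ChallengeResponseAuthentication yes' "$SSHD_CONFIG"
  # sshd honours the first AuthenticationMethods it sees, so drop any earlier
  # one before appending ours. Needs 'UsePAM yes' (Ubuntu's default) for the
  # keyboard-interactive leg; 'password' is deliberately not listed.
  # Alternative that also allows key+password:
  #   AuthenticationMethods publickey,password publickey,keyboard-interactive
  sed -i -E '/^#?AuthenticationMethods[[:space:]]/d' "$SSHD_CONFIG"
  printf 'AuthenticationMethods publickey,keyboard-interactive\n' >> "$SSHD_CONFIG"
  # Validate before restarting: a broken sshd_config would otherwise leave the
  # instance unreachable, whereas failing here keeps the running sshd up.
  sshd -t
  systemctl restart sshd.service
}

main() {
  create_users
  install_packages
  configure_pam
  # Hook goes in before sshd is restarted so no login can precede it.
  install_enrollment_hook
  configure_sshd
  # Reboot so apt packages that require a reboot are applied (optional).
  reboot
}

main "$@"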