In the current setup, I have a bastion/jump server with a public IP, password authentication, and MFA enabled with Google Authenticator. I have a private host with inbound rules allowing SSH only from the security group in which my bastion host exists. The ask is: I want to allow the users of my jumpbox host to log in directly to the private hosts in the cluster with their password, instead of me creating their users and setting a password for them on the private host (with user data or using an elastic IP).
Currently, I am creating a user on the private servers by using an elastic IP. I am expecting a solution where I could have a script in the user data which will allow all the users of the bastion host to log in directly with their password. That way I will only have to create users on the bastion host and not worry about the private hosts.
Steps to reproduce:
- Create an EC2 instance in the public subnet.
- Log in as the root user.
- Edit the `/etc/ssh/sshd_config` file and update the following lines:
  - `PasswordAuthentication yes`
  - `PermitRootLogin yes`
- Set up a password for `ec2-user` with the following command: `passwd ec2-user`, then enter the password.
- Enable Google Authenticator for the bastion host:
  - `sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm`
  - `sudo yum install google-authenticator.x86_64 -y`
  - `sudo vi /etc/pam.d/sshd`
  - Add this line at the end: `auth required pam_google_authenticator.so nullok`
  - `sudo vi /etc/ssh/sshd_config`
  - Add this line: `ChallengeResponseAuthentication yes`
  - Open google-authenticator and set up MFA.
  - Refer to this page for more info: https://www.middlewareinventory.com/blog/aws-mfa-ssh-ec2-setup/
- Finally, restart the sshd service: `service sshd restart`
- Now, create an EC2 instance in the private subnet and allow inbound traffic on port 22 (SSH) from the security group of your jump server.
By default, the private EC2 instance will ask for the private key. I could forward the private key from my local system via the bastion host to the private server. But instead, I want to use password authentication even for the private servers.
I hope the description was concise enough. Let me know in the comments if you need anything else.
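The sshd and PAM edits listed in the steps above, written as an idempotent POSIX shell script of the kind that would go into user data. This is an added example, not code from the original post or from the linked article. The file paths are parameters (assumption: `/etc/ssh/sshd_config` and `/etc/pam.d/sshd` on a real host) so the functions can be exercised on constructed temporary copies; the demo at the bottom only touches temp files. `PermitRootLogin` is deliberately left alone here, because the flow described in the post logs users in under their own accounts and does not need root login.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sshd/PAM settings the
# post lists, idempotently, as a user-data script would. File paths are passed
# in so the same functions run against constructed temp copies; on a real host
# pass /etc/ssh/sshd_config and /etc/pam.d/sshd.

# set_sshd_option FILE KEY VALUE
# sshd honours the first occurrence of a keyword, and a directive appended at
# the end of the file may land inside a trailing "Match" block, so we rewrite
# the existing line in place (active or commented out) and append only when
# the keyword is absent. Several matching lines all collapse to the same value.
set_sshd_option() {
  _file=$1; _key=$2; _value=$3
  if grep -Eq "^[#[:space:]]*${_key}([[:space:]]|\$)" "$_file"; then
    sed -i.bak -E "s/^[#[:space:]]*${_key}([[:space:]].*)?\$/${_key} ${_value}/" "$_file"
    rm -f "${_file}.bak"
  else
    printf '%s %s\n' "$_key" "$_value" >> "$_file"
  fi
}

# ensure_line FILE LINE : append LINE exactly once (used for the PAM rule).
ensure_line() {
  grep -Fxq -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# effective_option FILE KEY : the value sshd would use (first active match).
effective_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# configure_bastion SSHD_CONFIG PAM_SSHD
# The settings from the post. Validate with "sshd -t" before
# "service sshd restart"; a syntax error in sshd_config would otherwise
# leave the instance unreachable after the restart.
configure_bastion() {
  set_sshd_option "$1" PasswordAuthentication yes
  set_sshd_option "$1" ChallengeResponseAuthentication yes
  ensure_line "$2" "auth required pam_google_authenticator.so nullok"
}

# Demo on constructed copies resembling a stock sshd_config and pam.d/sshd.
demo() {
  sshd_tmp=$(mktemp); pam_tmp=$(mktemp)
  printf '#PasswordAuthentication yes\nChallengeResponseAuthentication no\nPermitRootLogin no\n' > "$sshd_tmp"
  printf '#%%PAM-1.0\nauth       required     pam_sepermit.so\n' > "$pam_tmp"
  configure_bastion "$sshd_tmp" "$pam_tmp"
  configure_bastion "$sshd_tmp" "$pam_tmp"   # second run must change nothing
  echo "--- sshd_config (constructed) ---"; cat "$sshd_tmp"
  echo "--- pam.d/sshd (constructed) ---"; cat "$pam_tmp"
  rm -f "$sshd_tmp" "$pam_tmp"
}

demo
```

Running `configure_bastion` twice on the same files is the point of the demo: a user-data script may be re-run on reboot or re-applied by hand, and a naive `echo ... >> /etc/ssh/sshd_config` would accumulate duplicate directives, with sshd silently honouring only the first one.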