DEV Community

Discussion on: 2 factor authentication for SSH

Collapse
ferricoxide profile image
Thomas H Jones II • Edited on

One of the thing I like about deploying on AWS: Instance Connect. Install the Instance Connect binaries on your EC2 and disable password logins. Need to SSH in? Use the AWS CLI to push a copy of your public key to your EC2's user-account, then do a key-login. Best part? The pushed-key is automatically removed after fifteen minutes. Outside of AWS, you can brew up an ephemeral-key solution with SSHD's AuthorizedKeysCommand.

Also: Duo, Okta and a few other 2FA providers make nice, easy PAM drop-ins as well. Pair the 2FA with ephemeral keys and your exposure becomes limited to flaws in the daemon itself ...which can be heavily mitigated with fail2ban.

Collapse
jjasghar profile image
JJ Asghar Author

Awesome, yeah the one cloud I've never used is actually AWS.

Luckily this article is any cloud with SSH access :)