
How to set up two-factor authentication on an AWS EC2 Linux instance

Posted at 2021-06-18

Switch to the root user.

$ sudo -i

Set a password for ec2-user.

# passwd ec2-user
New password:
BAD PASSWORD: The password fails the dictionary check - it is too simplistic/systematic
Retype new password:
passwd: all authentication tokens updated successfully.

Edit /etc/ssh/sshd_config.

Before editing

    61  #PasswordAuthentication yes
    62  #PermitEmptyPasswords no
    63  PasswordAuthentication no

After editing (line 142 is a newly added line)

    61  PasswordAuthentication yes
    62  PermitEmptyPasswords no
    63  #PasswordAuthentication no

   142  AuthenticationMethods publickey,password publickey,keyboard-interactive

Restart the ssh daemon.

systemctl restart sshd
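
The configuration edit above can be checked with a script (an added example, not part of the original article): it reads sshd_config-style text, such as the output of `sshd -T` run as root, and confirms that every AuthenticationMethods list requires publickey plus a second method. The function names and the sample input are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article). Input: sshd_config-style
# text on stdin, e.g. `sshd -T` run as root, or the file itself.

# Print the effective value of keyword $1 (sshd keeps the first occurrence).
effective() {
    awk -v k="$1" 'tolower($1) == tolower(k) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# Return 0 only if every AuthenticationMethods list needs publickey plus at
# least one more method, and password is enabled where a list names it.
check_two_factor() {
    cfg=$(cat)
    methods=$(printf '%s\n' "$cfg" | effective AuthenticationMethods)
    pw=$(printf '%s\n' "$cfg" | effective PasswordAuthentication)
    pw=${pw:-yes}   # OpenSSH default when the keyword is absent
    [ -n "$methods" ] || { echo "AuthenticationMethods not set"; return 1; }
    for list in $methods; do
        count=$(( $(printf '%s\n' "$list" | tr ',' '\n' | wc -l) ))
        case ",$list," in
            *,publickey,*) ;;
            *) echo "no publickey in list: $list"; return 1 ;;
        esac
        [ "$count" -ge 2 ] || { echo "single method: $list"; return 1; }
        case ",$list," in
            *,password,*)
                [ "$pw" = "yes" ] || { echo "password not enabled"; return 1; } ;;
        esac
    done
    echo "ok: $methods"
}

# Constructed sample: the "after editing" lines shown in this article.
sample_after() {
    cat <<'EOF'
PasswordAuthentication yes
PermitEmptyPasswords no
#PasswordAuthentication no
AuthenticationMethods publickey,password publickey,keyboard-interactive
EOF
}

sample_after | check_two_factor
```

On the server, `sshd -t` validates the file syntax and `sshd -T | check_two_factor` applies the check to the effective configuration; keeping the current SSH session open until a new login succeeds avoids a lockout.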

A successful login with two-factor authentication

PS C:\WINDOWS\system32> ssh -i C:\Users\user\Downloads\private.pem ec2-user@52.123.123.123
The authenticity of host '52.123.123.123 (52.123.123.123)' can't be established.
ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxx
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '52.123.123.123' (ECDSA) to the list of known hosts.
ec2-user@52.123.123.123's password:
Last login: Fri Jun 18 13:17:46 2021 from example.net

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-172-123-123-123 ~]$

A failed login attempt using only the private key

PS C:\WINDOWS\system32> ssh -i C:\Users\user\Downloads\private.pem ec2-user@52.123.123.123
ec2-user@52.123.123.123's password:
Permission denied, please try again.
ec2-user@52.123.123.123's password:
Permission denied, please try again.
ec2-user@52.123.123.123's password:
ec2-user@52.123.123.123: Permission denied (password).

TeraTerm, which I normally use, does not seem to support two-factor authentication.
