Deploying Duo on Linux
If you are the administrator of a Caltech-owned system and would like to implement Duo multi-factor authentication to protect Linux/Unix (local logins, SSH connections, and/or sudo requests), IMSS can help.
Getting started
- Local usernames on your system should match access.caltech usernames. This is necessary for a smooth setup and low maintenance deployment. Please discuss this with Information Security if you have any questions or concerns.
- When you are ready to begin, email security@caltech.edu with the following information:
  - Duo integration type (e.g. Windows, Linux):
  - Number of systems you plan on deploying Duo on:
  - Descriptive name of the system or group of systems:
  - List other contacts responsible for these systems:
  - Confirm whether the usernames on these systems match each person's access.caltech username:
- Information Security will respond with a secure link using Caltech 1Password containing a set of Duo API keys. If you have not yet used Caltech 1Password, you will first receive an invitation to sign up for an account.
Installing Duo
At this point, you should have already received a set of Duo API keys from Information Security including: API Hostname, Integration Key, and Secret Key.
- Download and extract the latest version of duo_unix and verify the download against the published checksum. Change to the extracted directory (your actual directory name reflects the version downloaded; the example syntax below references version 1.10.1).
$ wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
$ tar zxf duo_unix-latest.tar.gz
$ cd duo_unix-1.10.1
- Build and install duo_unix with PAM support (pam_duo). (For advanced build options, see the README file in the source tarball.)
$ ./configure --with-pam --prefix=/usr && make && sudo make install
- Once duo_unix is installed, edit /etc/duo/pam_duo.conf (in /etc/duo or /etc/security) to add the integration key, secret key, and API hostname from your Duo Unix application.
[duo]
; Duo integration key
ikey = INTEGRATION_KEY
; Duo secret key
skey = SECRET_KEY
; Duo API hostname
host = API_HOSTNAME
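The following script is an added example and is not part of this page or of Duo's own tooling. It sanity-checks a pam_duo.conf before the stack goes live: it confirms that the three values above have been filled in rather than left at the placeholders, and that the file is not readable by other users, since skey is a credential (the check assumes the mode 0600 that make install gives the file; it uses GNU stat, so it is Linux-specific). The sample files it builds are constructed inline with made-up values.

```shell
#!/bin/sh
# Added example (not from the IMSS page or from Duo): check a pam_duo.conf for
# the two mistakes that most often bite a first deployment: placeholders left
# in place, and a secret key readable by every local user. Assumes GNU stat.
check_pam_duo_conf() {
    conf=$1
    rc=0
    [ -f "$conf" ] || { echo "MISSING  $conf"; return 1; }
    mode=$(stat -c '%a' "$conf")
    case "$mode" in
        600|400) echo "OK       mode $mode" ;;
        *)       echo "WRONG    mode $mode (secret key readable by others; expected 600)"; rc=1 ;;
    esac
    for key in ikey skey host; do
        # first "key = value" line that is not a ";" comment; empty means not set
        val=$(awk -F '=' -v k="$key" '
            /^[ \t]*;/ { next }
            { name = $1; gsub(/[ \t]/, "", name) }
            name == k  { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        ' "$conf")
        case "$val" in
            "")                                      echo "MISSING  $key"; rc=1 ;;
            INTEGRATION_KEY|SECRET_KEY|API_HOSTNAME) echo "WRONG    $key still has the placeholder $val"; rc=1 ;;
            *)                                       echo "OK       $key is set" ;;
        esac
    done
    return $rc
}

# Constructed sample 1: the file as it looks right after "make install",
# but with mode 644 so that both kinds of finding show up
demo_placeholders() {
    f=$(mktemp) || return 2
    printf '%s\n' '[duo]' '; Duo integration key' 'ikey = INTEGRATION_KEY' \
        '; Duo secret key' 'skey = SECRET_KEY' '; Duo API hostname' 'host = API_HOSTNAME' > "$f"
    chmod 644 "$f"
    check_pam_duo_conf "$f"; rc=$?
    rm -f "$f"
    return $rc
}

# Constructed sample 2: filled in (made-up values, not Duo credentials) and locked down
demo_filled() {
    f=$(mktemp) || return 2
    printf '%s\n' '[duo]' 'ikey = EXAMPLE-IKEY-NOT-REAL' \
        'skey = example-skey-not-real' 'host = api-example.invalid' > "$f"
    chmod 600 "$f"
    check_pam_duo_conf "$f"; rc=$?
    rm -f "$f"
    return $rc
}

echo "== placeholder file =="; demo_placeholders || echo "not ready (exit $?)"
echo "== filled-in file ==";   demo_filled       || echo "not ready (exit $?)"
```

On a real host run it as check_pam_duo_conf /etc/duo/pam_duo.conf (or the /etc/security path if that is where your build placed the file); a non-zero exit means at least one finding was printed.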
Public Key Authentication
- If you would like to use pam_duo with SSH public key authentication, make the following changes to your sshd_config file (usually in /etc or /etc/ssh).
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
Note that you cannot support a choice of either password or key authentication on the same SSH service if you are also requiring Duo. Duo will work with password authentication and it will work with key authentication, but not both forms of authentication on the same service.
PAM Configuration
- You'll need to modify your system's PAM configuration to include a line like the following:
auth required pam_duo.so
The location of this line and the control flag it uses (e.g. "required", "requisite", "sufficient") vary between distributions. For most common configurations, place pam_duo directly after pam_unix (frequently found in common-auth or system-auth on Linux), change pam_unix's control flag to "requisite", and give pam_duo the control flag that pam_unix previously had.
If you want to use pam_duo with your installation of OpenSSH sshd, set both UsePAM and ChallengeResponseAuthentication to yes in your sshd_config file (usually in /etc or /etc/ssh). You should also set UseDNS to no so that PAM Duo is always passed the IP address of the connecting user, rather than the resolved hostname.
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
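The script below is an added example, not part of this page or of OpenSSH, that audits an sshd_config for the six directives set in the two sections above. It follows sshd's own rules: the first occurrence of a keyword wins, the Keyword=value spelling is accepted, and anything under a Match block is conditional, so the audit stops there and flags the block for manual review. It also accepts KbdInteractiveAuthentication, which is the name OpenSSH 8.7 and later use for ChallengeResponseAuthentication (the old name remains an alias). The two sample configurations are constructed inline.

```shell
#!/bin/sh
# Added example (not from the IMSS page, Duo, or OpenSSH): audit an sshd_config
# for the settings needed when pam_duo is combined with public-key logins.
# Reads the path given as $1, or stdin when no argument is given.
audit_sshd_config() {
    awk '
    BEGIN {
        want["pubkeyauthentication"]            = "yes"
        want["passwordauthentication"]          = "no"
        want["authenticationmethods"]           = "publickey,keyboard-interactive"
        want["usepam"]                          = "yes"
        want["challengeresponseauthentication"] = "yes"
        want["usedns"]                          = "no"
    }
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        sub(/[ \t]*=[ \t]*/, " ", line)         # "Keyword=value" is also legal
        split(line, f, /[ \t]+/)
        key = tolower(f[1]); val = tolower(f[2])
        # OpenSSH 8.7+ name for the same directive; the old name is an alias
        if (key == "kbdinteractiveauthentication") key = "challengeresponseauthentication"
        if (key == "match") {
            print "NOTE     Match block found; directives below it are conditional and were not audited"
            exit
        }
        if (key in want && !(key in seen)) seen[key] = val   # first occurrence wins
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen))            { printf "MISSING  %s not set explicitly (expected %s)\n", k, want[k]; bad = 1 }
            else if (seen[k] != want[k]) { printf "WRONG    %s = %s (expected %s)\n", k, seen[k], want[k]; bad = 1 }
            else                         { printf "OK       %s = %s\n", k, seen[k] }
        }
        exit bad
    }' ${1:+"$1"}
}

# Constructed sample 1: the settings this page asks for, followed by a Match block
GOOD_CONFIG='Port 22
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
# anything under Match applies only to the matched connections
Match Address 10.0.0.0/8
    UseDNS yes'

# Constructed sample 2: a config that was never adjusted for Duo
BAD_CONFIG='UsePAM yes
PasswordAuthentication yes
KbdInteractiveAuthentication no'

audit_good() { printf '%s\n' "$GOOD_CONFIG" | audit_sshd_config; }
audit_bad()  { printf '%s\n' "$BAD_CONFIG"  | audit_sshd_config; }

echo "== compliant sample ==";    audit_good || echo "non-compliant (exit $?)"
echo "== unadjusted sample ==";   audit_bad  || echo "non-compliant (exit $?)"
```

After editing the live file, run audit_sshd_config /etc/ssh/sshd_config, then sshd -t to syntax-check the configuration before reloading the service.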
PAM examples
Amazon Linux
/etc/pam.d/system-auth
Before:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
After:
auth required pam_env.so
# auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
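As an added example (not part of this page or of Duo's tooling), the script below applies the placement rule from the PAM Configuration section mechanically: the first "auth <flag> pam_unix.so" line is kept as a comment, re-emitted with control flag "requisite", and followed by "auth <flag> pam_duo.so" carrying the flag pam_unix had; every other line passes through unchanged. Fed the Before stack above, it produces exactly the After stack. It handles single-word control flags only; Debian-style bracketed flags such as "[success=1 default=ignore]" put the module name in a later field and still need hand editing. The Before input is constructed inline from the listing above.

```shell
#!/bin/sh
# Added example (not from the IMSS page or from Duo): rewrite an auth stack so
# that pam_duo runs directly after pam_unix, following the page's rule.
# Reads the file given as $1, or stdin when no argument is given.
# Caveat: only single-word control flags are handled (see lead-in).
insert_pam_duo() {
    awk '
    $1 == "auth" && $3 == "pam_unix.so" && !done {
        print "# " $0                       # keep the original line for reference
        flag = $2                           # the control flag pam_unix had (e.g. sufficient)
        $2 = "requisite"; print             # local password must now succeed before Duo runs
        print "auth " flag " pam_duo.so"    # pam_duo takes over the old flag
        done = 1
        next
    }
    { print }' ${1:+"$1"}
}

# Constructed input: the Amazon Linux "Before" stack shown above
BEFORE='auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so'

# The stack the rewrite should produce (the "After" listing above)
EXPECTED='auth required pam_env.so
# auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so'

rewrite_demo() { printf '%s\n' "$BEFORE" | insert_pam_duo; }

if [ "$(rewrite_demo)" = "$EXPECTED" ]; then
    echo "rewrite matches the expected After stack:"
else
    echo "rewrite differs from the expected After stack:"
fi
rewrite_demo
```

Use it on a copy first, for example insert_pam_duo /etc/pam.d/system-auth > /tmp/system-auth.new followed by diff -u /etc/pam.d/system-auth /tmp/system-auth.new, and keep an existing root session open while you test the new stack, because a mistake in system-auth can lock out every login, not just SSH.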
SSH Public Key Authentication
/etc/pam.d/sshd
Before:
auth required pam_sepermit.so
auth substack password-auth
After:
auth required pam_sepermit.so
# auth substack password-auth
auth required pam_duo.so
Now when you SSH to this server you should see a Duo prompt.