Duo Unix SSH Installation Directions

This document details the installation instructions for Duo Unix SSH (Secure Shell). Follow these instructions to set up two-factor authentication with Duo for SSH on your Unix server.

Install the Duo Package

Install the appropriate Duo package for your version of Unix.

RHEL

  1. Import the Duo package RPM signing key:
     rpm --import https://duo.com/RPM-GPG-KEY-DUO
  2. Either configure an external Yum repository from Duo or subscribe to the Red Hat Satellite Duo channel. If your particular Red Hat version does not have a Duo channel yet, please contact satellite-admins@umich.edu.
  • External Repository:
    1. Download the package directly from Duo.
    2. Configure the external Yum repository by creating /etc/yum.repos.d/duosecurity.repo with these contents:
       [duosecurity]
       name=Duo Security Repository
       baseurl=http://pkg.duosecurity.com/RedHat/$releasever/$basearch
       enabled=1
       gpgcheck=1
  • Satellite Install:
    1. There should be a Duo channel under the base channel for your Red Hat release. Subscribe to that and install the duo_unix package.

Ubuntu

  1. Get the package from Duo.
  2. Install with dpkg.

Create a Duo Application for Your Unix Server

Create a Duo application for your Unix server. We recommend that you create each server as a unique Duo application.

Recommended values:

  • UNITABBR = your 3-character AD prefix
  • Name: $UNITABBR SSH $FQDN (example: ITS SSH dodo.dsc.umich.edu)
  • User Normalization: Simple
  • New user policy: Deny Access
  • Trusted Networks:
    Note: This only works if you disable DNS in sshd_config. We have submitted a request to allow FQDNs as well, since ITS is planning to leave DNS enabled.

Save the Integration Key and Secret Key. These are unique for every application.

The API hostname will be the same for all your applications and is based on the Duo environment.

For the U-M production environment, submit a service request to the ITS Service Center and ask that it be routed to the ITS Identity and Access Management Operations team (the IAM Operations and Data ServiceLink assignment group). They can provide this information by either migrating a test application to production or creating a new application in Prod.

Local Duo Config Files

Update /etc/duo/pam_duo.conf and /etc/duo/login_duo.conf with the integration key, secret key, and API hostname saved earlier. You can test by running the /usr/sbin/login_duo command.

Additional options are available and documented at Duo Unix - Two-Factor Authentication for SSH (login_duo).

Recommendations include:

  • http_proxy=http://duo-proxy.dsc.umich.edu/
    • This is a campus AuthProxy server. Any servers on private networks or that can’t reach outbound systems will have to use this.
  • groups = *,!not2fa
    • This flag can be used to determine which Unix groups should or should not be prompted for Duo authentication.
    • In this example, every user except those in the not2fa group will have to use Duo.
  • failmode = secure
    • If your server is not configured properly or can’t reach Duo, it will not allow access. Make sure to pair this with an alternate access path, however, such as VMware console access.
  • autopush = yes
    • Instead of showing the menu below, Duo will automatically send a push notification to the user.

Enter a passcode or select one of the following options:

  1. Duo Push to XXX-XXX-0142
  2. Phone call to XXX-XXX-0142
  3. SMS passcodes to XXX-XXX-0142

Passcode or option (1-3):
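As an added example (not Duo's code and not part of the original page), the following Python script checks a pam_duo.conf or login_duo.conf against the recommendations above and shows how a `groups` pattern such as `*,!not2fa` decides who is prompted. It assumes the settings live under a `[duo]` section as `key = value` lines, that Duo integration keys are 20 characters and secret keys 40, that `failmode` defaults to `safe` when unset, that the `groups` pattern means "prompt when some group matches a positive entry and none matches a `!` entry", and that the file should be mode 0600 because it holds the secret key. The sample configuration is constructed with placeholder keys.

```python
"""Sanity-check a pam_duo.conf / login_duo.conf against the recommendations above.

Added example, not Duo's code. Assumptions: settings live under a [duo] section
as key = value lines; Duo integration keys are 20 characters and secret keys 40;
failmode defaults to "safe" when unset; the file should be mode 0600 because it
holds the secret key.
"""
import fnmatch
import os
import re
import stat
import tempfile

# Constructed sample with placeholder keys; these are not real credentials.
SAMPLE_CONF = f"""
[duo]
ikey = DI{'X' * 18}
skey = {'deadbeef' * 5}
host = api-XXXXXXXX.duosecurity.com
failmode = safe
groups = *,!not2fa
autopush = yes
http_proxy = http://duo-proxy.dsc.umich.edu/
"""


def parse_duo_conf(text):
    """Return the key/value pairs of the [duo] section, ignoring # and ; comments."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "duo" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def duo_required(user_groups, pattern):
    """Apply a 'groups' pattern like '*,!not2fa' to a user's group list.

    Assumed semantics: the user is prompted when any group matches a positive
    entry and no group matches a '!' (excluded) entry. Shell-style globs apply.
    """
    positive, negative = [], []
    for entry in (p.strip() for p in pattern.split(",") if p.strip()):
        (negative if entry.startswith("!") else positive).append(entry.lstrip("!"))
    if any(fnmatch.fnmatchcase(g, n) for g in user_groups for n in negative):
        return False
    return any(fnmatch.fnmatchcase(g, p) for g in user_groups for p in positive)


def check_settings(settings):
    """Return a list of findings; an empty list means the recommendations are met."""
    findings = []
    for key, length in (("ikey", 20), ("skey", 40)):
        if len(settings.get(key, "")) != length:
            findings.append(f"{key} is missing or not {length} characters (assumed length)")
    if not settings.get("host", "").endswith(".duosecurity.com"):
        findings.append("host is not a *.duosecurity.com API hostname")
    if settings.get("failmode", "safe").lower() != "secure":
        findings.append("failmode is not 'secure': an outage or misconfiguration would let logins through without Duo")
    if "groups" not in settings:
        findings.append("groups is unset; the page recommends groups = *,!not2fa")
    if settings.get("autopush", "no").lower() != "yes":
        findings.append("autopush is not 'yes'; users will see the menu instead of getting a push")
    return findings


def insecure_mode(path):
    """True if group or other has any permission bit on the file (it should be 0600)."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo_mode_check():
    """Exercise insecure_mode() on a temporary file: (result at 0644, result at 0600)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = insecure_mode(path)
        os.chmod(path, 0o600)
        after = insecure_mode(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    for finding in check_settings(parse_duo_conf(SAMPLE_CONF)):
        print("FINDING:", finding)
    print("wheel user prompted:", duo_required(["wheel", "users"], "*,!not2fa"))
    print("not2fa user prompted:", duo_required(["users", "not2fa"], "*,!not2fa"))
    print("mode check (0644, 0600):", demo_mode_check())
```

Run against a real file by reading it into `parse_duo_conf()` and calling `insecure_mode()` on its path; the sample above deliberately leaves `failmode = safe` so the checker reports exactly that finding.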

Update PAM Configuration

This assumes Duo is used for SSH access only, not for console login.

  • If you already use a PAM-based second factor such as pam_securid.so, you should be able to swap in the Duo module as shown here:
    • sed -i "s/pam_securid.so/\/lib64\/security\/pam_duo.so/g" /etc/pam.d/sshd
  • See Duo's SSHD & PAM configuration instructions.
  • ITS was able to get Duo working with a custom configuration that allows for local or Kerberos passwords. In addition, we can permit SSH keys to bypass Duo, requiring it only for interactive logins.

/etc/pam.d/sshd
#%PAM-1.0
auth       include      sshd-passwd
auth       required     /lib64/security/pam_duo.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      system-auth

/etc/pam.d/sshd-passwd
#%PAM-1.0
auth        required      pam_env.so
auth        [success=3 default=ignore]    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        [success=1 default=ignore]    pam_krb5.so use_first_pass no_validate realm=UMICH.EDU
auth        requisite      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

/etc/ssh/sshd_config (Check these values)
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no
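To make the control fields in the two PAM files above concrete, here is an added example (not Duo's or ITS's code) that models how Linux-PAM walks the auth stack built from those exact lines: `include` inlines sshd-passwd, `[success=3 default=ignore]` skips the next three modules when the local password is accepted, `requisite` stops the stack immediately on failure, and pam_duo.so runs only after a password factor has succeeded. Module results are simplified to success or failure (return codes such as user_unknown are not modelled), and the login attempts fed to it are constructed.

```python
"""Model of how Linux-PAM walks the auth stack defined by the two files above.

Added example, not Duo's or ITS's code. Assumptions: module results are reduced
to success/failure (return codes such as user_unknown are not modelled), and
"include" simply inlines the included file's auth lines.
"""
import re

# The auth lines from /etc/pam.d/sshd and /etc/pam.d/sshd-passwd as shown above.
PAM_FILES = {
    "sshd": """
auth       include      sshd-passwd
auth       required     /lib64/security/pam_duo.so
""",
    "sshd-passwd": """
auth        required      pam_env.so
auth        [success=3 default=ignore]    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        [success=1 default=ignore]    pam_krb5.so use_first_pass no_validate realm=UMICH.EDU
auth        requisite     pam_deny.so
""",
}

# type, control (keyword or [bracketed action list]), module path, optional args
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]+\]|\w+)\s+(\S+)(?:\s+(.*))?$")

# Keyword controls expressed as the action lists Linux-PAM defines them to mean.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(control):
    """Turn 'required' or '[success=3 default=ignore]' into an action dict."""
    if control in KEYWORDS:
        return KEYWORDS[control]
    return dict(tok.split("=", 1) for tok in control.strip("[]").split())


def load_auth_stack(name, files=PAM_FILES):
    """Return [(actions, module, args)] for the auth type, inlining includes."""
    stack = []
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line}")
        mtype, control, module, args = m.groups()
        if mtype != "auth":
            continue
        if control == "include":
            stack.extend(load_auth_stack(module, files))
            continue
        stack.append((parse_control(control), module.rsplit("/", 1)[-1], args or ""))
    return stack


def module_result(module, args, user):
    """Outcome of each module for one simulated login attempt (`user` is constructed)."""
    if module == "pam_env.so":
        return True
    if module == "pam_unix.so":
        return user["local_pw_ok"]
    if module == "pam_krb5.so":
        return user["krb_ok"]
    if module == "pam_duo.so":
        return user["duo_ok"]
    if module == "pam_deny.so":
        return False
    if module == "pam_succeed_if.so":  # only the "uid >= N" form used above is modelled
        return user["uid"] >= int(re.search(r"uid\s*>=\s*(\d+)", args).group(1))
    raise ValueError(f"no model for {module}")


def run_auth(stack, user):
    """Walk the stack; return (outcome, list of modules actually consulted)."""
    failed = False   # a 'bad' action recorded a failure that cannot be overridden
    vouched = False  # some module succeeded with an 'ok'/'done' action before any failure
    trace, i = [], 0
    while i < len(stack):
        actions, module, args = stack[i]
        ok = module_result(module, args, user)
        trace.append(module)
        action = actions.get("success" if ok else "default", "ignore")
        if action.isdigit():
            i += int(action)  # jump over the next N modules
        elif action == "bad":
            failed = True
        elif action == "die":
            return "fail", trace
        elif action == "ok":
            vouched = vouched or not failed
        elif action == "done":
            return ("fail" if failed else "success"), trace
        # "ignore": this module does not affect the result
        i += 1
    return ("success" if vouched and not failed else "fail"), trace


def authenticate(uid, local_pw_ok, krb_ok, duo_ok):
    """Simulate one SSH login through /etc/pam.d/sshd with the given factor results."""
    user = {"uid": uid, "local_pw_ok": local_pw_ok, "krb_ok": krb_ok, "duo_ok": duo_ok}
    return run_auth(load_auth_stack("sshd"), user)


if __name__ == "__main__":
    for case in [(1000, True, False, True), (1000, False, True, True),
                 (400, False, True, True), (1000, False, False, True),
                 (1000, True, False, False)]:
        print(case, "->", authenticate(*case))
```

The traces show two properties worth confirming on a real host: Duo is consulted only after a local or Kerberos password succeeds (a wrong password ends at pam_deny.so without generating a push), and accounts with uid below 500 have no Kerberos fallback because pam_succeed_if.so is requisite.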

Last Updated: Tuesday, May 31, 2016