This document details the installation instructions for Duo Unix SSH (Secure Shell). Follow these instructions to set up two-factor authentication with Duo for SSH on your Unix server.
Request Duo Application Keys for Your Server
Each server should have its own Integration Key (i-Key) and Secret Key (s-Key). To request a key set for your server, contact the ITS Service Center and ask that your request be directed to the ITS Identity and Access Management (IAM) Operations team. Submit your application creation request as early as possible. The application registration process takes one to three days from the time the service request is received by ITS IAM.
In the ticket, include your preferred application name. Most requests follow the format below. See Duo Naming Conventions for a more detailed explanation.
- Application Name: (Unit's AD Prefix) (SSH/RDP) (server hostname)
- Example: ITS SSH dodo.dsc.umich.edu
ITS IAM will communicate the i-Key, s-Key, and application host name back to the system administrator via U-M Dropbox. These should be protected like any other key information used on your server.
Install the Duo Package
Install the appropriate Duo package for your version of Unix.
- Import the Duo package RPM signing key:

      rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc

- Configure an external Yum repository from Duo or subscribe to the Red Hat Satellite Duo channel. If your particular Red Hat version does not have a Duo channel yet, please contact [email protected].
  - External repository:
    - Download the package directly from Duo, or
    - Configure the external Yum repository with these commands:

          name=Duo Security Repository

      Note: The Duo package repository currently does not include RHEL packages for workstations. However, you can install on RHEL Workstation by replacing $releasever with the server release for the corresponding version in your Yum configuration (e.g., 7Server).
  - Satellite install:
    - There should be a Duo channel under the base channel for your Red Hat release. Subscribe to that channel and install the duo_unix package.
Local Duo Config Files
Update /etc/duo/pam_duo.conf and /etc/duo/login_duo.conf with the keys and API hostname saved earlier. You can test the setup by running /usr/sbin/login_duo.
Additional options are available and documented at Duo Unix - Two-Factor Authentication for SSH (login_duo).
- This is a campus AuthProxy server. Any servers on private networks or that can't reach outbound systems will have to use this.
- groups = *,!not2fa
  - This option determines which Unix groups are or are not prompted for Duo authentication.
  - In this example, every user except those in the not2fa group will have to use Duo.
- failmode = secure
  - If your server is not configured properly or can't reach Duo, it will not allow access. Make sure to pair this with an alternative access path, however, such as VMware console access.
- autopush = yes
  - Instead of showing the menu below, Duo will automatically send a push notification to the user.

      Enter a passcode or select one of the following options:

       1. Duo Push to XXX-XXX-0142
       2. Phone call to XXX-XXX-0142
       3. SMS passcodes to XXX-XXX-0142

      Passcode or option (1-3):
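As an added example (not code from this page or from Duo), the Python below reproduces the group-matching rule that the groups = *,!not2fa line relies on and audits a pam_duo.conf for the two things worth checking first: failmode and file permissions. The file layout ([duo] section, key = value) follows Duo's documentation; the group-matching semantics are my reading of that documentation rather than duo_unix's own source, and the ikey/skey/host values are constructed placeholders.

```python
"""Check a Duo Unix pam_duo.conf: who gets prompted, and does it fail closed?"""
import configparser
import fnmatch
import stat

# Constructed sample config; ikey/skey/host are placeholders, not real
# credentials.  failmode is deliberately left at the weak default.
SAMPLE_CONF = """[duo]
ikey = DIXXXXXXXXXXXXXXXXXX
skey = PLACEHOLDER_SECRET_KEY
host = api-XXXXXXXX.duosecurity.com
groups = *,!not2fa
failmode = safe
"""


def duo_required(user_groups, groups_option):
    """Is this user prompted for Duo under the `groups` option?

    Patterns are comma-separated shell globs, '!' negates.  As the page reads
    '*,!not2fa': a negated pattern matching any of the user's groups exempts
    them outright; otherwise any positive match requires Duo.  (Assumed
    semantics, written from the duo_unix docs, not copied from its source.)
    """
    required = False
    for pattern in (p.strip() for p in groups_option.split(",") if p.strip()):
        negate = pattern.startswith("!")
        glob = pattern.lstrip("!")
        if any(fnmatch.fnmatchcase(g, glob) for g in user_groups):
            if negate:
                return False  # exempt, whatever the other patterns say
            required = True
    return required


def audit_duo_conf(conf_text, file_mode):
    """Return findings for a pam_duo.conf body plus the file's mode bits."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    duo = cfg["duo"]
    findings = [f"missing {k}" for k in ("ikey", "skey", "host") if not duo.get(k)]
    # duo_unix defaults to failmode=safe (fail open when Duo is unreachable);
    # the page recommends 'secure'.
    if duo.get("failmode", "safe").lower() != "secure":
        findings.append("failmode is not 'secure': logins succeed if Duo is unreachable")
    # skey is a shared secret; the file must not be readable by group/other.
    if file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("config readable by group/other: skey exposed")
    return findings
```

Run audit_duo_conf against the real file's text and os.stat(path).st_mode after deploying the keys from ITS IAM; an empty list means the two checks passed.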
Update PAM Configuration
This assumes Duo is used for SSH access only, not for console login.
- If you are already using PAM, you should be able to just drop in the new module as shown here:

      sed -i "s/pam_securid.so/\/lib64\/security\/pam_duo.so/g" /etc/pam.d/sshd

- See Duo's SSHD & PAM configuration instructions.
- ITS was able to get Duo working with a custom configuration that allows local or Kerberos passwords. In addition, we can permit SSH keys to bypass Duo, requiring it only for interactive logins.

/etc/pam.d/sshd:

    auth       include      sshd-passwd
    auth       required     /lib64/security/pam_duo.so
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth

/etc/pam.d/sshd-passwd (the stack pulled in by the include line above: local password first, then Kerberos):

    auth       required     pam_env.so
    auth       [success=3 default=ignore] pam_unix.so nullok try_first_pass
    auth       requisite    pam_succeed_if.so uid >= 500 quiet
    auth       [success=1 default=ignore] pam_krb5.so use_first_pass no_validate realm=UMICH.EDU
    auth       requisite    pam_deny.so
    account    required     pam_unix.so broken_shadow
    account    sufficient   pam_succeed_if.so uid < 500 quiet
    account    [default=bad success=ok user_unknown=ignore] pam_krb5.so
    account    required     pam_permit.so
    password   requisite    pam_cracklib.so try_first_pass retry=3
    password   sufficient   pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password   sufficient   pam_krb5.so use_authtok
    password   required     pam_deny.so
    session    optional     pam_keyinit.so revoke
    session    required     pam_limits.so
    session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session    required     pam_unix.so
    session    optional     pam_krb5.so
/etc/ssh/sshd_config (Check these values)