This document details the installation instructions for Duo Unix SSH (Secure Shell). Follow these instructions to set up two-factor authentication with Duo for SSH on your Unix server.
Install the Duo Package
Install the appropriate Duo package for your version of Unix.
- Import the Duo package RPM signing key. You can do it by issuing this command: rpm --import https://duo.com/RPM-GPG-KEY-DUO
- Configure an external Yum Repository from Duo or subscribe to the Red Hat Satellite Duo channel. If your particular Red Hat version does not have a Duo channel yet, please contact firstname.lastname@example.org
- External Repository:
- Download package directly from Duo.
- Configure the external Yum Repository with these commands:
name=Duo Security Repository
Note The Duo Package Repository currently does not include RHEL packages for workstations. However, you can install on RHEL Workstation by replacing $releasever with the server release for the corresponding version in your Yum configuration (e.g., 7Server).
- Satellite Install:
- There should be a Duo channel under the base channel for your Red Hat release. Subscribe to that and install the duo_unix package.
Create a Duo Application for Your Unix Server
Create a Duo application for your Unix server. We recommend that you create each server as a unique Duo application.
- UNITABBR=`Your 3 character AD prefix`
- Name: $UNITABBR SSH $FQDN Example: ITS SSH dodo.dsc.umich.edu
- User Normalization: Simple
- New user policy: Deny Access
- Trusted Networks:
Note This only works if you disable DNS in sshd_config. We have submitted a request to allow FQDNs as well, since ITS is planning to leave DNS enabled.
Save the Integration Key and Secret Key. These are unique for every application.
The API hostname will be the same for all your applications and is based on the Duo environment.
For the U-M production environment, submit a service request to the ITS Service Center and ask that it be directed to the ITS Identity and Access Management Operations team (the IAM Operations and Data ServiceLink assignment group) to get this information by either asking them to migrate a test application or just create a new application in Prod.
Local Duo Config Files
Update /etc/duo/pam_duo.conf & login_duo.conf with the keys and API hostname saved earlier. You can test by running the /usr/sbin/login_duo command.
Additional options are available and documented at Duo Unix - Two-Factor Authentication for SSH (login_duo).
- This is a campus AuthProxy server. Any servers on private networks or that can’t reach outbound systems will have to use this.
- groups = *,!not2fa
- This flag can be used to determine which Unix groups should or should not be prompted for Duo authentication.
- In this example, every user except those in the not2fa group will have to use Duo.
- failmode = secure
- If your server is not configured properly or can’t reach Duo, it will not allow access. Make sure to couple this with a backdoor however, such as VMware console access.
- autopush = yes
- Instead of showing the menu below, Duo will automatically send a push notification to the user.
Enter a passcode or select one of the following options:
- Duo Push to XXX-XXX-0142 2.
- Phone call to XXX-XXX-0142
- SMS passcodes to XXX-XXX-0142
Passcode or option (1-3):
Update PAM Configuration
This assumes Duo is used for SSH access only, not for console login.
- If you are already using PAM, you should be able to just drop in the new module as shown here:
- sed -i "s/pam_securid.so/\/lib64\/security\/pam_duo.so/g" /etc/pam.d/sshd
- See Duo's SSHD & PAM configuration instructions.
- ITS was able to get Duo working with a custom configuration that allows for local or Kerberos passwords. In addition, we can permit SSH keys to bypass Duo, requiring it only for interactive logins.
auth include sshd-passwd
auth required /lib64/security/pam_duo.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include system-auth
auth required pam_env.so
auth [success=3 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth [success=1 default=ignore] pam_krb5.so use_first_pass no_validate realm=UMICH.EDU
auth requisite pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
/etc/ssh/sshd_config (Check these values)