Duo Unix SSH Installation Directions

This document details the installation instructions for Duo Unix SSH (Secure Shell). Follow these instructions to set up two-factor authentication with Duo for SSH on your Unix server.

Request Duo Application Keys for Your Server

Each server should have its own Integration Key (i-Key) and Secret Key (s-Key). To request a key set for your server, contact the ITS Service Center and ask that your request be directed to the ITS Identity and Access Management (IAM) Operations team. Submit your application creation request as early as possible. The application registration process takes one to three days from the time the service request is received by ITS IAM.

In the ticket, include your preferred application name. Most requests follow the format below. See Duo Naming Conventions for a more detailed explanation.

  • Application Name: (Unit's AD Prefix) (SSH/RDP) (server hostname)
  • Example: ITS SSH dodo.dsc.umich.edu

ITS IAM will communicate the i-Key, s-Key, and application host name back to the system administrator via U-M Dropbox. These should be protected like any other key information used on your server.

Install the Duo Package

Install the appropriate Duo package for your version of Unix.

Red Hat Enterprise Linux (RPM-based)

  1. Import the Duo package RPM signing key:
     rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc
  2. Configure an external Yum repository from Duo, or subscribe to the Red Hat Satellite Duo channel. If your particular Red Hat version does not have a Duo channel yet, please contact [email protected]
  • External Repository:
    1. Download the package directly from Duo.
    2. Configure the external Yum repository with these commands:
       name=Duo Security Repository

Note: The Duo Package Repository currently does not include RHEL packages for workstations. However, you can install on RHEL Workstation by replacing $releasever with the server release for the corresponding version in your Yum configuration (e.g., 7Server).

  • Satellite Install:
    1. There should be a Duo channel under the base channel for your Red Hat release. Subscribe to that and install the duo_unix package.

Debian-based (dpkg)

  1. Get the package from Duo.
  2. Install with dpkg.

Local Duo Config Files

Update /etc/duo/pam_duo.conf and /etc/duo/login_duo.conf with the i-Key, s-Key, and API hostname received from ITS IAM. You can test the configuration by running the /usr/sbin/login_duo command.

Additional options are available and documented at Duo Unix - Two-Factor Authentication for SSH (login_duo).

Recommendations include:

  • http_proxy=http://duo-proxy.dsc.umich.edu/
    • This is a campus AuthProxy server. Any servers on private networks or that can’t reach outbound systems will have to use this.
  • groups = *,!not2fa
    • This flag can be used to determine which Unix groups should or should not be prompted for Duo authentication.
    • In this example, every user except those in the not2fa group will have to use Duo.
  • failmode = secure
    • If your server is not configured properly or cannot reach Duo, it will not allow access. Make sure to pair this with an out-of-band access path, such as VMware console access, so you are not locked out of the server.
  • autopush = yes
    • Instead of showing the menu below, Duo will automatically send a push notification to the user.

Enter a passcode or select one of the following options:

  1. Duo Push to XXX-XXX-0142
  2. Phone call to XXX-XXX-0142
  3. SMS passcodes to XXX-XXX-0142

Passcode or option (1-3):

Update PAM Configuration

This assumes Duo is used for SSH access only, not for console login.

  • If you are already using PAM, you should be able to just drop in the new module as shown here:
    • sed -i "s/pam_securid.so/\/lib64\/security\/pam_duo.so/g" /etc/pam.d/sshd
  • See Duo's SSHD & PAM configuration instructions.
  • ITS was able to get Duo working with a custom configuration that allows either local or Kerberos passwords. In addition, SSH keys can bypass Duo, so it is required only for interactive (password) logins: public-key authentication does not pass through the PAM auth stack, so pam_duo is never invoked for it.

/etc/pam.d/sshd:

auth       include      sshd-passwd
auth       required     /lib64/security/pam_duo.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      system-auth

/etc/pam.d/sshd-passwd (the file included above):

auth        required      pam_env.so
auth        [success=3 default=ignore]    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        [success=1 default=ignore]    pam_krb5.so use_first_pass no_validate realm=UMICH.EDU
auth        requisite      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

/etc/ssh/sshd_config (Check these values)
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication no
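As an added example (not part of the original ITS page), the following POSIX shell functions check a host against both the pam_duo.conf recommendations above and the PAM and sshd_config values in this section: the keys and failmode are present and the file is not readable by others, /etc/pam.d/sshd requires pam_duo.so, and sshd_config carries the three listed values. The function names are the example's own, and file paths are passed as arguments so staged copies can be checked first.

```shell
#!/bin/sh
# Added example, not from the original ITS page. Checks a Duo Unix SSH
# deployment against the recommendations above. File paths are arguments
# so the checks can be run against staged copies before they go live.
set -u

# check_pam_duo_conf FILE: the [duo] section must carry the ikey, skey and
# API host ITS supplied, failmode must be secure, and the file must not be
# readable by group/other because it holds the secret key.
check_pam_duo_conf() {
    f=$1; rc=0
    for key in ikey skey host; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$f" \
            || { echo "$f: missing $key"; rc=1; }
    done
    grep -Eq '^[[:space:]]*failmode[[:space:]]*=[[:space:]]*secure' "$f" \
        || { echo "$f: failmode is not 'secure'"; rc=1; }
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$perms" in
        600|400) ;;
        *) echo "$f: mode $perms, should be 0600 (contains the skey)"; rc=1 ;;
    esac
    return $rc
}

# check_pam_sshd FILE: /etc/pam.d/sshd must reach pam_duo.so with the
# 'required' control so a Duo failure can never be skipped.
check_pam_sshd() {
    grep -Eq '^auth[[:space:]]+required[[:space:]]+(/lib64/security/)?pam_duo\.so' "$1"
}

# check_sshd_config FILE: the three sshd_config values the page says to
# check. Public keys still work; passwords must go through PAM (and Duo).
check_sshd_config() {
    f=$1; rc=0
    for want in 'ChallengeResponseAuthentication yes' 'UsePAM yes' \
                'PasswordAuthentication no'; do
        k=${want% *}; v=${want#* }
        grep -Eiq "^[[:space:]]*$k[[:space:]]+$v[[:space:]]*$" "$f" \
            || { echo "$f: expected '$want'"; rc=1; }
    done
    return $rc
}

# Usage on a live host (all three should print nothing and exit 0):
#   check_pam_duo_conf /etc/duo/pam_duo.conf
#   check_pam_sshd /etc/pam.d/sshd
#   check_sshd_config /etc/ssh/sshd_config
```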

Last Updated: Wednesday, September 4, 2019