Using DUO on a Raspberry Pi

Duo can be easily added to any Unix system to protect remote (SSH) or local logins with the addition of a simple pam_duo PAM module. It has been tested on Linux (RedHat, Fedora, CentOS, Debian, Ubuntu, Amazon Linux), BSD (FreeBSD, NetBSD, OpenBSD), Solaris, HP-UX, and AIX. The code is open-source and available on GitHub.

We use DUO at work for a variety of reasons, and for whatever reason I never really looked into it until I was looking for an authentication method for Shiny Server. Well, I still haven’t proven it’ll work with Shiny Server, but I did produce a proof-of-concept on a Raspberry Pi that acts as the jump box for my home network.

Here’s how:

Sign up for a DUO security account

The web page says that there’s a free tier for up to 10 users, but the sign-up page only allows you to sign up for the Free Trial. So I signed up for the Free Trial with every intention of using the free tier.

I pretty much followed the guide DUO has here.

You use your smartphone to create the admin account and gain access to the dashboard, where you…

Set up a new application

They have a LOT of pre-made configurations for a number of different services, but I needed to protect SSH on a Raspberry Pi, which isn’t on the list. So I chose a generic “UNIX Application”.

Once on the Application screen you are presented with an Integration key, Secret key, and API hostname. Make note of these – you’ll need them later.

Take this time to change the name of your application to something meaningful. I chose <hostname> SSH/sudo.

Dependencies and Install

Make sure you’ve got the dependencies installed (I used the guide for Debian 7)

sudo apt install libssl-dev libpam-dev

Then install the DUO app from source (no Raspberry Pi repository)

wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
tar zxf duo_unix-latest.tar.gz
# The extracted directory is named after the version in the tarball (1.10.1 here)
cd duo_unix-1.10.1

Build and install duo_unix with PAM support (pam_duo).

# Configure and build as a regular user; only the install step needs root
./configure --with-pam --prefix=/usr
make
sudo make install

Update DUO configs with your account info

Once duo_unix is installed, edit /etc/duo/pam_duo.conf to add the integration key, secret key, and API hostname from your Duo Unix application.

[duo]
; Duo integration key
ikey = INTEGRATION_KEY
; Duo secret key
skey = SECRET_KEY
; Duo API hostname
host = API_HOSTNAME

Update SSH configs

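Make sure the following lines are present in /etc/ssh/sshd_config, adding any that are missing. AuthenticationMethods publickey,keyboard-interactive makes sshd require a successful public key login first and then the keyboard-interactive (PAM) step, which is where Duo runs.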

PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no

If you’re SSH’d into the box you are doing this on, then open another SSH session now as a safeguard in case something goes wrong and you lock yourself out.

Then restart ssh

sudo service ssh restart

Update files in /etc/pam.d

SSH Public Key Authentication – /etc/pam.d/sshd

Before:

@include common-auth

After:

#@include common-auth
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

System-wide Authentication – /etc/pam.d/common-auth

Before:

auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_deny.so
auth  required pam_permit.so

After:

#auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_unix.so nullok_secure
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so
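
To see why the two "After" stacks enforce Duo, here is a simplified model of how Linux-PAM walks them (an added example, not code from the original post or from Duo). It models only the control values used above and assumes, per pam.conf(5), that the jump in [success=1 default=ignore] adds nothing to the verdict during authentication; the authenticate function and the True/False outcomes are constructed for illustration.

```python
import re

# Constructed copies of the "After" auth stacks shown on this page.
SSHD = """\
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so
"""
# common-auth is the same three rules with a requisite pam_unix.so in front.
COMMON_AUTH = "auth  requisite pam_unix.so nullok_secure\n" + SSHD

RULE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def authenticate(stack, outcomes):
    """Simplified model of how Linux-PAM evaluates an auth stack.

    outcomes maps module name -> True (PAM_SUCCESS) or False (any failure).
    Commented-out lines are skipped because they do not start with "auth".
    """
    results = {"pam_deny.so": False, "pam_permit.so": True, **outcomes}
    rules = [m.groups() for m in map(RULE.match, stack.splitlines()) if m]
    state, i = None, 0  # state: None = no verdict yet, True/False = ok/failed
    while i < len(rules):
        control, module = rules[i]
        ok = results[module]
        i += 1
        if control.startswith("["):
            actions = dict(kv.split("=") for kv in control.strip("[]").split())
            action = actions["success"] if ok and "success" in actions else actions["default"]
            if action.isdigit():
                i += int(action)  # jump over N rules; adds nothing to the verdict
            elif action != "ignore":
                raise ValueError(f"unmodelled action: {action}")
        elif control == "requisite":
            if not ok:
                return False      # fail immediately, skip the rest of the stack
            state = True if state is None else state
        elif control == "required":
            state = ok if state is None or not ok else state
        else:
            raise ValueError(f"unmodelled control: {control}")
    return state is True

if __name__ == "__main__":
    for unix_ok in (True, False):
        for duo_ok in (True, False):
            verdict = authenticate(COMMON_AUTH, {"pam_unix.so": unix_ok, "pam_duo.so": duo_ok})
            print(f"pam_unix={unix_ok} pam_duo={duo_ok} -> login allowed: {verdict}")
```

A Duo success only skips pam_deny.so; the final pam_permit.so is what supplies the success verdict, so removing it would deny every login. In the sshd stack the password check is absent because sshd has already verified the public key before PAM runs.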

Test

At this point you should be able to SSH into the box (try it from localhost first) and be prompted to enroll in DUO Security (you only have to do this once per account/device). Finish the instructions at the web link provided and you should be good to go!