Duo can be easily added to any Unix system to protect remote (SSH) or local logins with the addition of a simple pam_duo PAM module. It has been tested on Linux (RedHat, Fedora, CentOS, Debian, Ubuntu, Amazon Linux), BSD (FreeBSD, NetBSD, OpenBSD), Solaris, HP-UX, and AIX. The code is open-source and available on GitHub.
We use DUO at work for a variety of reasons and for whatever reason I never really looked into it until I was looking for an authentication method for Shiny Server. Well I still haven’t proven it’ll work with Shiny Server, but I did produce a proof-of-concept on a Raspberry Pi that acts as the jump box for my home network.
Sign up for a DUO security account
The web page says that there’s a free tier for up to 10 users, but the sign-up page only allows you to sign up for the Free Trial. So I signed up for the free-trial with every intention of using the free tier.
I pretty much followed the guide DUO has here.
You use your smartphone to create the admin account and gain access to the dashboard, where you…
Set up a new application
They have a LOT of pre-made configurations for a number of different services, but I needed to protect SSH on a Raspberry Pi, which isn’t on the list. So I chose a generic “UNIX Application”.
Once on the Application screen you are presented with an Integration key, Secret key, and API hostname. Make note of these – you’ll need them later.
Take this time to change the name of your application to something meaningful. I chose
Dependencies and Install
Make sure you’ve got the dependencies installed (I used the guide for Debian 7)
sudo apt install libssl-dev libpam-dev
Then install the DUO app from source (no Raspberry Pi repository)
wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
tar zxf duo_unix-latest.tar.gz
cd duo_unix-1.10.1
Build and install duo_unix with PAM support (pam_duo).
sudo ./configure --with-pam --prefix=/usr
sudo make
sudo make install
Update DUO configs with your account info
Once duo_unix is installed, edit /etc/duo/pam_duo.conf to add the integration key, secret key, and API hostname from your Duo Unix application.
[duo]
; Duo integration key
ikey = INTEGRATION_KEY
; Duo secret key
skey = SECRET_KEY
; Duo API hostname
host = API_HOSTNAME
Update SSH configs
Add or ensure the following lines are present in
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
If you’re SSH’d into the box you are doing this on, then open another SSH session now as a safeguard in case something goes wrong and you lock yourself out.
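Before restarting, it helps to confirm that the six settings above are the ones sshd will actually use. The script below is an added example, not part of the original post or of Duo's code; the function names `sshd_effective` and `check_sshd_duo` are made up for illustration, and the sample config is constructed. It takes the path to your sshd configuration file as its argument.

```shell
#!/bin/sh
# Added example, not from the original post. sshd uses the FIRST value it reads
# for a keyword (keywords are case-insensitive), so a later line can be shadowed.

# Print the effective global value of keyword $2 in config file $1.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }                      # comments, blank lines
        {
            key = $0; sub(/[ \t=].*/, "", key); key = tolower(key)
            val = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
            if (key == "match") exit               # conditional blocks follow
            if (key == want) { print val; exit }   # first occurrence wins
        }' "$1"
}

# Return 0 only if every setting has exactly the value given on the page.
check_sshd_duo() {
    rc=0
    while read -r key want; do
        got=$(sshd_effective "$1" "$key") || got=""
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want '$want', effective '${got:-unset}'"
            rc=1
        fi
    done <<EOF
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
EOF
    return "$rc"
}

sample=$(mktemp)   # constructed sample: the final "no" is shadowed by the earlier "yes"
cat >"$sample" <<'EOF'
passwordauthentication yes
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
PasswordAuthentication no
EOF
check_sshd_duo "$sample" || echo "fix the file before restarting ssh"; rm -f "$sample"
```

`sshd -t` only validates syntax, so it would accept the shadowed file above; this check compares the values themselves.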
Then restart ssh
service ssh restart
Update files in
SSH Public Key Authentication –
#@include common-auth
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
System-wide Authentication –
Before:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
After:
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
At this point you should be able to SSH into the box (try it from localhost first) and be prompted to enroll in DUO Security (you only have to do this once per account/device). Finish the instructions at the web link provided and you should be good to go!