I have a working Duo auth for SSH access to a Linux server, but it isn’t quite working as I would like for my environment.
I am looking for the right options so that:
- A user SSH'ing in needs to auth with Duo (easy enough), but it should check the local auth first, e.g. if I type my password wrong the OS should reject me before I receive a Duo push
- Duo should be required for sudo, but it should cache the Duo auth. Without Duo, if I sudo I am prompted for my password, but if I sudo again quickly I am not prompted for my password again. The same thing should happen with Duo pushes
And, ideally, I would like an option so that if a user authenticated to SSH using a keypair instead of a password, that user does not receive a Duo push. This is not a great option security-wise, but the boss is asking if it is an option for one of our applications.
Any suggestions on the right config to make these happen?
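One way to get all three behaviours with the stock `pam_duo` module, OpenSSH and sudo, as an added configuration example (not from the original post; it assumes a Debian-style PAM layout where `/etc/pam.d/sshd` and `/etc/pam.d/sudo` include `common-auth`, OpenSSH 8.7 or newer for the `KbdInteractiveAuthentication` keyword, and placeholder Duo keys you replace with your own):

```conf
# /etc/pam.d/sshd  (replace the "@include common-auth" line with these two)
# "requisite" makes a wrong local password fail the stack immediately,
# so pam_duo is never reached and no push is sent.
auth  requisite  pam_unix.so
auth  required   pam_duo.so
# leave the remaining @include lines (common-account, common-session, ...) as they are

# /etc/pam.d/sudo  (same idea: local password first, then Duo)
auth  requisite  pam_unix.so
auth  required   pam_duo.so
# leave @include common-account / common-session-noninteractive as they are

# /etc/sudoers  (edit with visudo)
# sudo caches a successful authentication per tty/user for this many minutes;
# the cache covers the whole PAM auth stack, so Duo is skipped with the password.
Defaults timestamp_timeout=5

# /etc/duo/pam_duo.conf  (values are placeholders)
[duo]
ikey = <YOUR-INTEGRATION-KEY>
skey = <YOUR-SECRET-KEY>
host = <YOUR-API-HOSTNAME>.duosecurity.com
autopush = yes

# /etc/ssh/sshd_config
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
# Space-separated list = either method alone is sufficient.
# A successful public-key login never runs the PAM "auth" stack, so pam_duo
# (and the push) only fires for keyboard-interactive (password) logins.
AuthenticationMethods publickey keyboard-interactive
# To keep the key-only exemption narrow, scope it to the application account:
#   Match User appuser
#       AuthenticationMethods publickey
# and set "AuthenticationMethods publickey,keyboard-interactive" globally
# so everyone else needs key + Duo.
```

After editing, restart sshd and test from a second session before closing the one you are in, since a PAM mistake in `sshd` or `sudo` can lock you out.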