06-16-2023 06:53 PM
I’m sure I’m missing something obvious. Here’s the config I’m using:
[duo]
ikey =
skey =
host =
pushinfo = yes
autopush = yes
sshd_config:
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
PAM config:
auth requisite pam_unix.so nullok_secure
auth [success=1 default=ignore] /lib64/security/pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
When I ssh and enter my password it just sits there and pushes to my mobile. If I accept the login it logs me in successfully.
I need it to not autopush to my mobile. I’m using a Yubikey so I need it to give me the 3 options like this:
Enter a passcode or select one of the following options:
Passcode or option (1-2): xxxxxxxxxxxxxxxxxxxxxxxxxx
Because it’s autopush-ing to my mobile, I don’t have the option to use the Yubikey.
If I disable autopush, I get the following in auth.log:
Jun 17 01:30:25-observium1 sshd[1332685]: starting Duo Unix: PAM Duo
Jun 17 01:30:25-observium1 sshd[1332685]: pam_duo(sshd:auth): conversation failed
Jun 17 01:30:25-observium1 sshd[1332685]: Aborted Duo login for ‘username’ from 1.1.1.1: Error gathering user response
Jun 17 01:30:27-observium1 sshd[1332685]: Failed password for username from 1.1.1.1 port 55770 ssh2
However, I know the password is correct. As soon as I set it back to autopush, it works.
This is running Ubuntu 22.04 with the latest updates.
Any help is much appreciated.
06-20-2023 07:40 AM
If you have Duo Unix configured for PAM + public key authentication but leave passwords in the AuthenticationMethods line of sshd_config and disable autopush then password failure is a common outcome. SSH password authentication doesn’t allow other PAM modules to read input after the initial password, which is why Duo Unix’s PAM module is failing there.
If you want to use passwords for login instead of or in addition to public key authentication, with Duo Unix able to read inputs from the login process (like your Yubikey OTP), take a look at these articles:
How do I enable pam_duo to use both passwords and public key authentication?
How do I enable pam_duo to use passwords instead of public key authentication?
06-20-2023 08:03 AM
I’ve already looked at that. I’m not using pub key authentication. I’m using password authentication.
I even created a brand new Ubuntu 22.04 VM, did the exact same config and the same thing happened. It only auto-pushes to my mobile. I never get the option to select SMS or phone call auth.
06-20-2023 09:16 AM
Right, that is what I’m saying. The PAM config example you posted (what is in the main Duo Unix doc page for Ubuntu) is not compatible with password authentication. Those two KB articles have example DIFFERENT PAM/sshd configs that let someone use password auth. In particular, take a look at the “How do I enable pam_duo to use passwords instead of public key authentication?” article and the config file examples for Ubuntu in it.
06-20-2023 10:41 AM
I just tried that as well. I matched all the settings from that article. Same result though.
[duo]
ikey =
skey =
host =
pushinfo = yes
autopush = yes
prompts = 1
sshd_config:
PubkeyAuthentication no
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
#AuthenticationMethods keyboard-interactive
KbdInteractiveAuthentication yes
I had to set sshd_config like this otherwise it failed to start.
Jun 20 00:59:48 ubuntu-duo-test sshd[15985]: Disabled method “keyboard-interactive” in AuthenticationMethods list “keyboard-interactive”
Jun 20 00:59:48 ubuntu-duo-test sshd[15985]: AuthenticationMethods cannot be satisfied by enabled authentication methods
Jun 20 00:59:48 ubuntu-duo-test systemd[1]: ssh.service: Control process exited, code=exited, status=255/EXCEPTION
/etc/pam.d/sshd:
auth required pam_env.so
auth requisite pam_unix.so
auth [success=1 default=ignore] /lib64/security/pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
/etc/pam.d/common-auth:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_unix.so
auth [success=1 default=ignore] /lib64/security/pam_duo.so
auth required pam_deny.so
auth required pam_permit.so
Is there some bug or weird interaction with Ubuntu 22.04 and Duo? Do I need to build from source to get the latest version of Duo maybe? Instead of using apt to install?
06-20-2023 11:00 AM
If you included PasswordAuthentication yes then you didn’t match the settings in that article.
Did you also try it with PasswordAuthentication no?
06-20-2023 11:15 AM
I tried it both ways. If PasswordAuthentication is no, my login just fails. If it’s yes, it at least works and pushes to my mobile to accept.
I know the password is correct because I’m copy/pasting it.
Do you actually have this working with pam_duo on Ubuntu 22.04?
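Added example, not part of any post in this thread and not Duo's or OpenSSH's own code: a small checker for the sshd settings discussed above, applying sshd_config's rule that the first value obtained for a keyword wins and treating ChallengeResponseAuthentication as the deprecated alias of KbdInteractiveAuthentication. The function names and the sample file are constructed for illustration; Include files and Match blocks are not handled.

```python
# Upstream OpenSSH defaults (assumption: distro-shipped files often override them).
DEFAULTS = {"usepam": "no", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "authenticationmethods": "any"}
# Deprecated keyword that sets the same option as its replacement.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective(config_text):
    """Global sshd settings; the first value obtained for a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":                    # simplification: stop at Match blocks
            break
        key = ALIASES.get(key, key)
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)           # later duplicates are ignored
    return {**DEFAULTS, **seen}

def duo_prompt_findings(config_text):
    """Reasons pam_duo may be unable to show its passcode/option prompt."""
    cfg = effective(config_text)
    kbd = cfg["kbdinteractiveauthentication"] == "yes"
    findings = []
    if cfg["usepam"] != "yes":
        findings.append("UsePAM is not yes: pam_duo is never called")
    if not kbd:
        findings.append("keyboard-interactive is disabled: no channel for the Duo prompt")
    if "keyboard-interactive" in cfg["authenticationmethods"] and not kbd:
        findings.append("AuthenticationMethods needs keyboard-interactive, which is disabled")
    if cfg["passwordauthentication"] == "yes":
        findings.append("password method enabled: a login through it gives pam_duo "
                        "no way to read a passcode or option")
    return findings

# Constructed sample: an earlier "no" precedes the later alias set to "yes".
SAMPLE = """\
KbdInteractiveAuthentication no
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive
"""

if __name__ == "__main__":
    for finding in duo_prompt_findings(SAMPLE):
        print("-", finding)
```

On a live host, `sshd -T` prints the effective configuration, including values pulled in through Include, which this sketch does not follow.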