cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3482
Views
0
Helpful
7
Replies

2FA with Public Key Authentication and Password for SSH with PAM Support (pam_duo)

tenajsystems
Level 1
Level 1

I have followed this link: Duo Unix - 2FA for SSH with PAM Support (pam_duo) | Duo Security on how to setup DUO 2FA with Public Key Authentication. Is there a way to also add Password Authentication to it so that Users who decide to use SSH keys only have to accept the DUO prompt(and not have to type in their password) and users who decide to not use SSH keys but use password will get the DUO prompt?

Any assistance with this would be very much appreciated.

7 Replies 7

Amy2
Level 5
Level 5

Hi tenajsystems,

What you are asking for is possible, but not wholeheartedly recommended. In your /etc/ssh/sshd_config file you can set:

UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication yes
PubKeyAuthentication yes
PasswordAuthentication yes
ForceCommand /usr/sbin/login_duo

This configuration does not use PAM.

We do not completely support this method because of a potential security risk from using ForceCommand to open a new shell. There is potential for someone to configure the bashrc to open a shell before the shell protected by Duo loads.

tenajsystems
Level 1
Level 1

@Amy Can what I described be done with PAM(using the pam_duo and not the login_duo)?

No, you can only achieve what you describe using the login_duo.

leffler_media
Level 1
Level 1

Is this still impossible to do only using pam_duo?

Hi @leffler_media,
Yes, this is still not possible with pam_duo. If you would like to use either password or SSH key authentication with Duo Unix, it can only be done with login_duo per the article linked here. If you wanted to use both pubkey and password, that is possible with pam_duo. See the article How do I enable pam_duo to use both passwords and public key authentication?

When will Duo have this working with pam_duo? Duo should offer an option that is flexible enough to allow the option of either password or public key without introducing another security risk or providing an option that they don’t fully recommend.

Hi David, there is currently no ETA for when this will be available, and we are not able to share timelines publicly in the Community anyway due to the fact that timelines may change with evolving circumstances. There is an open feature request for this functionality, however, and it is under consideration for the future. Anyone who is interested should contact Duo Support, or their Customer Success Manager or Account Executive, if applicable, to be added to the request.

Quick Links