06-19-2019 09:09 AM
I have followed this link: Duo Unix - 2FA for SSH with PAM Support (pam_duo) | Duo Security on how to set up Duo 2FA with Public Key Authentication. Is there a way to also add Password Authentication to it, so that users who decide to use SSH keys only have to accept the Duo prompt (and not have to type in their password), and users who decide not to use SSH keys but use a password will get the Duo prompt?
Any assistance with this would be very much appreciated.
06-21-2019 11:10 AM
Hi tenajsystems,
What you are asking for is possible, but not wholeheartedly recommended. In your /etc/ssh/sshd_config file you can set:
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
ForceCommand /usr/sbin/login_duo
This configuration does not use PAM.
We do not completely support this method because of a potential security risk from using ForceCommand to open a new shell. There is potential for someone to configure the bashrc to open a shell before the shell protected by Duo loads.
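As an added example (not part of the original post and not Duo's own tooling), this Python check reads sshd_config text and reports where it deviates from the settings listed in the reply above, including ForceCommand values set inside Match blocks. It relies on sshd keeping the first value of a repeated global keyword and treats KbdInteractiveAuthentication as the newer name for ChallengeResponseAuthentication; Include files are not followed, and the function names and sample config are constructed for illustration.

```python
import re

# Settings from the reply above, keyed by lowercased keyword.
EXPECTED = {
    "usepam": "no", "challengeresponseauthentication": "no",
    "passwordauthentication": "yes", "pubkeyauthentication": "yes",
    "forcecommand": "/usr/sbin/login_duo",
}
# Assumption: newer OpenSSH names ChallengeResponseAuthentication this way.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

def parse(config_text):
    """Yield (scope, keyword, value); scope is 'global' or the Match line."""
    scope = "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = "match " + value
            continue
        yield scope, key, value

def audit(config_text):
    """Return (scope, keyword, found, wanted) for every deviation."""
    effective, problems = {}, []
    for scope, key, value in parse(config_text):
        if key not in EXPECTED:
            continue
        if scope == "global":
            effective.setdefault(key, value)  # sshd keeps the first value
        elif value != EXPECTED[key]:
            problems.append((scope, key, value, EXPECTED[key]))
    for key, wanted in EXPECTED.items():
        found = effective.get(key)  # None: not set, left to sshd's default
        if found != wanted:
            problems.append(("global", key, found, wanted))
    return problems

# Constructed sample: the reply's settings, with a repeated keyword.
SAMPLE = "\n".join([
    "UsePAM no", "ChallengeResponseAuthentication no",
    "PasswordAuthentication yes", "PubkeyAuthentication yes",
    "PasswordAuthentication yes", "ForceCommand /usr/sbin/login_duo",
])
if __name__ == "__main__":
    print(audit(SAMPLE) or "matches the posted settings")
```

A keyword reported with `None` is absent from the global section, so sshd's built-in default applies to it.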
06-21-2019 11:26 AM
@Amy Can what I described be done with PAM (using the pam_duo and not the login_duo)?
06-21-2019 11:29 AM
No, you can only achieve what you describe using the login_duo.
01-28-2022 09:02 AM
Is this still impossible to do only using pam_duo?
02-03-2022 08:48 AM
Hi @leffler_media,
Yes, this is still not possible with pam_duo. If you would like to use either password or SSH key authentication with Duo Unix, it can only be done with login_duo per the article linked here. If you wanted to use both pubkey and password, that is possible with pam_duo. See the article How do I enable pam_duo to use both passwords and public key authentication?
02-27-2022 05:12 AM
When will Duo have this working with pam_duo? Duo should offer an option that is flexible enough to allow the option of either password or public key without introducing another security risk or providing an option that they don’t fully recommend.
02-28-2022 06:03 AM
Hi David, there is currently no ETA for when this will be available, and we are not able to share timelines publicly in the Community anyway due to the fact that timelines may change with evolving circumstances. There is an open feature request for this functionality, however, and it is under consideration for the future. Anyone who is interested should contact Duo Support, or their Customer Success Manager or Account Executive, if applicable, to be added to the request.