Cisco Duo failing for Virtual TTYs on a Linux installation

mtttrf
Level 1

Hello, I have a working installation of Duo on Rocky Linux 9.x. SSH is able to push a login request and the GUI is able to push a login request, but virtual terminals and local console logins are not. This is the output from /var/log/secure:

 

Jul 11 15:05:34 localhost login[16610]: starting Duo Unix: PAM Duo
Jul 11 15:05:41 localhost login[16610]: Failsecure Duo login for 'user1': Couldn't connect to api-xxxxxxx.duosecurity.com: Failed to connect
Jul 11 15:05:43 localhost login[16610]: FAILED LOGIN 1 FROM tty3 FOR user1, Authentication failure

 

Using SSH to login to the same machine: 

 

Jul 11 15:20:15 localhost sshd[18666]: starting Duo Unix: PAM Duo
Jul 11 15:20:32 localhost sshd[18666]: Successful Duo login for 'user1' from 10.0.1.119
Jul 11 15:20:32 localhost sshd[18664]: Accepted keyboard-interactive/pam for user1 from 10.0.1.119 port 39716 ssh2
Jul 11 15:20:32 localhost sshd[18664]: pam_unix(sshd:session): session opened for user user1(uid=1000) by user1(uid=0)

 

And successfully via GUI.


I have tried edits in BOTH /etc/pam.d/system-auth and /etc/pam.d/login, together and separately, and all scenarios end with the same error.

system-auth:

 

# Generated by authselect on Thu Jun 20 14:10:00 2024
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
#auth        required                                  /lib64/security/pam_duo.so

auth        requisite                                    pam_unix.so nullok try_first_pass


auth        required                                   /lib64/security/pam_duo.so
auth        sufficient                                   pam_fprintd.so
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
#auth        requisite                                    pam_unix.so nullok

#auth       sufficient                                   /lib64/security/pam_duo.so
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    [success=1 default=ignore]                   pam_localuser.so
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     requisite                                     pam_unix.so
#session            sufficient                                  /lib64/security/pam_duo.so
session     optional                                     pam_sss.so

 

Login:

 

[root@localhost pam.d]# cat login
#%PAM-1.0
#auth       substack     system-auth
auth       include      postlogin
auth  required pam_env.so
auth  requisite pam_unix.so nullok try_first_pass
auth  sufficient /lib64/security/pam_duo.so
auth  requisite pam_succeed_if.so uid >= 1000 quiet_success
auth  required pam_deny.so

account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

 

Duo version installed:

 

[root@localhost pam.d]# rpmquery duo_unix
duo_unix-2.0.3-0.el9.x86_64

 

This has me stumped; any help would be appreciated. Thanks in advance.

mtttrf
Level 1

I've been running through various *nix variants to test and troubleshoot. I've found a couple of issues with the explicit path to /lib64/security/xxx. In Ubuntu, if you symlink to /lib/security, Ubuntu and Debian work as advertised with only entries in common-auth. The symlink does not work for this issue with RHEL/CentOS/Rocky. I still get an error:

 

Jul 12 20:21:32 rockytpltcli login[905]: starting Duo Unix: PAM Duo
Jul 12 20:21:39 rockytpltcli login[905]: Failsafe Duo login for 'user1': Couldn't connect to api-xxxxxxx.duosecurity.com: Failed to connect
Jul 12 20:21:39 rockytpltcli login[905]: pam_unix(login:session): session opened for user user1(uid=1000) by user1(uid=0)

 

I'm not sure what I can do about this issue :(.

 

 

Failsecure Duo login for 'user1': Couldn't connect to api-xxxxxxx.duosecurity.com: Failed to connect

This doesn't really point to it being a PAM issue. Usually this output is seen for a connectivity issue from the host to our service.

Try enabling PAM debug logging on pam_duo.so to see more details about what the Duo module is actually doing.

This should work for Rocky too: https://help.duo.com/s/article/5095?language=en_US

Duo, not DUO.
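As an added example (not from this thread or from Duo's own tooling), a small POSIX shell script that classifies the Duo Unix outcome lines quoted above: "Successful Duo login" means the second factor was verified, "Failsecure" means the API was unreachable and the login was denied, and "Failsafe" means the API was unreachable and the login was allowed through without a second factor (the second console log above shows exactly that, with pam_unix opening the session right after). The sample log is constructed from the lines in this thread; the host names, PIDs and the api-xxxxxxx address are placeholders.

```shell
#!/bin/sh
# Classify Duo Unix outcomes in /var/log/secure-style lines.
# Constructed sample, modelled on the log lines quoted in this thread
# (host names, PIDs and the api-xxxxxxx hostname are placeholders).
SAMPLE_LOG=$(cat <<'EOF'
Jul 11 15:05:34 localhost login[16610]: starting Duo Unix: PAM Duo
Jul 11 15:05:41 localhost login[16610]: Failsecure Duo login for 'user1': Couldn't connect to api-xxxxxxx.duosecurity.com: Failed to connect
Jul 11 15:05:43 localhost login[16610]: FAILED LOGIN 1 FROM tty3 FOR user1, Authentication failure
Jul 11 15:20:15 localhost sshd[18666]: starting Duo Unix: PAM Duo
Jul 11 15:20:32 localhost sshd[18666]: Successful Duo login for 'user1' from 10.0.1.119
Jul 12 20:21:32 rockytpltcli login[905]: starting Duo Unix: PAM Duo
Jul 12 20:21:39 rockytpltcli login[905]: Failsafe Duo login for 'user1': Couldn't connect to api-xxxxxxx.duosecurity.com: Failed to connect
Jul 12 20:21:39 rockytpltcli login[905]: pam_unix(login:session): session opened for user user1(uid=1000) by user1(uid=0)
EOF
)

# duo_outcomes [logfile]: print "SERVICE USER OUTCOME" for each Duo decision.
# Reads stdin when no file is given. Only the three outcome lines are
# classified; "starting Duo Unix" and pam_unix lines are ignored.
duo_outcomes() {
    awk '
        /Successful Duo login for/ { out = "MFA_OK" }
        # failmode=safe: user let in WITHOUT a second factor because the API was unreachable
        /Failsafe Duo login for/   { out = "FAILSAFE_BYPASS" }
        # failmode=secure: user denied because the API was unreachable
        /Failsecure Duo login for/ { out = "FAILSECURE_DENIED" }
        out != "" {
            svc = $5; sub(/\[.*/, "", svc)        # "login[16610]:" -> "login"
            split($0, p, "\047")                  # user name sits between the first quotes
            print svc, p[2], out
            out = ""
        }' "${1:-/dev/stdin}"
}

# count_failsafe_bypass [logfile]: number of logins that bypassed MFA via failsafe.
# A non-zero count on a console/tty service is the event worth alerting on.
count_failsafe_bypass() {
    duo_outcomes "$1" | awk '$3 == "FAILSAFE_BYPASS" { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | duo_outcomes
printf 'failsafe bypasses: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_failsafe_bypass)"
```

Point it at the real file with `duo_outcomes /var/log/secure` once the pam_duo debug logging from the linked article is in place; the Failsafe lines are the ones that mean a console login completed with no second factor.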