12-09-2022 09:19 AM
I’m on a Mac with Ventura and wondering if I can add MFA to OpenSSH. It seems from this link that Duo Authentication only works for console logins (eg: NOT ssh) and to try Duo Unix if needing MFA for SSH Login protection. On the Duo Unix page however, many platforms are listed under Build and Install from Source however Mac OS isn’t one of them.
Anyone know if Mac OS works with Duo Unix or not?
Seems to be like one person tried it in 2017. I downloaded Duo Unix today and tried building it but something is funky with the compiler flags. When running ./configure per the instructions I get:
checking whether compiling and linking against OpenSSL works... no
configure: error: in `/Users/tblader/src/duo/duo_unix-2.0.0':
configure: error: OpenSSL not found
See `config.log' for more details
Buuuut… OpenSSL has been installed via brew:
$ brew search openssl
==> Formulae
glib-openssl openslp opensc opencsg
openssl@1.1 ✔ openssh open-sp openmsx
openssl@3 ✔
I’ve exported the proper variables as directed by the brew install command:
export LDFLAGS="-L/opt/homebrew/opt/openssl@3/lib"
export CPPFLAGS="-I/opt/homebrew/opt/openssl@3/include"
So I looked in config.log and found the compiler and linker commands along with the conftest.c program it was trying to compile:
Trying link with OPENSSL_LDFLAGS=; OPENSSL_LIBS=; OPENSSL_INCLUDES=
configure:13095: gcc -o conftest -Wall -D_FORTIFY_SOURCE=2 -fPIE -fstack-protector -I/opt/homebrew/opt/openssl@3/include conftest.c >&5
Undefined symbols for architecture arm64:
"_SSL_new", referenced from:
_main in conftest-1753b3.o
ld: symbol(s) not found for architecture arm64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
#include <openssl/ssl.h>
int main ()
{
SSL_new(NULL);
return 0;
}
configure:13103: result: no
I made a conftest.c source file and tried compiling it by hand to make sure I was getting all the error messages:
$ export LDFLAGS="-L/opt/homebrew/opt/openssl@3/lib"; export CPPFLAGS="-I/opt/homebrew/opt/openssl@3/include"
$ gcc -o conftest -Wall -D_FORTIFY_SOURCE=2 -fPIE -fstack-protector -I/opt/homebrew/opt/openssl@3/include conftest.c
Undefined symbols for architecture arm64:
"_SSL_new", referenced from:
_main in conftest-c151b6.o
ld: symbol(s) not found for architecture arm64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
Is this supposed to work or is this the reason MacOS isn’t listed on the Duo Unix page?
12-10-2022 03:18 PM
Hello @Tee
Welcome to Duo Security Community
Yes, our officially supported method to protect macOS is Duo Authentication for macOS.
It is possible to install Duo Unix on macOS, but we do not officially support this integration so please proceed at your own risk.
Please contact Duo Support to be added to the feature request.
12-12-2022 04:38 AM
Hiro,
Thank you for clarifying. Our org has a new-ish security policy stating mandatory MFA for remote (ssh) access, and not just console logins, so kind of need to have this working… or tell everyone we need to switch from mac to a device with more complete support and that would not go so well.
After a lot of digging around the internet, I was able to get duo_unix-2.0.0 compiled over the weekend by symlinking openssl from the homebrew install location → /usr/local/include/openssl.
MFA with ssh is working for now but I’ll work with our Duo admins to get a feature request in.
Thanks!
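Added example, not part of any post in this thread and not Duo's code: a shell check that reads the compile line from the config.log excerpt in the first post and reports which linker inputs it lacks, then builds the compile and link flags for an OpenSSL install prefix. The function names are hypothetical; the Homebrew path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# missing_link_flags "CMD": list the linker inputs a compile command lacks
# for an OpenSSL link test. Prints "none" or a subset of "-L -lssl".
missing_link_flags() {
    has_L=0; has_ssl=0
    set -f                      # no globbing while splitting the command
    for arg in $1; do
        case $arg in
            -L*)   has_L=1 ;;   # a library search path was given
            -lssl) has_ssl=1 ;; # libssl, which defines SSL_new, is linked
        esac
    done
    set +f
    out=""
    if [ "$has_L" -eq 0 ]; then out="-L"; fi
    if [ "$has_ssl" -eq 0 ]; then out="${out:+$out }-lssl"; fi
    echo "${out:-none}"
}

# openssl_flags PREFIX: print compile and link flags for an OpenSSL install
# under PREFIX, or fail if the header or the library is not there.
openssl_flags() {
    prefix=$1
    if [ ! -f "$prefix/include/openssl/ssl.h" ]; then
        echo "no openssl/ssl.h under $prefix/include" >&2
        return 1
    fi
    found=0
    for lib in "$prefix"/lib/libssl.*; do
        if [ -e "$lib" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no libssl under $prefix/lib" >&2
        return 1
    fi
    echo "-I$prefix/include -L$prefix/lib -lssl -lcrypto"
}

# Compile line copied from the config.log excerpt in the first post.
CONFIG_LOG_CMD='gcc -o conftest -Wall -D_FORTIFY_SOURCE=2 -fPIE -fstack-protector -I/opt/homebrew/opt/openssl@3/include conftest.c'
missing_link_flags "$CONFIG_LOG_CMD"

# With the prefix quoted in the thread, the hand test would become:
#   gcc -o conftest conftest.c $(openssl_flags /opt/homebrew/opt/openssl@3)
```

Exporting LDFLAGS and CPPFLAGS only affects a build that expands them; a gcc command typed by hand needs the -L and -l arguments on its own command line.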