I have submitted a couple feature requests for Offline Authentication for Unix but it would seem that after 4 months, no plan to implement this feature is in sight. It’s to the point where I may have to start looking at other 2FA providers. This is very unfortunate because up until this point, I have had very minimal issues with Duo and I have also received very good support back when I was doing an 802.1x deployment.
Am I the only person who is looking for this feature? Surely there are other Linux heavy environments out there that would LOVE to have this feature. If you also have a need for this feature, I would suggest that you also submit a feature request via Duo’s support system.
Even an answer like, “We plan to implement this feature some time in 2023,” would be more than enough for me.
Sorry, I know this is an older post, but I am also trying to setup offline auth on Ubuntu. I am trying to setup the config you mention but I can't seem to get the pam_duo module to hand-off auth if it fails. It seems to only adhere to the settings related to 'safe' or 'secure' fails meaning if it's setup to fail 'safe' it just allows the logon without passing auth to google-authenticator.
Can you please post some additional details of your config?