
Linux ssh pam and KbdInteractive

Tamerlane
Level 1

I have set up Duo for Unix on several Ubuntu 20, 22 and 24 machines.

On all machines, the "pamtester -v ssh myname authenticate" command triggers a push, then follows up with a prompt for a password (as expected).

On some machines, ssh only requires a password. I can't figure out what is different.

On problem machines I have tried to explicitly set the correct ssh settings, or various combos.

# cat /etc/ssh/sshd_config.d/1-sshd-duo.conf
KbdInteractiveAuthentication yes
UseDNS no
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
#

I think the first 3 are must-haves. Not sure about the last 2.

Any thoughts?

Thanks

balaji.bandi
Hall of Fame

Check the document below; it explains what needs to be configured based on the requirement:

https://duo.com/docs/duounix#pam-configuration

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****


Tamerlane
Level 1

Turns out there was a typo.

I had a working /etc/pam.d/sshd config. I created a script to copy that and other pam.d files to other machines. But I had a typo in the script that copied /etc/pam.d/sshd to /etc/pam.d/ssh. "pamtester ssh" verifies the ssh file is valid even though it was for a non-existent service. Moving /etc/pam.d/ssh to /etc/pam.d/sshd fixed the issue.
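
The failure mode found above, as an added check that is not part of the original thread: a POSIX shell function that confirms pam_duo.so is in the PAM stack of the service name sshd requests, following @include, include and substack lines. It assumes the OpenSSH default service name "sshd" and Duo's module file name pam_duo.so; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes sshd's default PAM service
# name "sshd" and Duo's module file name pam_duo.so.

# pam_stack DIR SERVICE [DEPTH]: print the effective rules of a service,
# following "@include X" and "<type> include|substack X" lines.
pam_stack() (
    dir=$1 svc=$2 depth=${3:-0}
    [ -f "$dir/$svc" ] || exit 1
    [ "$depth" -lt 8 ] || exit 0          # guard against include loops
    while read -r a b c rest; do
        case $a in
            ''|'#'*) continue ;;          # blank line or comment
            @include) pam_stack "$dir" "$b" $((depth + 1)) || true ;;
            *) case $b in
                   include|substack) pam_stack "$dir" "$c" $((depth + 1)) || true ;;
                   *) echo "$a $b $c $rest" ;;
               esac ;;
        esac
    done < "$dir/$svc"
)

# check_sshd_duo [DIR]: 0 = pam_duo.so is in the sshd stack,
# 1 = DIR/sshd is missing, 2 = DIR/sshd exists but never reaches pam_duo.so.
check_sshd_duo() {
    dir=${1:-/etc/pam.d}
    if [ ! -f "$dir/sshd" ]; then
        echo "FAIL: $dir/sshd missing"
        rc=1
    elif pam_stack "$dir" sshd | grep -q 'pam_duo\.so'; then
        echo "OK: pam_duo.so is in the sshd stack"
        rc=0
    else
        echo "FAIL: $dir/sshd does not reach pam_duo.so"
        rc=2
    fi
    # The thread's typo: a valid stack saved under a name sshd never requests.
    if [ -f "$dir/ssh" ]; then
        echo "WARN: $dir/ssh exists; sshd reads $dir/sshd, not this file"
    fi
    return "$rc"
}
# Usage: check_sshd_duo /etc/pam.d
```

When /etc/pam.d/sshd is missing, Linux-PAM falls back to /etc/pam.d/other, so running "pamtester -v sshd myname authenticate" with the service name sshd exercises the stack sshd actually gets.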

DuoKristina
Cisco Employee

@Tamerlane Glad you identified the issue! If it isn't too much trouble, would you mind marking this as solved?

Duo, not DUO.