One user is having repeated failures when trying to log onto a server protected by Duo. The failures are limited to the one user. No one else seems to be having any problems.
I tried in no particular order:
restarting sshd
disabling selinux.
Resetting...
On our linux machines, secure shell (openssh) is configured to only allow designated jump or bastion servers to log in. Access to the jump servers is controlled by duo.
One user, who does not have a supported Android or iOS phone, wants to use a Yub...
For testing I linked a test account to a phone. To test a possible hack, I later associated that same phone with my account. Is there any way to remove the test phone from my account without affecting the test account?
I have tentative approval to move ahead with Duo for 2FA on Linux instead of Okta ASA. I can’t say I am unhappy with that…
So I have a couple of questions. These are not show stoppers but may help to ease the adoption.
Can duo push use other authe...
I originally put this question in the wrong forum so I am trying again here.
Is it possible to configure duo and ssh for linux such that a user only has to log in once a day to any particular server? The idea is to log in once and then open as many ot...
Looks like it is still broken – at least in Oracle 8 EPEL.
About two days ago, I upgraded my “backup” jump server running Oracle Linux 8.7 and duo stopped working. I finally tracked it down to the duo_unix package in oracle-EPEL repository for OL8.
...
A couple of more questions if you do not mind:
If we move up to a paid tier will users be able to register their own tokens?
What would be the cost for Duo tokens? I know we’d have to buy at least ten.
You could try a match block for the special accounts
Match User service1, service2, service3, etc
AuthenticationMethods publickey gssapi-with-mic password
It’s making a little more sense now. The user registered his Yubikey as a WebAuthn device. If I understand the documentation, WebAuthn is for authentication from within a browser and is not appropriate for secure shell. Please correct me if I am wron...
Did you make sure that pam_duo.conf was correctly configured?
If it is correct then look at sshd_config. Some options that might be relevant to your situation are:
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keybo...