Searched, but this didn’t seem to come up and this seems like something that should have?
Using PAM for Duo and remote logins (the password-auth stack, basically) and also for system-auth. My question is this: is there any way to set two different pam_duo.conf behaviors? So that people coming in via ssh, for example, would get failmode = secure, but connections to our management network and consoles, arguably a touch more secure, could get failmode = safe?
I've got both bypassing local users (for now? or forever? Who knows?) but Duo prompting AD accounts.
Without using the login_duo approach (it seems disfavored, right?), since PAM is the recommendation according to the docs: "We recommend deploying the pam_duo module in most scenarios."
And I think it would be more streamlined to boot if possible
With both Duo PAM and login_duo, there can only be one config file, and as such one failmode setting.
Unfortunately you cannot have both behaviours for different PAM stacks. This would be an interesting feature and I do recommend reaching out to Duo Support to log a feature request for this and associate it with your account.
My recommendation in your instance would be to be as secure as possible. i.e. use failmode=secure.
At the end of the day the failmode will only define what the behaviour should be when connectivity to the Duo cloud is unavailable.
A potential workaround for this would be to have multiple internet connections from different providers in high availability for your system.
In this way you are best prepared for such outages whilst not compromising security.
Also do note that in a pinch you can always use single-user mode to make configuration changes.
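Because the single pam_duo.conf applies to every PAM stack that reaches pam_duo.so (directly, or through an `include`/`substack` of password-auth or system-auth), it helps to know exactly which services would fail open under failmode = safe. The audit below is an added example for this thread, not Duo's own code; it works on constructed, inline copies of RHEL-style /etc/pam.d files and a pam_duo.conf, and assumes pam_duo's documented default of failmode = safe when the key is absent.

```python
"""Audit which PAM service stacks would fail open when the Duo cloud is unreachable."""
import configparser

# Constructed sample stacks (file name -> contents); not taken from a real host.
PAM_STACKS = {
    "sshd": "auth required pam_sepermit.so\nauth substack password-auth\n",
    "password-auth": "auth required pam_env.so\nauth required pam_duo.so\n",
    "system-auth": "auth required pam_env.so\nauth sufficient pam_unix.so\n",
    "login": "auth substack system-auth\n",
}
# Constructed pam_duo.conf; only the failmode value matters for this audit.
PAM_DUO_CONF = "[duo]\nikey = DIXXXXXXXXXXXXXXXXXX\nfailmode = safe\n"


def duo_failmode(conf_text: str) -> str:
    """Return failmode from the [duo] section; pam_duo defaults to 'safe' (assumption)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser.get("duo", "failmode", fallback="safe").strip().lower()


def stack_loads_duo(name: str, stacks: dict, seen=None) -> bool:
    """Follow 'auth include/substack' lines to see whether pam_duo.so is reached."""
    seen = set() if seen is None else seen
    if name in seen or name not in stacks:
        return False
    seen.add(name)
    for raw in stacks[name].splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        # Bracketed controls such as "[success=1 default=ignore]" contain spaces.
        idx = 2
        if fields[1].startswith("["):
            while idx < len(fields) and not fields[idx - 1].endswith("]"):
                idx += 1
        if idx >= len(fields):
            continue
        control, module = fields[1], fields[idx]
        if control in ("include", "substack"):
            if stack_loads_duo(module, stacks, seen):
                return True
        elif module.rsplit("/", 1)[-1] == "pam_duo.so":
            return True
    return False


def fail_open_stacks(stacks: dict, conf_text: str) -> list:
    """Stacks that would grant access without Duo while the Duo cloud is unreachable."""
    if duo_failmode(conf_text) != "safe":
        return []
    return sorted(s for s in stacks if stack_loads_duo(s, stacks))
```

On a real host, replace the constructed dictionaries with the contents of /etc/pam.d/* and /etc/duo/pam_duo.conf; any stack the function lists is one where failmode = secure is the conservative choice the answer above recommends.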