Documentation
Duo Unix - Two-Factor Authentication for SSH - Release Notes
Last Updated: June 5th, 2024Contents
Duo can be easily added to any Unix system to protect remote (SSH) or local logins with the addition of a simple pam_duo
PAM module. It has been tested on Linux (RedHat, Fedora, CentOS, Debian, Ubuntu, Amazon Linux), BSD (FreeBSD, NetBSD, OpenBSD), Solaris, and AIX. The code is open-source and available on GitHub.
Download the current release from the Checksums and Downloads page.
duo_unix-2.0.3 - January 16, 2024
- Fixed AIX compilation bug.
- Support script now fetches correct log and PAM files for Solaris and AIX.
- Fedora 34 and 37 are no longer supported.
- Centos 7, Centos Stream 8, Debian 10, and Fedora 38 support is deprecated and will be removed in the next release.
duo_unix-2.0.2 - July 31, 2023
- Make check now successfully runs on Solaris.
- Added package support for Debian 12, Fedora 37, and Fedora 38.
- Fedora 34 support is deprecated and will be removed in the next release.
- Fedora 37 support will also be removed in the next release.
- Ubuntu 18.04 and Debian 9 are no longer supported.
duo_unix-2.0.1 - April 6, 2023
- The duo_unix_support script collects a few additional files for troubleshooting.
- Duo API calls now use SHA512 instead of SHA1 as the HMAC algorithm.
- Ubuntu 18.04 and Debian 9 support is deprecated and will be removed in the next release.
duo_unix-2.0.0 - October 25, 2022
- Updated
su
behavior so that when UserA attemptssu
to UserB then UserB will receive the Duo 2FA request. In previous releases UserA would have received the 2FA request. This behavior is not configurable. See the Duo Unix FAQ for details. -
login_duo
now resets the SIGPIPE handler when it closes its connection. - Added logging when Duo is invoked to assist troubleshooting.
- Updated package signing to SHA512.
duo_unix-1.12.1 - June 2, 2022
- Added package support for Fedora 34, Red Hat 9, CentOS Stream 8, CentOS Stream 9, and Ubuntu 22.04.
- CentOS 8 and Ubuntu 14.04 and 16.04 no longer supported.
- Updated GPG public key for downloading distribution packages; now SHA512 instead of SHA1.
duo_unix-1.12.0 - February 2, 2022
- Duo Unix now uses JSON rather than BSON.
- CentOS 8 and Ubuntu 14.04 and 16.04 support is deprecated and will be removed in the next release.
duo_unix-1.11.5 - November 30, 2021
- Added support for Debian 11.
- Debian 8, CentOS 6 no longer supported. Red Hat 6 no longer supported with packages.
- Fixed MOTD display for non-interactive sessions.
- The support tool now also collects the sudo PAM configuration file.
- Updated pinned certificates.
duo_unix-1.11.4 - May 18, 2020
- Added support for Ubuntu 20.04.
- Added support tool to collect information (e.g. logs and PAM stacks) you can send to Duo Support when troubleshooting issues.
- Ubuntu 12.04 no longer supported.
- Debian 8 and CentOS 6 support is deprecated and will be removed in the next release.
- Updated GPG public key for downloading distribution packages.
duo_unix-1.11.3 - October 2019
- Support for CentOS 8, Red Hat 8, and Debian 10.
- Improved validation of BSON messages.
- Updated GPG public key for downloading distribution packages.
- Ubuntu 12.04 support is deprecated and will be removed in the next release.
duo_unix-1.11.2 - June 2019
- Published a guide to recommended Kerberos configuration for Duo Unix. Thanks to Neal Poole at Facebook for bringing expertise and attention to this topic.
- Updated SELinux policy to allow local logins to use the pam_duo PAM module and made sshd configurable. This requires installation of
selinux-policy-devel
on CentOS and RHEL 7 as a prerequisite. - Added support for spaces in group names when escaped with backslashes in pam_duo.conf and login_duo.conf
- Debian 7 no longer supported.
duo_unix-1.11.1 - November 2018
- Fixed bug causing console login to fail on certain systems.
- Debian 7 support is deprecated and will be removed in the next release.
duo_unix-1.11.0 - October 2018
- Added configuration options for parsing the Duo username out of the GECOS field:
gecos_username_pos
andgecos_delim
. - Support for Debian 9 (Stretch).
- CentOS 5 no longer supported.
duo_unix-1.10.5 - September 2018
- CentOS 5 support is deprecated and will be removed in the next release.
- Fixed a bug that caused a segfault on systems where the hostname wasn't retrievable.
duo_unix-1.10.4 - August 2018
- CentOS 5 support is deprecated and will be removed in a future release.
- Support for TLS 1.2.
- Support for LibreSSL 2.7.0 and up.
- Support for Ubuntu 18.04 (Bionic Beaver).
- Minor memory leak fixes.
- Output a message during authentication when a user is locked out.
- FIPS-compliant when run on a system with FIPS enabled system-wide.
- Sends the hostname to Duo's service so that it appears in the authentication logs.
Note that releases between 1.10.1. and 1.10.4 contained no code changes.
duo_unix-1.10.1 - August 2017
- Fixed bug causing automated tests to fail on OSX.
- Addressed an issue which kept configuration secrets in memory for longer than necessary.
duo_unix-1.10.0 - June 2017
- Added LibreSSL support.
- Added additional GECOS parsing support.
- Increased OSX group count.
duo_unix-1.9.21 - May 2017
- Only allow http_proxy to be defined in configuration file instead of environment. PSA-2017-002
duo_unix-1.9.20 - May 2017
- Fix installation on AIX systems.
- Add support for using OpenSSL 1.1.0.
- Link
libduo
statically to address issues with theldconfig
cache and incompatibilities between versions. - Fixed a bug that produced incorrect SNI when using a proxy.
duo_unix-1.9.19 - August 2016
- Restore the
http_proxy
environment variable after Duo is done. - Added
https_timeout
config option topam_duo
. - Handles missing shell and adds default if not specified in
getpwuid
. - Add SNI support and a guard for systems that don't support SNI.
- Bug fixes for timeouts and fallback ip addresses.
- Debian 6 no longer supported.
duo_unix-1.9.18 - January 2016
- Added HTTP proxy connection error handling.
- Improved compatibility with Solaris and AIX.
- Debian 6 support is deprecated and will be removed in the next release.
duo_unix-1.9.17 - October 2015
- Fixed PAM return code issue.
duo_unix-1.9.16 - October 2015
- Test fixes.
- Compilation fixes.
duo_unix-1.9.15 - September 2015
- SELinux policy module package support.
- PAM module improvements.
- Removed deprecated SHA1 Entrust CA.
duo_unix-1.9.14 - January 2015
- Added SELinux policy module.
- Improve
poll(2)
error handling.
duo_unix-1.9.13 - October 2014
- Bugfixes for signal handling.
duo_unix-1.9.12 - September 2014
- Include https_timeout configuration parameter.
- IPv6 support on systems that have
getaddrinfo
.
duo_unix-1.9.11 - April 2014
- Improve compatibility with FreeBSD 10.
duo_unix-1.9.10 - April 2014
- Use the correct timeout when polling.
duo_unix-1.9.9 - April 2014
- Use poll(2) instead of select(2) for timeouts to support busy systems with many open file descriptors.
- Send User-Agent header with each request.
duo_unix-1.9.8 - April 2014
- Improve support for SHA2 in HTTPS.
duo_unix-1.9.7 - January 2014
- Allow using accept_env_factor with SSH.
- Allow using autopush with PAM on Mac OS X.
See the CHANGES file on GitHub for extended version history.