Duo Unix - Two-Factor Authentication for SSH (login_duo)

Overview

Duo can be enabled on any Unix system with the addition of a simple login_duo utility. We recommend deploying our pam_duo module with Pluggable Authentication Modules (PAM) support instead of login_duo in most scenarios for the most secure and customizable experience, especially if port forwarding and tunneling is used in your environment.

FIPS Support

Duo Unix is FIPS-compliant as of version 1.10.4 when run on any machine that has an operating system-wide FIPS mode (like CentOS/RedHat 7, Ubuntu 16.04, etc.). No additional flags or options are required.

Walkthrough Video

First Steps

Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.

Then you'll need to:

1. Sign up for a Duo account.
2. Log in to the Duo Admin Panel and navigate to Applications.
3. Click Protect an Application and locate UNIX Application in the applications list. Click Protect to get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
4. If you plan to build Duo Unix from source, download the latest version of the duo_unix tarball (view checksum). From the command line you can use curl or wget to download the file, like $ wget --content-disposition https://dl.duosecurity.com/duo_unix-latest.tar.gz.

Build and Install from Source

Install login_duo Prerequisites

OpenSSL development headers and libraries are required for login_duo. When compiling on SUSE/SLES, the zlib package is also necessary.

You also need a compiler like gcc installed on your system to build Duo Unix.

Install login_duo

Once the required dependencies are built and installed, build and install duo_unix.

1. Extract the downloaded tarball for duo_unix and change to the extracted directory (note your actual extracted directory name reflects the actual version downloaded; the example syntax below references version 2.0.3). View checksums for Duo downloads here.

   $ tar zxf duo_unix-latest.tar.gz
    $ cd duo_unix-2.0.3

2. Build and install duo_unix.

   $ ./configure --prefix=/usr && make && sudo make install

   For advanced build options, see the README file in the source tarball.

3. Once installed, proceed to Duo configuration.

Install from Linux Packages

To more easily install and maintain Duo Unix deployments, we've built Linux packages for some popular Linux distributions. Duo tests these packages against the specific listed versions of their respective distributions.

Please test all packages thoroughly prior to deploying them into your environment to ensure a great experience. Note that we exclusively provide Duo Unix install packages at pkg.duosecurity.com and cannot guarantee packages obtained from other sources.

When installing Duo Unix from packages, there is no need to also install the build-from-source prerequisites on the target systems.

To download the packages, you'll need Duo's GPG key. The GPG key verifies the Duo Unix package for currently supported OS distributions and versions.

We updated the Duo GPG key for packages on supported distros on May 18, 2020. If you installed Duo Unix from packages before May 2020, be sure to update your previously imported GPG key using command for your distro the before the next time you install or upgrade Duo Unix.

The current Duo GPG key expires in May 2030.

OS distributions identified as no longer supported in the distro-specific packages sections use a previous GPG key. We won't replace or update the GPG key on these EOL versions when it expires, and urge you to update to a supported OS.

[duosecurity]
name=Duo Security Repository
baseurl=https://pkg.duosecurity.com/CentOSStream/$releasever/$basearch
enabled=1
gpgcheck=1

# rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc
# yum install duo_unix

[duosecurity]
name=Duo Security Repository
baseurl=https://pkg.duosecurity.com/CentOS/$releasever/$basearch
enabled=1
gpgcheck=1

# rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc
# yum install duo_unix

[duosecurity]
name=Duo Security Repository
baseurl=https://pkg.duosecurity.com/Fedora/$releasever/$basearch
enabled=1
gpgcheck=1

# rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc
# yum install duo_unix

deb [arch=amd64] https://pkg.duosecurity.com/Ubuntu bionic main

deb [arch=amd64] https://pkg.duosecurity.com/Ubuntu focal main

deb [arch=amd64] https://pkg.duosecurity.com/Ubuntu jammy main

# curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -
# apt-get update && apt-get install duo-unix

# curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo gpg --dearmor -o  /etc/apt/trusted.gpg.d/duo.gpg
# apt-get update && apt-get install duo-unix

[duosecurity]
name=Duo Security Repository
baseurl=https://pkg.duosecurity.com/RedHat/$releasever/$basearch
enabled=1
gpgcheck=1

# rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc
# yum install duo_unix

deb https://pkg.duosecurity.com/Debian stretch main

deb https://pkg.duosecurity.com/Debian buster main

deb https://pkg.duosecurity.com/Debian bullseye main

# curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -
# apt-get update && apt-get install duo-unix

Once the Duo Unix package is installed, proceed to Duo configuration.

Duo Configuration

The login_duo.conf configuration file uses the INI format.

Once duo_unix is installed, edit login_duo.conf (in /etc/duo or /etc/security) to add the integration key, secret key, and API hostname from your Duo Unix application.

You may also add optional Duo configuration options to login_duo.conf. See the table below for all available settings.

[duo]
; Duo integration key
ikey = INTEGRATION_KEY
; Duo secret key
skey = SECRET_KEY
; Duo API hostname
host = API_HOSTNAME

Duo Configuration Options

groups=users,!wheel,!*admin guests

Example configuration file with additional options:

[duo]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=X1hXztPX1rb1X71x1wXkpnmXXvqXXXqqj1XoXbbXu
host=api-xxxxxxxx.duosecurity.com
pushinfo=yes
autopush=yes

For more information, see the man page for login_duo.

Test Your Setup

Verify that Duo Unix works properly, and then enable it for logins.

Test login_duo

As a regular user, test login_duo manually by running

$ /usr/sbin/login_duo

On some systems, you may instead have to run /usr/local/sbin/login_duo.

If everything is set up correctly and your username doesn't exist in Duo, you'll be given an enrollment link:

Visit the URL, enroll your phone, and then try login_duo again, this time adding a command to run after authentication is complete:

$ /usr/sbin/login_duo echo 'YOU ROCK!'

You should see something like this:

If you are having trouble with these steps, or if you aren't getting a Duo login prompt, try running login_duo with the -d flag to enable debug output.

Enable login_duo

To protect remote access via SSH, use login_duo.

To enable two-factor authentication for any SSH login method (password, pubkey, etc.) for any user, edit your sshd_config (usually in /etc or /etc/ssh) to add the following line:

ForceCommand /usr/sbin/login_duo

This ForceCommand directive instructs sshd to run login_duo (to perform two-factor authentication) before any other requested commands. However, according to the sshd documentation: "The command is invoked by using the user's login shell with the -c option." This means that shell rc files (e.g. .bashrc, .cshrc, etc.) execute before login_duo; if users can edit these files, they may be able to disable Duo authentication for their own accounts. Keep in mind that ForceCommand also disables command=. Mitigate these issues by deploying pam_duo instead of login_duo.

We strongly recommend that you disable PermitTunnel and AllowTcpForwarding in your sshd_config when using login_duo to protect SSH logins. Since OpenSSH sets up port forwarding and tunneling before Duo's two-factor challenge, an attacker may be able to access internal services via port forwarding before completing secondary authentication. Adding the following lines to your sshd_config will prevent this scenario:

PermitTunnel no
AllowTcpForwarding no

You can also optionally limit two-factor authentication to a subset of users whose primary or supplementary group is specified in login_duo.conf. For example:

group = wheel

If you'd like to enable Duo only for specific accounts using SSH pubkeys, use the command option in those users' authorized_keys instead. For example, to verify each admin authorized to log into a shared root account, your ~/.ssh/authorized_keys might look something like this:

command="/usr/sbin/login_duo -f user1" ssh-dss FRP...FD== user1@company
command="/usr/sbin/login_duo -f user2" ssh-dss YUX...IO== user2@company

Now restart the SSH service.

This also works for user-local installations (e.g. in $HOME/bin) without root access — just specify the location of login_duo.conf with the -c flag.

Troubleshooting

Need some help? Take a look at the Duo UNIX Frequently Asked Questions (FAQ) page or try searching our Duo UNIX Knowledge Base articles or Community discussions. For further assistance, contact Support.

If you open a support case with Duo, be sure to use the Duo Unix Support Tool to create a tarball you can send to the support engineer to aid with troubleshooting.

Network Diagram

1. SSH connection initiated
2. Primary authentication
3. Duo Unix connection established to Duo Security over TCP port 443
4. Secondary authentication via Duo Security’s service
5. Duo Unix receives authentication response
6. SSH session logged in