Deploying Multi-factor Authentication for Linux/Unix
Note: this page is concerned with configuring multi-factor authentication to protect a server and is targeted towards IT staff. Multi-factor authentication is also available to all campus users to protect email and access.caltech accounts. For more information about multi-factor authentication for all campus users, see Multi-factor Authentication.
This page contains instructions for configuring a system to require Multi-factor Authentication using Duo in order to connect via SSH.
Important notes
- If you don't need to access a system remotely, remote access should be disabled
- If you need to allow remote access to a system, you should place network level restrictions on remote access, regardless of whether or not you require multi-factor
- Do not allow more than one method of remote access. This page concerns SSH; following these instructions will result in multi-factor being required for SSH, not for other methods of remote access.
Prerequisites
- SSH users need to be added as users in Duo, if they haven't been already. Contact the Help Desk for Duo user management requests.
- The system on which Duo will be added must allow network traffic to Duo's servers
Getting started
Email security@caltech.edu with the following information:
- Server name
- Integration type (the service to be protected, e.g. SSH, Microsoft RDP, etc.)
We will respond with a GPG encrypted file (or password protected zip file) containing a set of Duo API keys. The secret key must remain confidential. If you ever have any doubts about the confidentiality of your Duo secret key, tell us immediately and we can easily generate a new key for you. Use the Duo keys when following the service specific instructions to configure your system to require multi-factor authentication.
Pam_duo vs login_duo
Duo offers two methods of integrating multi-factor authentication to protect SSH logins. The recommended method is pam_duo, which supports SSH and local logins. The alternative method is login_duo. See the links below for more information. The rest of this document concerns using pam_duo. You should use pam_duo, unless there is a good reason not to.
Installing Duo
At this point, you should have already received a set of Duo API keys from Information Security including: API Hostname, Integration Key, and Secret Key.
- Download and extract the latest version of duo_unix (checksum for verification). Change to the extracted directory (note your actual extracted directory name reflects the version downloaded; the example syntax below references version 1.10.1).
$ wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
$ tar zxf duo_unix-latest.tar.gz
$ cd duo_unix-1.10.1
- Build and install duo_unix with PAM support (pam_duo). (For advanced build options, see the README file in the source tarball.)
$ ./configure --with-pam --prefix=/usr && make && sudo make install
- Once duo_unix is installed, edit /etc/duo/pam_duo.conf (in /etc/duo or /etc/security) to add the integration key, secret key, and API hostname from your Duo Unix application.
[duo]
; Duo integration key
ikey = INTEGRATION_KEY
; Duo secret key
skey = SECRET_KEY
; Duo API hostname
host = API_HOSTNAME
Public Key Authentication
- If you would like to use pam_duo with SSH public key authentication, make the following changes to your sshd_config file (usually in /etc or /etc/ssh).
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
Note that you cannot support a choice of either password or key authentication on the same SSH service if you are also requiring Duo. Duo will work with password authentication and it will work with key authentication, but not both forms of authentication on the same service.
PAM Configuration
- You'll need to modify your system's PAM configuration to include a line like the following:
auth required pam_duo.so
The location of this line and the specified control flag (e.g. "required", "requisite", "sufficient") varies. For most common configurations, place pam_duo directly after pam_unix (frequently found in common-auth or system-auth on Linux), set pam_unix's control flag to "requisite", and set pam_duo's control flag to whatever pam_unix used to be.
If you want to use pam_duo with your installation of OpenSSH sshd, set both UsePAM and ChallengeResponseAuthentication to yes in your sshd_config file (usually in /etc or /etc/ssh). You should also set UseDNS to no so that PAM Duo is always passed the IP address of the connecting user, rather than the resolved hostname.
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
PAM examples
- Amazon Linux
/etc/pam.d/system-auth
Before:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
After:
auth required pam_env.so
# auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
SSH Public Key Authentication
/etc/pam.d/sshd
Before:
auth required pam_sepermit.so
auth substack password-auth
After:
auth required pam_sepermit.so
# auth substack password-auth
auth required pam_duo.so
Now when you SSH to this server you should see a Duo prompt.
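To confirm a host was set up as described above before relying on it, the following audit script (an added example, not Duo's or Information Security's own code) checks that pam_duo.conf has its three keys and is readable only by its owner, that the first occurrence of each required sshd_config keyword carries the expected value, and that pam_unix.so is "requisite" with pam_duo.so after it in the auth stack. It assumes GNU or BSD stat, awk and grep; the sample files it creates are constructed placeholders, so point it at the real paths on a live host.

```shell
#!/bin/sh
# Audit helpers for the pam_duo setup described above (added example, not Duo's code).
# Assumes GNU or BSD stat, awk and grep; pass the real file paths on a live host.

# 0 if pam_duo.conf defines ikey, skey and host and is readable only by its owner.
check_pam_duo_conf() {
    f="$1"
    for key in ikey skey host; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:];]+" "$f" ||
            { echo "$f: $key is not set"; return 1; }
    done
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f: mode $mode exposes the secret key"; return 1 ;;
    esac
}

# 0 if the FIRST occurrence of each keyword (sshd honours the first one) has
# the value the page requires for pam_duo.
check_sshd_config() {
    f="$1"
    for want in "UsePAM yes" "ChallengeResponseAuthentication yes" "UseDNS no"; do
        k=${want% *}; v=${want#* }
        got=$(grep -Ei "^[[:space:]]*$k[[:space:]]" "$f" | head -n 1 | awk '{print tolower($2)}')
        [ "$got" = "$v" ] || { echo "$f: expected '$want', first setting is '$got'"; return 1; }
    done
}

# 0 if, in a PAM auth stack, pam_unix.so is "requisite" and pam_duo.so comes after it:
# a failed password then stops the stack before Duo is ever prompted.
check_pam_stack() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $3 == "pam_unix.so" { unix_line = NR; unix_ok = ($2 == "requisite") }
        $1 == "auth" && $3 == "pam_duo.so"  { duo_line = NR }
        END { exit !(unix_ok && duo_line > unix_line) }
    ' "$1"
}

# Constructed sample files (placeholders, not real keys) so the checks run offline.
tmp=$(mktemp -d)
printf '%s\n' '[duo]' 'ikey = INTEGRATION_KEY' 'skey = SECRET_KEY' 'host = API_HOSTNAME' > "$tmp/pam_duo.conf"
chmod 600 "$tmp/pam_duo.conf"
printf '%s\n' 'UsePAM yes' 'ChallengeResponseAuthentication yes' 'UseDNS no' > "$tmp/sshd_config"
printf '%s\n' 'auth required pam_env.so' 'auth requisite pam_unix.so nullok try_first_pass' \
    'auth sufficient pam_duo.so' 'auth required pam_deny.so' > "$tmp/system-auth"
check_pam_duo_conf "$tmp/pam_duo.conf" && check_sshd_config "$tmp/sshd_config" &&
    check_pam_stack "$tmp/system-auth" && echo "all checks passed"
```

The stack check applies to a system-auth or common-auth style file that contains pam_unix; a bare /etc/pam.d/sshd stack like the one in the last example above has no pam_unix line and so is not what it is meant to judge.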