Duo Unix: Three New Features You’ll Love
We are fortunate at Duo to have a few brilliant interns work with us each summer. One such intern this summer was David Adrian, a student at the University of Michigan. During his couple months on the team, David worked on numerous projects, including Duo Unix, which easily provides two-factor authentication support for PAM and OpenSSH.
Thanks to David, we are happy to announce a number of enhancements that are available in the current 1.9.4 release. Below is a quick summary of David's contributions to Duo Unix's functionality over the summer.
AutopushDuo Push is the most secure authentication method that Duo provides, so why not use it by default? Enabling autopush = yes in the Duo configuration will skip the method selection prompt and send a push notification straight to your phone. If you’re using autopush, you should also set prompts = 1 to limit the number of prompts a user will receive per login to 1.
In the case that a user doesn't have a push capable phone, autopush will drop to the next available method, usually a phone call.
Message of the DaySince login_duo runs as a ForceCommand in OpenSSH, it prevents the PrintMotd option in sshd_config from functioning as expected. Setting motd = yes in the Duo configuration will cause Duo to print /etc/motd after a successful login.
Environment Passcode/Method SelectionUsing login_duo you can now look for passcodes or method selection in the DUO_PASSCODE environment variable, which is great for people writing scripts that need to login.
First, you’ll need to setup your SSH client to send the DUO_PASSCODE variable. The easiest way to do this is by editing the ~/.ssh/config entry for your host, and adding SendEnv DUO_PASSCODE.
Next, you’ll want to configure the server to accept the DUO_PASSCODE variable. On the server, edit sshd_config to add DUO_PASSCODE to the AcceptEnv line.
Once everything is configured, you can now specify a passcode or method in DUO_PASSCODE before logging in. You can do so with the env command and specifying a passcode or method.
env DUO_PASSCODE=123456 ssh david-devbox env DUO_PASSCODE=push ssh david-devbox
You can acquire Duo Unix from https://dl.duosecurity.com/duo_unix-latest.tar.gz and read more about it at /docs/duounix. Duo Unix is open-source and available on Github at https://github.com/duosecurity/duo_unix/. We welcome pull requests!