Can't find what you're looking for? Contact Sales or Contact Support.
Can't find what you're looking for? Contact Sales or Contact Support.
Duo can be easily added to any Unix system to protect remote (SSH) or local logins with the addition of a simple pam_duo PAM module. It has been tested on Linux (RedHat, Fedora, CentOS, Debian, Ubuntu, Amazon Linux), BSD (FreeBSD, NetBSD, OpenBSD), Solaris, HP-UX, and AIX. The code is open-source and available on GitHub.
Duo Unix with Pluggable Authentication Modules (PAM) support provides a secure and customizable method for protecting Unix and Linux logins. We recommend deploying the pam_duo module in most scenarios, but if you are unable to use PAM see our login_duo instructions.
Before starting:
This integration communicates with Duo's service on TCP port 443. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service's high availability.
pam_duo PrerequisitesOpenSSL development headers and libraries are required for pam_duo, as well as libpam. When compiling on SUSE/SLES, the zlib package is also necessary.
| Dependency | Platform | Installation |
|---|---|---|
| OpenSSL | FreeBSD, NetBSD | Installed by default |
| Debian, Ubuntu | apt-get install libssl-dev |
|
| Red Hat, Fedora, CentOS, Amazon Linux | yum install openssl-devel |
|
| SUSE/SLES | zypper install libopenssl-devel |
|
| Solaris | pkg install openssl |
|
| HP-UX, AIX | 3rd party packages or source build | |
| libpam | FreeBSD, NetBSD, Solaris, HP-UX, AIX | Installed by default |
| Debian, Ubuntu | apt-get install libpam-dev |
|
| Red Hat, Fedora, CentOS, Amazon Linux | yum install pam-devel |
|
| SUSE/SLES | zypper install pam-devel |
|
| zlib | SUSE/SLES | zypper install zlib-devel |
You also need a compiler like gcc installed on your system to build Duo Unix.
pam_duoOnce the required dependencies are built and installed, download, build, and install duo_unix.
Download and extract the latest version of duo_unix (checksum). Change to the extracted directory (note your actual extracted directory name reflects the actual version downloaded; the example syntax below references version 1.9.19).
$ wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
$ tar zxf duo_unix-latest.tar.gz
$ cd duo_unix-1.9.19
Build and install duo_unix with PAM support ( pam_duo).
$ ./configure --with-pam --prefix=/usr && make && sudo make installFor advanced build options, see the README file in the source tarball.
Once duo_unix is installed, edit /etc/duo/pam_duo.conf (in /etc/duo or /etc/security) to add the integration key, secret key, and API hostname from your Duo Unix application.
[duo]
; Duo integration key
ikey = INTEGRATION_KEY
; Duo secret key
skey = SECRET_KEY
; Duo API hostname
host = API_HOSTNAMEYou may also add optional Duo configuration options to pam_duo.conf. See the table in Duo Configuration Options for all available settings.
If you would like to use pam_duo with SSH public key authentication, make the following changes to your sshd_config file (usually in /etc or /etc/ssh).
This feature is only available with OpenSSH 6.2+, SSH protocol 2, and Duo Unix 1.9.15 or later.
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactiveWe recommend leaving a root shell open while making any changes to your PAM configuration, in order to prevent accidentally locking yourself out. Additionally, always make sure your PAM configuration works locally before testing it with SSH logins.
You'll need to modify your system's PAM configuration to include a line like the following:
auth required pam_duo.soDepending on your OS or architecture, the pam_duo.so module might be in /lib64/security instead of the default location /lib/security. If so, specify the full path to pam_duo.so in the PAM config file, such as /lib64/security/pam_duo.so.
The location of this line and the specified control flag (e.g. "required", "requisite", "sufficient") varies. For most common configurations, place pam_duo directly after pam_unix (frequently found in common-auth or system-auth on Linux), set pam_unix's control flag to "requisite", and set pam_duo's control flag to whatever pam_unix used to be.
If you want to use pam_duo with your installation of OpenSSH sshd, set both UsePAM and ChallengeResponseAuthentication to yes in your sshd_config file (usually
in /etc or /etc/ssh). You should also set UseDNS to no so that PAM Duo is always passed the IP address of the connecting user, rather than the resolved hostname.
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS noPAM configuration examples for common Linux systems:
Remember that you may need to specify the full path to pam_duo.so in the PAM config file, such as /lib64/security/pam_duo.so if the module is not in the default location /lib/security.
SSH Public Key Authentication
/etc/pam.d/sshd
Before:
#%PAM-1.0
auth include system-auth
After:
#%PAM-1.0
#auth include system-auth
auth required pam_env.so
auth sufficient pam_duo.so
auth required pam_deny.so
If you are running SELinux you must also update your policies to include authlogin_duo (run from the location where you built Duo Unix):
sudo make -C pam_duo semodule
sudo make -C pam_duo semodule-install
This allows sshd to make outgoing HTTP connections, which is required for Duo authentication to complete.
Verify that your SELinux configuration has been updated to include Duo:
$ semodule -l | grep duo
The semodule output show include
authlogin_duo 1.0
System-wide Authentication
/etc/pam.d/system-auth
Before:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.soAfter:
auth required pam_env.so
# auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.soSSH Public Key Authentication
/etc/pam.d/sshd
Before:
#%PAM-1.0
auth required pam_sepermit.so
auth include password-authAfter:
#%PAM-1.0
auth required pam_sepermit.so
#auth include password-auth
auth required pam_env.so
auth sufficient pam_duo.so
auth required pam_deny.soIf you are running SELinux you must also update your policies to include authlogin_duo (run from the location where you built Duo Unix):
sudo make -C pam_duo semodule
sudo make -C pam_duo semodule-install
This allows sshd to make outgoing HTTP connections, which is required for Duo authentication to complete.
Verify that your SELinux configuration has been updated to include Duo:
$ semodule -l | grep duo
The semodule output show include
authlogin_duo 1.0
System-wide Authentication
/etc/pam.d/system-auth
Before:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.soAfter:
auth required pam_env.so
# auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.soSSH Public Key Authentication
/etc/pam.d/sshd
Before:
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postloginAfter:
#%PAM-1.0
auth required pam_sepermit.so
#auth substack password-auth
auth required pam_env.so
auth sufficient pam_duo.so
auth required pam_deny.so
auth include postloginIf you are running SELinux you must also update your policies to include authlogin_duo (run from the location where you built Duo Unix):
sudo make -C pam_duo semodule
sudo make -C pam_duo semodule-install
This allows sshd to make outgoing HTTP connections, which is required for Duo authentication to complete.
Verify that your SELinux configuration has been updated to include Duo:
$ semodule -l | grep duo
The semodule output show include
authlogin_duo 1.0
System-wide Authentication
/etc/pam.d/system-auth
Before:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.soAfter:
auth required pam_env.so
# auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.soSSH Public Key Authentication
/etc/pam.d/sshd
Before:
@include common-authAfter:
#@include common-auth
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.soSystem-wide Authentication
/etc/pam.d/common-auth
Before:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.soAfter:
# auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.soSSH Public Key Authentication
/etc/pam.d/sshd
Before:
@include common-authAfter:
#@include common-auth
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.soSystem-wide Authentication
/etc/pam.d/common-auth
Before:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.soAfter:
# auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.soSSH Public Key Authentication
/etc/pam.d/sshd
Before:
@include common-authAfter:
#@include common-auth
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.soSystem-wide Authentication
/etc/pam.d/common-auth
Before:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.soAfter:
# auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.soSSH Public Key Authentication
/etc/pam.d/sshd
Before:
#%PAM-1.0
auth include system-authAfter:
#%PAM-1.0
#auth include system-auth
auth required pam_env.so
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.soIf you are running SELinux you must also update your policies to include authlogin_duo (run from the location where you built Duo Unix):
sudo make -C pam_duo semodule
sudo make -C pam_duo semodule-install
This allows sshd to make outgoing HTTP connections, which is required for Duo authentication to complete.
Verify that your SELinux configuration has been updated to include Duo:
$ semodule -l | grep duo
The semodule output show include
authlogin_duo 1.0
System-wide Authentication
/etc/pam.d/system-auth
Before:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.soAfter:
auth required pam_env.so
# auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.soSSH Public Key Authentication
/etc/pam.d/sshd
Before:
#%PAM-1.0
auth required pam_sepermit.so
auth include password-authAfter:
#%PAM-1.0
auth required pam_sepermit.so
#auth include password-auth
auth required pam_env.so
auth sufficient pam_duo.so
auth required pam_deny.soIf you are running SELinux you must also update your policies to include authlogin_duo (run from the location where you built Duo Unix):
sudo make -C pam_duo semodule
sudo make -C pam_duo semodule-install
This allows sshd to make outgoing HTTP connections, which is required for Duo authentication to complete.
Verify that your SELinux configuration has been updated to include Duo:
$ semodule -l | grep duo
The semodule output show include
authlogin_duo 1.0
System-wide Authentication
/etc/pam.d/system-auth
Before:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.soAfter:
auth required pam_env.so
# auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.soSSH Public Key Authentication
/etc/pam.d/sshd
Before:
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postloginAfter:
#%PAM-1.0
auth required pam_sepermit.so
#auth substack password-auth
auth required pam_env.so
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
auth include postloginIf you are running SELinux you must also update your policies to include authlogin_duo (run from the location where you built Duo Unix):
sudo make -C pam_duo semodule
sudo make -C pam_duo semodule-install
This allows sshd to make outgoing HTTP connections, which is required for Duo authentication to complete.
Verify that your SELinux configuration has been updated to include Duo:
$ semodule -l | grep duo
The semodule output show include
authlogin_duo 1.0
System-wide Authentication
/etc/pam.d/system-auth
Before:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.soAfter:
auth required pam_env.so
# auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.soSSH Public Key Authentication
/etc/pam.d/sshd
Before:
@include common-authAfter:
#@include common-auth
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.soSystem-wide Authentication
/etc/pam.d/common-auth
Before:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.soAfter:
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.soSSH Public Key Authentication
/etc/pam.d/sshd
Before:
@include common-authAfter:
#@include common-auth
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.soSystem-wide Authentication
/etc/pam.d/common-auth
Before:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.soAfter:
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.soSSH Public Key Authentication
/etc/pam.d/sshd
Before:
@include common-authAfter:
#@include common-auth
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.soSystem-wide Authentication
/etc/pam.d/common-auth
Before:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.soAfter:
#auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.soAmazon Linux
/etc/pam.d/system-auth
Before:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.soAfter:
auth required pam_env.so
# auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.soSSH Public Key Authentication
/etc/pam.d/sshd
Before:
auth required pam_sepermit.so
auth substack password-authAfter:
auth required pam_sepermit.so
# auth substack password-auth
auth required pam_duo.soFreeBSD
/etc/pam.d/system
Before:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
# auth sufficient pam_krb5.so no_warn try_first_pass
# auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullokAfter:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
# auth sufficient pam_krb5.so no_warn try_first_pass
# auth sufficient pam_ssh.so no_warn try_first_pass
# auth required pam_unix.so no_warn try_first_pass nullok
auth requisite pam_unix.so no_warn try_first_pass nullok
auth requisite pam_duo.soSSH Public Key Authentication
/etc/pam.d/sshd
Before:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
# auth sufficient pam_krb5.so no_warn try_first_pass
# auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_passAfter:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
# auth sufficient pam_krb5.so no_warn try_first_pass
# auth sufficient pam_ssh.so no_warn try_first_pass
# auth required pam_unix.so no_warn try_first_pass
auth required pam_duo.sopam_duoSSH into your newly configured system. If everything is set up correctly, you'll be given an enrollment link:
Copy the enrollment link and paste it into a web browser to complete Duo's enrollment process. After enrolling your authentication device with Duo you'll receive the prompt for additional verification the next time you ssh into your system.
Choose your authentication method and approve the request using your phone or other device.
To more easily install and maintain Duo Unix deployments, we've built Linux packages for a variety of popular distributions. These packages are tested against the specific listed versions of their respective distributions. Please test all packages thoroughly prior to deploying them into your environment to ensure a great experience.
CentOS
Tested against 5.11 32/64-bit, 6.7 32/64-bit, and 7.1 64-bit
Create /etc/yum.repos.d/duosecurity.repo with the following contents:
[duosecurity]
name=Duo Security Repository
baseurl=http://pkg.duosecurity.com/CentOS/$releasever/$basearch
enabled=1
gpgcheck=1Execute the following shell commands:
# rpm --import https://duo.com/RPM-GPG-KEY-DUO
# yum install duo_unix
Ubuntu
Tested against 12.04.5 32/64-bit, 14.04.3 32/64-bit, and 16.04 32/64-bit
Create /etc/apt/sources.list.d/duosecurity.list with the following contents:
deb http://pkg.duosecurity.com/Ubuntu precise mainor
deb http://pkg.duosecurity.com/Ubuntu trusty mainor
deb http://pkg.duosecurity.com/Ubuntu xenial mainExecute the following shell commands:
# curl -s https://duo.com/APT-GPG-KEY-DUO | sudo apt-key add -
# apt-get update && apt-get install duo-unix
Red Hat Enterprise Linux
Tested against 5.10 32/64-bit, 6.4 32/64-bit, and 7.0 64-bit
Create /etc/yum.repos.d/duosecurity.repo with the following contents:
[duosecurity]
name=Duo Security Repository
baseurl=http://pkg.duosecurity.com/RedHat/$releasever/$basearch
enabled=1
gpgcheck=1Execute the following shell commands:
# rpm --import https://duo.com/RPM-GPG-KEY-DUO
# yum install duo_unix
Debian
Tested against 6.0.10 32/64-bit, 7.9 32/64-bit, and 8.2 32/64-bit
Create /etc/apt/sources.list.d/duosecurity.list with the following contents:
deb http://pkg.duosecurity.com/Debian squeeze mainor
deb http://pkg.duosecurity.com/Debian wheezy mainor
deb http://pkg.duosecurity.com/Debian jessie mainExecute the following shell commands:
# curl -s https://duo.com/APT-GPG-KEY-DUO | sudo apt-key add -
# apt-get update && apt-get install duo-unix
For environments that utilize Puppet we offer a module to deploy and manage Duo Unix. This module will handle configuration of our Linux package repositories, package installation, and configuration of either login_duo or pam_duo. If you'd like to contribute to its development, please visit our Github project page.
To install the module for deployment:
# puppet module install duosecurity/duo_unixPlease be sure to view the README for details on configuration options and example usage.
Need some help? Take a look at the Duo UNIX or try searching our Knowledge Base. For further assistance, contact Support.
The pam_duo.conf configuration files use the INI format. It can take the following options:
| Key | Required? | Description |
|---|---|---|
ikey
|
Required |
Your integration key {{ if get:ikey }}( |
skey
|
Required | Your secret key |
host
|
Required |
Your API hostname ({{ if get:host }}api-XXXXXXXX.duosecurity.com
|
groups
|
Optional |
If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern lists. A pattern consists of zero or more non-whitespace characters, " A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark ("
|
failmode
|
Optional |
On service or configuration errors that prevent Duo authentication, fail "safe" (allow access) or "secure" (deny access). The default is "safe". |
pushinfo
|
Optional |
Include information such as the command to be executed in the Duo Push message. Either "yes" or "no". The default is "no". |
http_proxy
|
Optional |
Use the specified HTTP proxy, same format as the |
autopush
|
Optional |
Either "yes" or "no". Default is "no". If "yes", Duo Unix will automatically send a push login request to the user's phone, falling back on a phone call if push is unavailable. If "no", the user will be prompted to choose an authentication method. When configured with |
motd
|
Optional |
Print the contents of This option is only available for |
prompts
|
Optional |
If a user fails to authenticate with a second factor, Duo Unix will prompt the user to authenticate again. This option sets the maximum number of prompts that Duo Unix will display before denying access. Must be 1, 2, or 3. Default is 3. For example, when When configured with |
accept_env_factor
|
Optional |
Look for factor selection or passcode in the The SSH client will need Default is This option is only available for |
fallback_local_ip
|
Optional |
Duo Unix reports the IP address of the authorizing user, for the purposes of authorization and whitelisting. If Duo Unix cannot detect the IP address of the client, setting If you are using IP whitelisting ([Trusted Networks](/docs/trusted_devices#configuring-trusted-networks)), enabling this option could cause unauthorized logins if the local IP is listed in the whitelist. |
https_timeout
|
Optional |
Set to the number of seconds to wait for HTTPS responses from Duo Security. If Duo Security takes longer than the configured number of seconds to respond to the preauth API call, the configured failmode is triggered. Other network operations such as DNS resolution, TCP connection establishment, and the SSL handshake have their own independent timeout and retry logic. Default is 0, which disables the HTTPS timeout. |
Example configuration file with additional options:
[duo]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=X1hXztPX1rb1X71x1wXkpnmXXvqXXXqqj1XoXbbXu
host=api-xxxxxxxx.duosecurity.com
pushinfo=yes
autopush=yes
For more information, see the man page for login_duo.
