Skip navigation
About Duo
Blog
Careers   Now Hiring!
Admin Login
Documentation

Duo Unix - Two-Factor Authentication for SSH with PAM Support (pam_duo)

Last Updated: November 30th, 2021

Contents

Related

Duo can be easily added to any Unix system to protect remote (SSH) or local logins with the addition of a simple pam_duo PAM module. It has been tested on Linux (RedHat, Fedora, CentOS, Debian, Ubuntu, Amazon Linux), BSD (FreeBSD, NetBSD, OpenBSD), Solaris, and AIX. The code is open-source and available on GitHub.

Duo Network Gateway provides SSH access to internal hosts without a VPN or jump host with trusted endpoint detection and session awareness. Learn more.

Overview

Duo Unix with Pluggable Authentication Modules (PAM) support provides a secure and customizable method for protecting Unix and Linux logins. We recommend deploying the pam_duo module in most scenarios, but if you are unable to use PAM see our login_duo instructions.

Connectivity Requirements

This application communicates with Duo's service on TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review this Duo KB article.

FIPS Support

Duo Unix is FIPS-compliant as of version 1.10.4 when run on any machine that has an operating system-wide FIPS mode (like Centos/RedHat 7, Ubuntu 16.04, etc.). No additional flags or options are required.

Walkthrough Video

 

First Steps

Before moving on to the deployment steps, it's a good idea to familiarize yourself with Duo administration concepts and features like options for applications, available methods for enrolling Duo users, and Duo policy settings and how to apply them. See all Duo Administrator documentation.

Then you'll need to:

  1. Sign up for a Duo account.
  2. Log in to the Duo Admin Panel and navigate to Applications.
  3. Click Protect an Application and locate UNIX Application in the applications list. Click Protect to get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information about protecting applications in Duo and additional application options.
  4. If you plan to build Duo Unix from source, download the latest version of the duo_unix tarball (view checksum). From the command line you can use curl or wget to download the file, like $ wget --content-disposition https://dl.duosecurity.com/duo_unix-latest.tar.gz.
Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Build and Install from Source

Install pam_duo Prerequisites

OpenSSL development headers and libraries are required for pam_duo, as well as libpam. When compiling on SUSE/SLES, the zlib package is also necessary.

Dependency Platform Installation
OpenSSL FreeBSD, NetBSD Installed by default
Debian, Ubuntu apt-get install libssl-dev
Red Hat, Fedora, CentOS, Amazon Linux yum install openssl-devel
SUSE/SLES zypper install libopenssl-devel
Solaris pkg install openssl
AIX 3rd party packages or source build
libpam FreeBSD, NetBSD, Solaris, AIX Installed by default
Debian, Ubuntu apt-get install libpam-dev
Red Hat, Fedora, CentOS, Amazon Linux yum install pam-devel
SUSE/SLES zypper install pam-devel
selinux-policy-devel CentOS 7 & 8, Red Hat 7 & 8 (if using SELinux) yum install selinux-policy-devel
bzip2 CentOS 7 & 8, Red Hat 7 & 8 (if using SELinux) yum install bzip2
zlib SUSE/SLES zypper install zlib-devel

You also need a compiler like gcc installed on your system to build Duo Unix.

Install pam_duo

Once the required dependencies are built and installed, build and install duo_unix.

  1. Extract the downloaded tarball for duo_unix and change to the extracted directory (note your actual extracted directory name reflects the actual version downloaded; the example syntax below references version 1.11.5). View checksums for Duo downloads here.

    $ tar zxf duo_unix-latest.tar.gz
$ cd duo_unix-1.11.5

  2. Build and install duo_unix with PAM support ( pam_duo).

    $ ./configure --with-pam --prefix=/usr && make && sudo make install

    For advanced build options, see the README file in the source tarball.

  3. Once installed, proceed to Duo configuration.

Install from Linux Packages

To more easily install and maintain Duo Unix deployments, we've built Linux packages for some popular Linux distributions. Duo tests these packages against the specific listed versions of their respective distributions. Please test all packages thoroughly prior to deploying them into your environment to ensure a great experience.

When installing Duo Unix from packages, there is no need to also install the build-from-source prerequisites on the target systems.

To download the packages, you'll need Duo's GPG key. The GPG key verifies the Duo Unix package for currently supported OS distributions and versions.

We updated the Duo GPG key for packages on supported distros on May 18, 2020. If you installed Duo Unix from packages before May 2020, be sure to update your previously imported GPG key using command for your distro the before the next time you install or upgrade Duo Unix.

The current Duo GPG key expires in May 2030.

OS distributions identified as no longer supported in the distro-specific packages sections use a previous GPG key. We won't replace or update the GPG key on these EOL versions when it expires, and urge you to update to a supported OS.

CentOS

Tested against 8.0 64-bit and 7.1 64-bit

IMPORTANT:

  • Centos 5 reached end of life on March 31, 2017. Duo Unix 1.11.0 was the last release with CentOS 5 support.

  • Centos 6 reached end of life on November 30, 2020. Duo Unix 1.11.4 was the last release with CentOS 6 support.

Create /etc/yum.repos.d/duosecurity.repo with the following contents:

[duosecurity]
name=Duo Security Repository
baseurl=https://pkg.duosecurity.com/CentOS/$releasever/$basearch
enabled=1
gpgcheck=1

Execute the following shell commands for Centos 7 and later:

# rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc
# yum install duo_unix

Ubuntu

Tested against 20.04 focal 64-bit, 18.04 bionic 64-bit, 16.04 xenial 32/64-bit, and 14.04.3 trusty 32/64-bit.

IMPORTANT: Ubuntu 12.04 reached end of life in April 2017. Duo Unix 1.11.3 was the last release with Ubuntu 12.04 support.

Create /etc/apt/sources.list.d/duosecurity.list with the following contents:

deb https://pkg.duosecurity.com/Ubuntu trusty main

or

deb https://pkg.duosecurity.com/Ubuntu xenial main

or

deb [arch=amd64] https://pkg.duosecurity.com/Ubuntu bionic main

or

deb [arch=amd64] https://pkg.duosecurity.com/Ubuntu focal main

Execute the following shell commands for Ubuntu 14.04 and later:

# curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -
# apt-get update && apt-get install duo-unix

Red Hat Enterprise Linux

Tested against 8.0 64-bit, 7.0 64-bit, and 6.4 32/64-bit.

IMPORTANT: Red Hat 5 reached full end of life on November 30, 2020. Duo Unix 1.11.0 was the last release with Red Hat 5 support.

Create /etc/yum.repos.d/duosecurity.repo with the following contents:

[duosecurity]
name=Duo Security Repository
baseurl=https://pkg.duosecurity.com/RedHat/$releasever/$basearch
enabled=1
gpgcheck=1

Execute the following shell commands for Red Hat 6 and later:

# rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc
# yum install duo_unix

Debian

Tested against 11.0 32/64-bit, 10.0 32/64-bit, 9.5 32/64-bit.

IMPORTANT:

  • Debian 6 reached end of life on May 31, 2015. Duo Unix 1.9.18 was the last release with Debian 6 support.

  • Debian 7 reached end of life on April 26, 2016. Duo Unix 1.11.1 was the last release with Debian 7 support.

  • Debian 8 reached end of life on June 30, 2020. Duo Unix 1.11.4 was the last release with Debian 8 support.

Create /etc/apt/sources.list.d/duosecurity.list with the following contents:

deb https://pkg.duosecurity.com/Debian stretch main

or

deb https://pkg.duosecurity.com/Debian buster main

or

deb https://pkg.duosecurity.com/Debian bullseye main

Execute the following shell commands for Debian 9 and later:

# curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -
# apt-get update && apt-get install duo-unix

Once the Duo Unix package is installed, proceed to Duo configuration.

Duo Configuration

The pam_duo.conf configuration file uses the INI format.

Once duo_unix is installed, edit pam_duo.conf (in /etc/duo or /etc/security) to add the integration key, secret key, and API hostname from your Duo Unix application.

You may also add optional Duo configuration options to pam_duo.conf. See the table below for all available settings.

Example configuration file with additional options:

[duo]
; Duo integration key
ikey = INTEGRATION_KEY
; Duo secret key
skey = SECRET_KEY
; Duo API hostname
host = API_HOSTNAME
pushinfo=yes
autopush=yes

Duo Configuration Options

Key Required? Description
ikey Required Your integration key
skey Required Your secret key
host Required Your API hostname i.e. api-XXXXXXXX.duosecurity.com
groups Optional

If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern lists.

A pattern consists of zero or more non-whitespace characters, "*" (a wild card that matches zero or more characters), or "?" (a wildcard that matches exactly one character).

A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark ("!"). For example, to specify Duo authentication for all users (except those that are also admins), and for guests:

groups=users,!wheel,!*admin guests
failmode Optional

On service or configuration errors that prevent Duo authentication, fail "safe" (allow access) or "secure" (deny access). The default is "safe".
pushinfo Optional

Include information such as the command to be executed in the Duo Push message. Either "yes" or "no". The default is "no".
http_proxy Optional

Use the specified HTTP proxy. If the HTTP proxy requires authentication, include the credentials in the proxy URL. Example format: 

http_proxy=http://username:password@proxy.example.org:8080
autopush Optional

Either "yes" or "no". Default is "no". If "yes", Duo Unix will automatically send a push login request to the user's phone, falling back on a phone call if push is unavailable. Note that this effectively disables passcode authentication. If "no", the user will be prompted to choose an authentication method.

When configured with autopush = yes, we recommend setting prompts = 1.
motd Optional

Print the contents of /etc/motd to screen after a successful login. Either "yes" or "no". The default is "no".

This option is only available for login_duo.
prompts Optional

If a user fails to authenticate with a second factor, Duo Unix will prompt the user to authenticate again. This option sets the maximum number of prompts that Duo Unix will display before denying access. Must be 1, 2, or 3. Default is 3.

For example, when prompts = 1, the user will have to successfully authenticate on the first prompt, whereas if prompts = 2, if the user enters incorrect information at the initial prompt, he/she will be prompted to authenticate again.

When configured with autopush = yes, we recommend setting prompts = 1.
accept_env_factor Optional

Look for factor selection or passcode in the $DUO_PASSCODE environment variable before prompting the user for input. When $DUO_PASSCODE is non-empty, it will override autopush.

The SSH client will need SendEnv DUO_PASSCODE in its configuration, and the SSH server will similarly need AcceptEnv DUO_PASSCODE.

Default is "no".

This option is only available for login_duo.
fallback_local_ip Optional

Duo Unix reports the IP address of the authorizing user, for the purposes of authorization and network allow/deny. If Duo Unix cannot detect the IP address of the client, setting fallback_local_ip = yes will cause Duo Unix to send the IP address of the server it is running on.

If you are using Authorized Networks, enabling this option could cause unauthorized logins if the local IP is listed in the allow list.
https_timeout Optional

Set to the number of seconds to wait for HTTPS responses from Duo Security. If Duo Security takes longer than the configured number of seconds to respond to the preauth API call, the configured failmode is triggered. Other network operations such as DNS resolution, TCP connection establishment, and the SSL handshake have their own independent timeout and retry logic.

Default is 0, which disables the HTTPS timeout.

If you specify an https_timeout value for Duo Unix, be sure that you do not set a conflicting socket timeout.
send_gecos Optional

Sends the entire GECOS field as the Duo username.

Default is "no"; the GECOS field is not used or parsed.

If you specify gecos_username_pos and gecos_delim, this setting is ignored.
gecos_username_pos Optional

Specify this option to select what position from the GECOS field will be used as the username. Positions are separated by whatever you specify in gecos_delim or the default delimiter, a comma (,).

For example, if the /etc/passwd entry for a user is:

test_user:x:UID:GID:gecos1,gecos2,gecos3:/home/test_user:/bin/bash

Then setting gecos_username_pos=2 sends gecos2 as the Duo username.

If not configured, the GECOS field is not parsed for the username.

Overrides send_gecos, if set.
gecos_delim Optional

Specify this option to change the default value of the GECOS delimiter from a comma to another character. The new delimiter specified must be exactly one character, and must a valid punctuation character other than a colon (:).

For example, if the /etc/passwd entry for a user is:

test_user:x:UID:GID:gecos1/gecos2/gecos3:/home/test_user:/bin/bash

Then setting gecos_username_pos=3 and gecos_delim=/ sends gecos3 as the Duo username.

If not configured, the default comma (,) GECOS field delimiter is used.

For more information, see the man page for pam_duo.

System Configuration

We recommend leaving a root shell open while making any changes to your PAM or sshd configuration, in order to prevent accidentally locking yourself out. Additionally, always make sure your PAM configuration works locally before testing it with SSH logins.

Public Key Authentication

If you would like to use pam_duo with SSH public key authentication, make the following changes to your sshd_config file (usually in /etc or /etc/ssh).

This feature is only available with OpenSSH 6.2+, SSH protocol 2, and Duo Unix 1.9.15 or later.

PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive

PAM Configuration

You'll need to modify your system's PAM configuration to include a line like the following:

auth required pam_duo.so

Depending on your OS or architecture, the pam_duo.so module might be in /lib64/security instead of the default location /lib/security. If so, specify the full path to pam_duo.so in the PAM config file, such as /lib64/security/pam_duo.so.

The location of this line and the specified control flag (e.g. "required", "requisite", "sufficient") varies. For most common configurations, place pam_duo directly after pam_unix (frequently found in common-auth or system-auth on Linux), set pam_unix's control flag to "requisite", and set pam_duo's control flag to whatever pam_unix used to be.

If you want to use pam_duo with your installation of OpenSSH sshd, set both UsePAM and ChallengeResponseAuthentication to yes in your sshd_config file (usually in /etc or /etc/ssh). You should also set UseDNS to no so that PAM Duo is always passed the IP address of the connecting user, rather than the resolved hostname.

UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no

Be sure to restart the SSH service after making edits to sshd and sshd_config to apply the updated configuration with Duo.

PAM Examples

PAM configuration examples for common Linux systems:

Remember that you may need to specify the full path to pam_duo.so in the PAM config file, such as /lib64/security/pam_duo.so if the module is not in the default location /lib/security.

Note: Running authconfig after editing your PAM config files will overwrite your changes. Do not run authconfig once you edit your PAM files to add Duo.

If you must preserve your ability to run authconfig in the future, use the symbolic link method described in the "Keeping Custom Settings with authconfig" topic in section 4.1.2 of the Red Hat Security Guide.

CentOS 8

System-wide Authentication

/etc/pam.d/system-auth

Before:

auth  required pam_env.so
auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite pam_succeed_if.so uid >= 500 quiet
auth  required pam_deny.so

After:

auth  required pam_env.so
# auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite pam_unix.so nullok try_first_pass
auth  sufficient pam_duo.so
auth  requisite pam_succeed_if.so uid >= 500 quiet
auth  required pam_deny.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

#%PAM-1.0
auth  required pam_sepermit.so
auth  substack password-auth
auth  include postlogin

After:

#%PAM-1.0
auth  required pam_sepermit.so
#auth  substack password-auth
auth  required pam_env.so
auth  sufficient pam_duo.so
auth  required pam_deny.so
auth  include postlogin
SELinux

If SELinux is blocking pam_duo from contacting Duo's service then it will invoke the your configured failmode (either safe or secure) and not show a Duo prompt.

If you are running SELinux you must install the selinux-policy-devel prerequisite package and also update your policies to include authlogin_duo (run from the location where you built Duo Unix):

sudo make -C pam_duo semodule
sudo make -C pam_duo semodule-install

This allows sshd to make outgoing HTTP connections, which is required for Duo authentication to complete.

Verify that your SELinux configuration has been updated to include Duo:

$ semodule -l | grep duo

The semodule output should include:

authlogin_duo

There are two adjustable tunables:

pam_duo_permit_local_login allows local logins to use pam_duo (off by default)

pam_duo_permit_sshd allows sshd to use pam_duo (on by default)

To turn on and off the tunables:

sudo setsebool -P pam_duo_permit_sshd on/off
sudo setsebool -P pam_duo_permit_local_login on/off

The -P flag causes the boolean to persist through server restarts.

Note: If the nis_enabled tunable is on then regardless of the value of pam_duo_permit_sshd pam_duo will always be able to access Duo via ssh.

CentOS 7

System-wide Authentication

/etc/pam.d/system-auth

Before:

auth  required pam_env.so
auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite pam_succeed_if.so uid >= 500 quiet
auth  required pam_deny.so

After:

auth  required pam_env.so
# auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite pam_unix.so nullok try_first_pass
auth  sufficient pam_duo.so
auth  requisite pam_succeed_if.so uid >= 500 quiet
auth  required pam_deny.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

#%PAM-1.0
auth  required pam_sepermit.so
auth  substack password-auth
auth  include postlogin

After:

#%PAM-1.0
auth  required pam_sepermit.so
#auth  substack password-auth
auth  required pam_env.so
auth  sufficient pam_duo.so
auth  required pam_deny.so
auth  include postlogin
SELinux

If SELinux is blocking pam_duo from contacting Duo's service then it will invoke the your configured failmode (either safe or secure) and not show a Duo prompt.

If you are running SELinux you must install the selinux-policy-devel prerequisite package and also update your policies to include authlogin_duo (run from the location where you built Duo Unix):

sudo make -C pam_duo semodule
sudo make -C pam_duo semodule-install

This allows sshd to make outgoing HTTP connections, which is required for Duo authentication to complete.

Verify that your SELinux configuration has been updated to include Duo:

$ semodule -l | grep duo

The semodule output should include (depending on your specific v7 version):

authlogin_duo   2.1.0

or

authlogin_duo

There are two adjustable tunables:

pam_duo_permit_local_login allows local logins to use pam_duo (off by default)

pam_duo_permit_sshd allows sshd to use pam_duo (on by default)

To turn on and off the tunables:

sudo setsebool -P pam_duo_permit_sshd on/off
sudo setsebool -P pam_duo_permit_local_login on/off

The -P flag causes the boolean to persist through server restarts.

Note: If the nis_enabled tunable is on then regardless of the value of pam_duo_permit_sshd pam_duo will always be able to access Duo via ssh.

CentOS 6

System-wide Authentication

/etc/pam.d/system-auth

Before:

auth  required pam_env.so
auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite pam_succeed_if.so uid >= 500 quiet
auth  required pam_deny.so

After:

auth  required pam_env.so
# auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite pam_unix.so nullok try_first_pass
auth  sufficient pam_duo.so
auth  requisite pam_succeed_if.so uid >= 500 quiet
auth  required pam_deny.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

#%PAM-1.0
auth  required pam_sepermit.so
auth  include password-auth

After:

#%PAM-1.0
auth  required pam_sepermit.so
#auth  include password-auth
auth  required pam_env.so
auth  sufficient pam_duo.so
auth  required pam_deny.so
SELinux

If SELinux is blocking pam_duo from contacting Duo's service then it will invoke the your configured failmode (either safe or secure) and not show a Duo prompt.

If you are running SELinux you must also update your policies to include authlogin_duo (run from the location where you built Duo Unix):

sudo make -C pam_duo semodule
sudo make -C pam_duo semodule-install

This allows sshd to make outgoing HTTP connections, which is required for Duo authentication to complete.

Verify that your SELinux configuration has been updated to include Duo:

$ semodule -l | grep duo

The semodule output should include:

authlogin_duo   2.1.0

pam_duo_permit_local_login is a tunable that allows users to use pam_duo with local logins (off by default).

To turn on or off tunable:

sudo setsebool -P pam_duo_permit_local_login on/off

The -P flag causes the boolean to persist through server restarts.

The tunable pam_duo_permit_sshd has no effect. The default SELinux policy allows sshd to use tcp ports so turning this tunable off will not block pam_duo via ssh.

CentOS 5

IMPORTANT: Centos 5 reached end of life on March 31, 2017. Duo Unix 1.11.0 was the last release with CentOS 5 support.

Ubuntu 20.04

System-wide Authentication

/etc/pam.d/common-auth

Before:

auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_deny.so
auth  required pam_permit.so

After:

# auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_unix.so nullok_secure
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

@include common-auth

After:

#@include common-auth
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

Ubuntu 18.04

System-wide Authentication

/etc/pam.d/common-auth

Before:

auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_deny.so
auth  required pam_permit.so

After:

# auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_unix.so nullok_secure
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

@include common-auth

After:

#@include common-auth
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

Ubuntu 16.04

System-wide Authentication

/etc/pam.d/common-auth

Before:

auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_deny.so
auth  required pam_permit.so

After:

# auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_unix.so nullok_secure
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

@include common-auth

After:

#@include common-auth
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

Ubuntu 14.04

System-wide Authentication

/etc/pam.d/common-auth

Before:

auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_deny.so

After:

# auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_unix.so nullok_secure
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

@include common-auth

After:

#@include common-auth
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so
auth  optional pam_cap.so

Ubuntu 12.04

IMPORTANT: Ubuntu 12.04 reached end of life in April 2017. Duo Unix 1.11.3 was the last release with Ubuntu 12.04 support.

Note: Running authconfig after editing your PAM config files will overwrite your changes. Do not run authconfig once you edit your PAM files to add Duo.

If you must preserve your ability to run authconfig in the future, use the symbolic link method described in the "Keeping Custom Settings with authconfig" topic in section 4.1.2 of the Red Hat Security Guide.

Red Hat Enterprise Linux 8

System-wide Authentication

/etc/pam.d/system-auth

Before:

auth  required pam_env.so
auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite pam_succeed_if.so uid >= 1000 quiet_success
auth  required pam_deny.so

After:

auth  required pam_env.so
# auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite pam_unix.so nullok try_first_pass
auth  sufficient pam_duo.so
auth  requisite pam_succeed_if.so uid >= 1000 quiet_success
auth  required pam_deny.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

#%PAM-1.0
auth  required pam_sepermit.so
auth  substack password-auth
auth  include postlogin

After:

#%PAM-1.0
auth  required pam_sepermit.so
#auth  substack password-auth
auth  required pam_env.so
auth  sufficient pam_duo.so
auth  requisite pam_succeed_if.so uid >= 1000 quiet_success
auth  required pam_deny.so
auth  include postlogin
SELinux

If SELinux is blocking pam_duo from contacting Duo's service then it will invoke the your configured failmode (either safe or secure) and not show a Duo prompt.

If you are running SELinux you must install the selinux-policy-devel prerequisite package and also update your policies to include authlogin_duo (run from the location where you built Duo Unix):

sudo make -C pam_duo semodule
sudo make -C pam_duo semodule-install

This allows sshd to make outgoing HTTP connections, which is required for Duo authentication to complete.

Verify that your SELinux configuration has been updated to include Duo:

$ semodule -l | grep duo

The semodule output should include:

authlogin_duo

There are two adjustable tunables:

pam_duo_permit_local_login allows local logins to use pam_duo (off by default)

pam_duo_permit_sshd allows sshd to use pam_duo (on by default)

To turn on and off the tunables:

sudo setsebool -P pam_duo_permit_sshd on/off
sudo setsebool -P pam_duo_permit_local_login on/off

The -P flag causes the boolean to persist through server restarts.

Note: If the nis_enabled tunable is on then regardless of the value of pam_duo_permit_sshd pam_duo will always be able to access Duo via ssh.

Red Hat Enterprise Linux 7

System-wide Authentication

/etc/pam.d/system-auth

Before:

auth  required pam_env.so
auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite pam_succeed_if.so uid >= 1000 quiet_success
auth  required pam_deny.so

After:

auth  required pam_env.so
# auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite pam_unix.so nullok try_first_pass
auth  sufficient pam_duo.so
auth  requisite pam_succeed_if.so uid >= 1000 quiet_success
auth  required pam_deny.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

#%PAM-1.0
auth  required pam_sepermit.so
auth  substack password-auth
auth  include postlogin

After:

#%PAM-1.0
auth  required pam_sepermit.so
#auth  substack password-auth
auth  required pam_env.so
auth  sufficient pam_duo.so
auth  requisite pam_succeed_if.so uid >= 1000 quiet_success
auth  required pam_deny.so
auth  include postlogin
SELinux

If SELinux is blocking pam_duo from contacting Duo's service then it will invoke the your configured failmode (either safe or secure) and not show a Duo prompt.

If you are running SELinux you must install the selinux-policy-devel prerequisite package and also update your policies to include authlogin_duo (run from the location where you built Duo Unix):

sudo make -C pam_duo semodule
sudo make -C pam_duo semodule-install

This allows sshd to make outgoing HTTP connections, which is required for Duo authentication to complete.

Verify that your SELinux configuration has been updated to include Duo:

$ semodule -l | grep duo

The semodule output should include (depending on your specific v7 version):

authlogin_duo   2.1.0

or

authlogin_duo

There are two adjustable tunables:

pam_duo_permit_local_login allows local logins to use pam_duo (off by default)

pam_duo_permit_sshd allows sshd to use pam_duo (on by default)

To turn on and off the tunables:

sudo setsebool -P pam_duo_permit_sshd on/off
sudo setsebool -P pam_duo_permit_local_login on/off

The -P flag causes the boolean to persist through server restarts.

Note: If the nis_enabled tunable is on then regardless of the value of pam_duo_permit_sshd pam_duo will always be able to access Duo via ssh.

Red Hat Enterprise Linux 6

System-wide Authentication

/etc/pam.d/system-auth

Before:

auth  required pam_env.so
auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite pam_succeed_if.so uid >= 1000 quiet_success
auth  required pam_deny.so

After:

auth  required pam_env.so
# auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite pam_unix.so nullok try_first_pass
auth  sufficient pam_duo.so
auth  requisite pam_succeed_if.so uid >= 1000 quiet_success
auth  required pam_deny.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

#%PAM-1.0
auth  required pam_sepermit.so
auth  include password-auth

After:

#%PAM-1.0
auth  required pam_sepermit.so
#auth  include password-auth
auth  required pam_env.so
auth  sufficient pam_duo.so
auth  required pam_deny.so
SELinux

If SELinux is blocking pam_duo from contacting Duo's service then it will invoke the your configured failmode (either safe or secure) and not show a Duo prompt.

If you are running SELinux you must also update your policies to include authlogin_duo (run from the location where you built Duo Unix):

sudo make -C pam_duo semodule
sudo make -C pam_duo semodule-install

This allows sshd to make outgoing HTTP connections, which is required for Duo authentication to complete.

Verify that your SELinux configuration has been updated to include Duo:

$ semodule -l | grep duo

The semodule output should include:

authlogin_duo   2.1.0

pam_duo_permit_local_login is a tunable that allows users to use pam_duo with local logins (off by default).

To turn on or off tunable:

sudo setsebool -P pam_duo_permit_local_login on/off

The -P flag causes the boolean to persist through server restarts.

The tunable pam_duo_permit_sshd has no effect. The default SELinux policy allows sshd to use tcp ports so turning this tunable off will not block pam_duo via ssh.

Red Hat Enterprise Linux 5

IMPORTANT: Red Hat 5 reached full end of life on November 30, 2020. Duo Unix 1.11.0 was the last release with Red Hat 5 support.

Debian 11

System-wide Authentication

/etc/pam.d/common-auth

Before:

auth  [success=1 default=ignore] pam_unix.so nullok
auth  requisite pam_deny.so
auth  required pam_permit.so

After:

#auth  [success=1 default=ignore]  pam_unix.so nullok
auth  [success=2 default=ignore]  pam_unix.so nullok
auth  sufficient /lib64/security/pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

@include common-auth

After:

#@include common-auth
auth  required pam_unix.so
auth  sufficient /lib64/security/pam_duo.so
auth required pam_deny.so

Debian 10

System-wide Authentication

/etc/pam.d/common-auth

Before:

auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_deny.so
auth  required pam_permit.so

After:

#auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_unix.so nullok_secure
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

@include common-auth

After:

#@include common-auth
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

Debian 9

System-wide Authentication

/etc/pam.d/common-auth

Before:

auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_deny.so
auth  required pam_permit.so

After:

#auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_unix.so nullok_secure
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

@include common-auth

After:

#@include common-auth
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

Debian 8

IMPORTANT: Debian 8 reached end of life on June 30, 2020. Duo Unix 1.11.4 was the last release with Debian 8 support.

System-wide Authentication

/etc/pam.d/common-auth

Before:

auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_deny.so
auth  required pam_permit.so

After:

#auth  [success=1 default=ignore] pam_unix.so nullok_secure
auth  requisite pam_unix.so nullok_secure
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

@include common-auth

After:

#@include common-auth
auth  [success=1 default=ignore] pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

Debian 7

IMPORTANT: Debian 7 reached end of life on April 26, 2016. Duo Unix 1.11.1 was the last release with Debian 7 support.

Debian 6

IMPORTANT: Debian 6 reached end of life on May 31, 2015. Duo Unix 1.9.18 was the last release with Debian 6 support.

Amazon Linux

Note: Running authconfig after editing your PAM config files will overwrite your changes. Do not run authconfig once you edit your PAM files to add Duo.

If you must preserve your ability to run authconfig in the future, use the symbolic link method described in the "Keeping Custom Settings with authconfig" topic in section 4.1.2 of the Red Hat Security Guide.

System-wide Authentication

/etc/pam.d/system-auth

Before:

auth  required pam_env.so
auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite pam_succeed_if.so uid >= 500 quiet
auth  required pam_deny.so

After:

auth  required pam_env.so
# auth  sufficient pam_unix.so nullok try_first_pass
auth  requisite pam_unix.so nullok try_first_pass
auth  sufficient pam_duo.so
auth  requisite pam_succeed_if.so uid >= 500 quiet
auth  required pam_deny.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

auth  required pam_sepermit.so
auth  substack password-auth

After:

auth  required pam_sepermit.so
# auth  substack password-auth
auth  required pam_duo.so

FreeBSD

System-wide Authentication

/etc/pam.d/system

Before:

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
# auth           sufficient      pam_krb5.so             no_warn try_first_pass
# auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

After:

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
# auth           sufficient      pam_krb5.so             no_warn try_first_pass
# auth           sufficient      pam_ssh.so              no_warn try_first_pass
# auth           required        pam_unix.so             no_warn try_first_pass nullok
auth            requisite       pam_unix.so             no_warn try_first_pass nullok
auth            requisite       pam_duo.so

SSH Public Key Authentication

/etc/pam.d/sshd

Before:

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
# auth           sufficient      pam_krb5.so             no_warn try_first_pass
# auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

After:

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
# auth           sufficient      pam_krb5.so             no_warn try_first_pass
# auth           sufficient      pam_ssh.so              no_warn try_first_pass
# auth           required        pam_unix.so             no_warn try_first_pass
auth            required        pam_duo.so

AIX 7

Edit /etc/security/login.cfg and change this line near the bottom of the file:

auth_type = STD_AUTH

to read:

auth_type = PAM_AUTH

/etc/pam.conf

Before:

# Authentication
#
authexec    auth    required        pam_aix
dtaction    auth    required        pam_aix
dtsession   auth    required        pam_aix
dtlogin     auth    required        pam_aix
ftp         auth    required        pam_aix
imap        auth    required        pam_aix
login       auth    required        pam_aix
rexec       auth    required        pam_aix
rlogin      auth    sufficient      pam_rhosts_auth
rlogin      auth    required        pam_aix
rsh         auth    required        pam_rhosts_auth
snapp       auth    required        pam_aix
su          auth    required        pam_aix
swrole      auth    required        pam_aix
telnet      auth    required        pam_aix
xdm         auth    required        pam_aix
sshd        auth    required        pam_aix
OTHER       auth    required        pam_prohibit

After (protecting both su and ssh with Duo):

# Authentication
#
authexec    auth    required        pam_aix
dtaction    auth    required        pam_aix
dtsession   auth    required        pam_aix
dtlogin     auth    required        pam_aix
ftp         auth    required        pam_aix
imap        auth    required        pam_aix
login       auth    required        pam_aix
rexec       auth    required        pam_aix
rlogin      auth    sufficient      pam_rhosts_auth
rlogin      auth    required        pam_aix
rsh         auth    required        pam_rhosts_auth
snapp       auth    required        pam_aix
su          auth    requisite       pam_aix
su          auth    required        /usr/lib/security/pam_duo.so
swrole      auth    required        pam_aix
telnet      auth    required        pam_aix
xdm         auth    required        pam_aix
sshd        auth    requisite       pam_aix
sshd        auth    required        /usr/lib/security/pam_duo.so
OTHER       auth    required        pam_prohibit

If sshd entries do not already exist in /etc/pam.conf then add them after all the other sections:

sshd    account     required    pam_aix
sshd    password    required    pam_aix
sshd    session     required    pam_aix

Test Your Setup

SSH into your system newly configured with pam_duo. If everything is set up correctly and your username doesn't exist in Duo, you'll be given an enrollment link:

Duo Unix Enrollment Prompt

Copy the enrollment link and paste it into a web browser to complete Duo's enrollment process.

After enrolling your authentication device with Duo (or if your test user was already enrolled in Duo) you'll receive the prompt for additional verification.

Duo Unix Authentication Prompt

Choose your authentication method and approve the request using your phone or other device.

Troubleshooting

Need some help? Take a look at the Duo UNIX Frequently Asked Questions (FAQ) page or try searching our Duo UNIX Knowledge Base articles or Community discussions. For further assistance, contact Support.

If you open a support case with Duo, be sure to use the Duo Unix Support Tool to create a tarball you can send to the support engineer to aid with troubleshooting.

Network Diagram

  1. SSH connection initiated
  2. Primary authentication
  3. Duo Unix connection established to Duo Security over TCP port 443
  4. Secondary authentication via Duo Security’s service
  5. Duo Unix receives authentication response
  6. SSH session logged in