Duo Unix - Two-Factor Authentication for SSH - FAQ

Last Updated: November 22nd, 2024

Duo can be easily added to any Unix system to protect remote (SSH) or local logins with the addition of a simple pam_duo PAM module. It has been tested on Linux (RedHat, Fedora, CentOS, Debian, Ubuntu, Amazon Linux), BSD (FreeBSD, NetBSD, OpenBSD), Solaris, and AIX. The code is open-source and available on GitHub.

Installation

Do I need to install gcc or the build prerequisites if I will be using packages?

No, if you will be installing Duo Unix using our Linux packages, there is no need to also install the build-from-source prerequisites or a compiler (like gcc) on the target systems.

Why might I receive an error when running "./configure"?

If you get an error like this while configuring:

$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... no
checking whether to enable maintainer-specific portions of Makefiles... no
checking build system type... Invalid configuration `i686-pc-linux-': machine `i686-pc-linux' not recognized
configure: error: /bin/bash autotools/config.sub i686-pc-linux- failed

Make sure you have a C compiler (like gcc) installed before continuing.

I found some Duo Unix packages on Ubuntu Launchpad, are those legitimate?

Like most repositories on Launchpad, these are community maintained. Any Duo Unix package on Launchpad is not affiliated with Duo Security, may be out of date, and may be used at your own risk.

Configuration

How does Duo Unix protect su and sudo access?

Duo Unix will send a 2FA request after a user issues su or sudo and supplies a password. However, the exact 2FA behavior for su differs depending on whether the command was issued with the login shell option:

| Command | Password | 2FA request |
|---|---|---|
| UserA issues sudo | Requires UserA's password | 2FA request sent to UserA |
| UserA issues su | Requires root's password | 2FA request sent to UserA |
| UserA issues su -l, su -, or su --login | Requires root's password | 2FA request sent to UserA |
| UserA issues su -l UserB, su - UserB, or su --login UserB | Requires UserB's password | 2FA request sent to UserB (see note following table) |
| UserA issues sudo su | Requires UserA's password | 2FA request sent to UserA |

Note: The su behavior between non-root users changed as of Duo Unix release 2.0.0. In Duo Unix v1.x releases, this usage scenario would have sent the 2FA request to UserA instead of UserB. There is no configuration option in Duo Unix v2.x that restores the v1.x behavior.

Can I use login_duo to protect a shared root account?

Yes. You can use login_duo's -f flag to map a local user to a different Duo user. For example, your ~/.ssh/authorized_keys might look something like this:

command="/usr/sbin/login_duo -f user1" ssh-dss FRP...FD== user1@company
command="/usr/sbin/login_duo -f user2" ssh-dss YUX...IO== user2@company

Can I use Duo Unix with scp or other non-interactive sessions?

Yes. However, during non-interactive sessions such as scp, there is no opportunity to prompt the user to select an authentication factor. Instead, Duo Unix sends a 2FA request to the user's first available out-of-band factor (e.g., Duo Push or phone callback). If using login_duo, you can also use the accept_env_factor configuration option to specify a factor name.

See KB article 9087 for more information.

How do I configure duo_unix to use a proxy?

Both login_duo and pam_duo (since duo_unix version 1.7) allow you to specify the "http_proxy" configuration variable used to connect to Duo.

You can set this by adding the http_proxy variable to your login_duo.conf or pam_duo.conf file, in the following format:

http_proxy=http://username:password@proxy.example.org:8080

Leave out the username:password parameter if your upstream HTTP proxy doesn't require authentication.

If you don't already have an HTTP proxy server you can configure the Duo Authentication Proxy as a proxy for Duo traffic.

If your system is running with SELinux set to enforcing mode, you may find that Duo Unix is restricted to use of certain ports with an HTTP proxy. SELinux requires specific whitelisting of ports for applications. When you install Duo Unix with SELinux support (done automatically if you download via RPM) Duo Unix is allowed to use all ports listed in the http_port_t and http_cache_port_t types. If you need to use a port not in those lists by default then you will need to add that port to the cache port list with semanage.

View the ports in the http_port_t and http_cache_port_t lists:

$ semanage port -l | grep http_cache_port_t
http_cache_port_t tcp 3128, 8080, 8118
http_cache_port_t udp 3130
$ semanage port -l | grep http_port_t
http_port_t tcp 80, 443, 488, 8008, 8009, 8443

Add a port to the cache list:

$ semanage port -a -t http_cache_port_t -p tcp 8888

Can I use login_duo to protect non-root shared accounts, or can I do an install without root privileges?

Yes. First, build login_duo and make sure that it does not have setuid permissions.

$ ./configure && make
$ chmod u-s login_duo/login_duo

Copy the executable to somewhere safe, where only the shared account (and the system administrator) have read/write access, such as a private subdirectory of the user's home folder. You can then enable Duo two-factor for ssh logins using the authorized keys method described above, and the -c flag to specify the configuration file. However, anyone with write access to these files will be able to disable the two-factor authentication on the account. For example, your ~/.ssh/authorized_keys might look something like this:

command="/path/to/login_duo -c /path/to/login_duo.conf -f user1" ssh-dss FRP...FD== user1@company
command="/path/to/login_duo -c /path/to/login_duo.conf -f user2" ssh-dss YUX...ID== user2@company
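Because write access to any of these files is enough to turn off two-factor for the account, it is worth checking their permissions after setup. The script below is an added example, not part of Duo Unix: the function names and the throwaway demo directory are constructed for illustration, and it flags a leftover setuid bit, group- or world-writable files, and writable parent directories.

```shell
#!/bin/sh
# Added example: audit the files a non-root login_duo setup depends on.
# Each finding is something that would let another account replace the
# binary, edit the config, or rewrite the forced command.

# True when the path is writable by group or other.
loose_write() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# usage: audit_login_duo_files PATH...   (return status = number of findings)
audit_login_duo_files() {
    findings=0
    for p in "$@"; do
        if [ ! -f "$p" ]; then
            echo "MISSING         $p"; findings=$((findings + 1)); continue
        fi
        # The FAQ's non-root install clears setuid with chmod u-s.
        if [ -n "$(find "$p" -prune -perm -4000)" ]; then
            echo "SETUID          $p"; findings=$((findings + 1))
        fi
        if loose_write "$p"; then
            echo "WRITABLE        $p"; findings=$((findings + 1))
        fi
        # A writable parent directory lets the file be swapped out.
        if loose_write "$(dirname "$p")"; then
            echo "PARENT-WRITABLE $p"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed demo in a throwaway directory (paths are placeholders).
demo=$(mktemp -d)
mkdir "$demo/duo" && chmod 700 "$demo/duo"
: > "$demo/duo/login_duo";      chmod 4755 "$demo/duo/login_duo"       # setuid left on
: > "$demo/duo/login_duo.conf"; chmod 660  "$demo/duo/login_duo.conf"  # group-writable
audit_login_duo_files "$demo/duo/login_duo" "$demo/duo/login_duo.conf" \
    || echo "findings: $?"
rm -rf "$demo"
```

On a real system, pass the login_duo binary, its configuration file, and the account's authorized_keys file as arguments.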

Can I use pam_duo with SSH logins?

Yes, after installing and configuring pam_duo, set the following options in sshd_config:

UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no

Or:

UsePAM yes
KbdInteractiveAuthentication yes
UseDNS no

Whether you specify KbdInteractiveAuthentication or ChallengeResponseAuthentication depends on which option is already present in your sshd_config file. If both are present the first one set in the file takes effect.
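To confirm which values actually take effect, the following added example (not part of Duo's documentation) reads an sshd_config-style file and applies the first-occurrence rule described above, treating the two challenge-response keywords as one setting. The function names and sample file are constructed; parsing stops at the first Match block, Include files are not followed, and a keyword that is absent is reported as unset rather than assumed to have a default.

```shell
#!/bin/sh
# Added example: report the effective global value of sshd_config keywords.

# usage: sshd_first_value FILE KEYWORD [ALIAS...]
# Prints the value of the first matching keyword, or "unset".
sshd_first_value() {
    cfg=$1; shift
    awk -v keys="$*" '
        BEGIN { n = split(tolower(keys), k, " ")
                for (i = 1; i <= n; i++) want[k[i]] = 1 }
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { sub(/[ \t]*=[ \t]*/, " ")          # "Keyword=value" form
          key = tolower($1)                  # keywords are case-insensitive
          if (key == "match") exit           # per-connection overrides start here
          if (key in want) { print tolower($2); found = 1; exit } }
        END { if (!found) print "unset" }
    ' "$cfg"
}

# Return status = number of settings that differ from the FAQ's values.
check_sshd_for_pam_duo() {
    f=$1; bad=0
    v=$(sshd_first_value "$f" UsePAM)
    [ "$v" = yes ] || { echo "UsePAM is '$v', expected yes"; bad=$((bad + 1)); }
    v=$(sshd_first_value "$f" ChallengeResponseAuthentication KbdInteractiveAuthentication)
    [ "$v" = yes ] || { echo "challenge-response is '$v', expected yes"; bad=$((bad + 1)); }
    v=$(sshd_first_value "$f" UseDNS)
    [ "$v" = no ] || { echo "UseDNS is '$v', expected no"; bad=$((bad + 1)); }
    return "$bad"
}

# Constructed sample: the earlier "no" wins over the later "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config excerpt
UsePAM yes
KbdInteractiveAuthentication no
ChallengeResponseAuthentication yes
UseDNS no
Match User backup
    KbdInteractiveAuthentication yes
EOF
check_sshd_for_pam_duo "$sample" || echo "settings to fix: $?"
rm -f "$sample"
```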

Can I use Duo Unix with Kerberos Authentication?

Yes. Learn more in our Guide to Protecting Unix Logins with Kerberos and Duo.

Troubleshooting

How do I use the Support Tool?

If you open a case with Duo Support for an issue involving Duo Unix, your support engineer will need you to submit your PAM/sshd configuration, recent debug log output demonstrating the issue, and other system configurations. Sensitive information, such as your Duo application's SKEY, should not be sent to support.

We've made collecting troubleshooting information easy with a script that gathers all the necessary files, scrubs them of sensitive information, and creates a tarball ready for you to send to your Duo support engineer. The script is included in version 1.11.4 and later and the default location is /usr/sbin/duo_unix_support.sh.

The support tool performs the following actions:

  1. Gathers information about your system and the Duo Unix configuration:

    • System logs: depending on the OS this could include /var/log/secure, /var/log/messages, /var/log/auth.log, /var/log/syslog, etc.
    • Configuration files from /etc e.g. /etc/duo/login_duo.conf, /etc/duo/pam_duo.conf, /etc/pam.conf, /etc/ssh/sshd_config, /etc/security/login.cfg, etc.
    • PAM configuration files from /etc/pam.d such as /etc/pam.d/sshd, /etc/pam.d/passwd, /etc/pam.d/common-auth, /etc/pam.d/system-auth, etc.
    • SELinux information like sebools, semodules, sestatus, and policies that use TCP sockets.
    • Version information for your operating system, kernel, OpenSSL, OpenSSH, Duo Unix install, and compilers.
  2. Scrubs sensitive information like secret keys from the config file.

  3. Creates a tarball that contains the gathered information as /etc/duo/duo_unix_support.tar.gz which you can email to Duo Support.

To run the Duo Unix support tool:

  1. SSH to the system where you installed Duo Unix.

  2. Run this command to launch the tool (run without sudo if logged in as root):

    cd /usr/sbin
    sudo chmod +x ./duo_unix_support.sh
    sudo ./duo_unix_support.sh
    

I'm using PuTTY on Windows and the window closes before I can visit the enrollment link.

Change PuTTY's Close window on exit setting to Never (in the Category: Session section).

Why might I receive the error "error while loading shared libraries"?

If you get an error like this when trying to run login_duo:

$ login_duo echo Hello!
login_duo: error while loading shared libraries: libduo.so.1: cannot open shared object file: No such file or directory

Or if you see errors like these in your sshd logs when trying to set up pam_duo:

May 15 13:37:20 SRV01 sshd[10479]: PAM unable to dlopen(/lib64/security/pam_duo.so)
May 15 13:37:20 SRV01 sshd[10479]: PAM [error: libduo.so.3: cannot open shared object file: No such file or directory]
May 15 13:37:20 SRV01 sshd[10479]: PAM adding faulty module: /lib64/security/pam_duo.so

Running ldconfig as root should update your shared libraries cache and allow login_duo or pam_duo to function correctly:

# ldconfig

If that fails, ensure that you ran ./configure with --prefix=/usr.

Why might I receive the error "Invalid user response"?

If you're using pam_duo and get this error:

Jun 29 16:59:36 dev sshd[19628]: pam_duo(sshd:auth): conversation failed
Jun 29 16:59:36 dev sshd[19628]: Failed Duo login for username: Invalid user response

Make sure you have ChallengeResponseAuthentication set to yes in your sshd_config file.

What do I do if "accept_env_factor" does not work?

You need to make sure that the server accepts the environment variable, and that the client is sending it. On the client side, edit ~/.ssh/config to have a section like the following:

Host host_nickname
HostName server.host.name.or.ip.address
User myusername
SendEnv DUO_PASSCODE

On the server, edit sshd_config to add DUO_PASSCODE to the list of environment variables copied from the client to the server.

AcceptEnv DUO_PASSCODE

Then on the client, set DUO_PASSCODE and connect to the server.

$ env DUO_PASSCODE=123456 ssh host_nickname

Note that this option is only available for login_duo.

What do I do if "pam_duo" is not bypassing IP addresses correctly?

Make sure that UseDNS is set to no in your sshd_config file.

Why might I receive the error "login_duo: symbol lookup error: login_duo: undefined symbol: duo_debug"?

This may indicate that there is an old copy of a Duo shared library on your system. Please locate and remove it with the following commands, and then re-install the Duo integration on your system.

$ ldd `which login_duo` | grep duo
libduo.so.3 => /usr/lib/i386-linux-gnu/libduo.so.3 (0xb778b000)
$ rm -f /usr/lib/i386-linux-gnu/libduo.so.3

After removing that file, please try re-installing your Duo Unix integration.

Additional Troubleshooting

Need more help? Try searching our Duo UNIX Knowledge Base articles or Community discussions. For further assistance, contact Support.