Duo Unix - Two-Factor Authentication for SSH - FAQ

Duo can be easily added to any Unix system to protect remote (SSH) or local logins with the addition of a simple pam_duo PAM module or login_duo module. It has been tested on Linux (RedHat, Fedora, CentOS, Debian, Ubuntu, Amazon Linux), BSD (FreeBSD, NetBSD, OpenBSD), Solaris, HP-UX, and AIX. The code is open-source and available on GitHub.

Can I use login_duo to protect a shared root account?

Yes. You can use login_duo's -f flag to map a local user to a different Duo user. For example, your ~/.ssh/authorized_keys might look something like this:

command="/usr/sbin/login_duo -f user1" ssh-dss FRP...FD== user1@company
command="/usr/sbin/login_duo -f user2" ssh-dss YUX...IO== user2@company

Can I use login_duo with scp or other non-interactive sessions?

Yes. However, non-interactive sessions such as scp give login_duo no opportunity to prompt the user to select an authentication factor. Instead, login_duo will challenge the user with their first available out-of-band factor (e.g., Duo Push or phone callback). You can also use the accept_env_factor configuration option to specify a factor name.

How do I configure duo_unix to use a proxy?

Both login_duo and pam_duo (since duo_unix version 1.7) have support for the standard "http_proxy" environment variable (honored by wget, curl, etc.).

You can set this by adding the http_proxy variable to your login_duo.conf or pam_duo.conf file, in the following format:

http_proxy=http://username:password@proxy.example.org:8080

If you don't already have an HTTP proxy server you can configure the Duo Authentication Proxy as a proxy for Duo traffic.

I'm using PuTTY on Windows and the window closes before I can visit the enrollment link.

Change PuTTY's Close window on exit setting to Never (in the Category: Session section).

Can I use login_duo to protect non-root shared accounts, or can I do an install without root privileges?

Yes. First, build login_duo and make sure that it does not have setuid permissions.

$ ./configure && make
$ chmod u-s login_duo/login_duo

Copy the executable to somewhere safe, where only the shared account (and the system administrator) have read/write access, such as a private subdirectory of the user's home folder. You can then enable Duo two-factor for ssh logins using the authorized keys method described above, and the -c flag to specify the configuration file. However, anyone with write access to these files will be able to disable the two-factor authentication on the account. For example, your ~/.ssh/authorized_keys might look something like this:

command="/path/to/login_duo -c /path/to/login_duo.conf -f user1" ssh-dss FRP...FD== user1@company
command="/path/to/login_duo -c /path/to/login_duo.conf -f user2" ssh-dss YUX...ID== user2@company
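
The warning above, turned into a check, as an added example that is not part of Duo's documentation or code: unprotected_keys lists authorized_keys lines that do not force login_duo, and loose_files flags files that group or others can write or that are still setuid. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Duo's code): audit a login_duo forced-command setup.

# Print every key line whose options do not force a command whose first
# word is a path ending in login_duo. Exit status 1 if any such line exists.
unprotected_keys() {
    awk '
    function opts(line,   i, c, q) {        # leading options field of a key line
        sub(/^[ \t]+/, "", line)
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "\\") i++              # skip an escaped character
            else if (c == "\"") q = !q      # spaces inside quotes stay in the field
            else if (!q && (c == " " || c == "\t")) break
        }
        return substr(line, 1, i - 1)
    }
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    ("," opts($0)) !~ /,command="[^" ]*login_duo[ "]/ { print NR ": " $0; bad = 1 }
    END { exit bad + 0 }' "$1"
}

# Print each given file that group or others can write, or that is setuid.
# Exit status 1 if any is found.
loose_files() {
    rc=0
    for f in "$@"; do
        if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "$f: writable by group or others"; rc=1
        fi
        if [ -u "$f" ]; then echo "$f: setuid bit set"; rc=1; fi
    done
    return $rc
}

# Constructed sample: the second key has no forced command and skips Duo.
demo=$(mktemp -d)
cat > "$demo/authorized_keys" <<'EOF'
command="/path/to/login_duo -c /path/to/login_duo.conf -f user1" ssh-dss FRP...FD== user1@company
ssh-dss YUX...ID== user2@company
EOF
chmod 600 "$demo/authorized_keys"
unprotected_keys "$demo/authorized_keys" || echo "key lines without login_duo found"
loose_files "$demo/authorized_keys" && echo "permissions ok"
rm -r "$demo"
```

Run loose_files against authorized_keys, the login_duo binary and login_duo.conf together, since write access to any of them is enough to turn the second factor off.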

Can I use pam_duo with SSH logins?

Yes, after installing and configuring pam_duo, set the following options in sshd_config:

UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no

I found some Duo Unix packages on Ubuntu Launchpad, are those legitimate?

Like most repositories on Launchpad, these are community maintained. Any Duo Unix package on Launchpad is not affiliated with Duo Security, may be out of date, and may be used at your own risk.

Why might I receive an error when running "./configure"?

If you get an error like this while configuring:

$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... no
checking whether to enable maintainer-specific portions of Makefiles... no
checking build system type... Invalid configuration `i686-pc-linux-': machine `i686-pc-linux' not recognized
configure: error: /bin/bash autotools/config.sub i686-pc-linux- failed

Make sure you have a compiler (gcc) installed before continuing.

Why might I receive the error "error while loading shared libraries"?

If you get an error like this when trying to run login_duo:

$ login_duo echo Hello!
login_duo: error while loading shared libraries: libduo.so.1: cannot open shared object file: No such file or directory

Or if you see errors like these in your sshd logs when trying to set up pam_duo:

May 15 13:37:20 SRV01 sshd[10479]: PAM unable to dlopen(/lib64/security/pam_duo.so)
May 15 13:37:20 SRV01 sshd[10479]: PAM [error: libduo.so.3: cannot open shared object file: No such file or directory]
May 15 13:37:20 SRV01 sshd[10479]: PAM adding faulty module: /lib64/security/pam_duo.so

Running ldconfig as root should update your shared libraries cache and allow login_duo or pam_duo to function correctly:

# ldconfig

If that fails, ensure that you ran ./configure with --prefix=/usr.

Why might I receive the error "Invalid user response"?

If you're using pam_duo and get this error:

Jun 29 16:59:36 dev sshd[19628]: pam_duo(sshd:auth): conversation failed
Jun 29 16:59:36 dev sshd[19628]: Failed Duo login for username: Invalid user response

Make sure you have ChallengeResponseAuthentication set to yes in your sshd_config file.

What do I do if "accept_env_factor" does not work?

You need to make sure that the server accepts the environment variable, and that the client is sending it. On the client side, edit ~/.ssh/config to have a section like the following:

Host host_nickname
    HostName server.host.name.or.ip.address
    User myusername
    SendEnv DUO_PASSCODE

On the server, edit sshd_config to add DUO_PASSCODE to the list of environment variables copied from the client to the server.

AcceptEnv DUO_PASSCODE

Then on the client, set DUO_PASSCODE and connect to the server.

$ env DUO_PASSCODE=123456 ssh host_nickname

Note that this option is only available for login_duo.

What do I do if "pam_duo" is not whitelisting IP addresses correctly?

Make sure that UseDNS is set to no in your sshd_config file.
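
An added example (not Duo's code) that checks an sshd_config for the settings named in the pam_duo, "Invalid user response", accept_env_factor and whitelisting answers above. The function names and sample file are constructed; it reads a single file, uses only the keyword names this page uses, and does not follow Include directives.

```shell
#!/bin/sh
# Added example (not Duo's code): check sshd_config for the settings this FAQ names.

# Print the value of a global keyword as sshd reads it: keywords are
# case-insensitive, the first occurrence wins, and the global section ends
# at the first Match line. Prints nothing when the keyword is not set.
sshd_value() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }' "$1"
}

# Report each pam_duo setting that differs from the FAQ; status 1 if any does.
check_pam_duo_sshd() {
    rc=0
    for pair in UsePAM=yes ChallengeResponseAuthentication=yes UseDNS=no; do
        got=$(sshd_value "$1" "${pair%=*}")
        if [ "$got" != "${pair#*=}" ]; then
            echo "${pair%=*}: want ${pair#*=}, found ${got:-nothing}"; rc=1
        fi
    done
    return $rc
}

# Status 0 if a global AcceptEnv line names DUO_PASSCODE literally. AcceptEnv
# can repeat and take several names; wildcard patterns are not expanded here.
accepts_duo_passcode() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "acceptenv" { for (i = 2; i <= NF; i++) if ($i == "DUO_PASSCODE") ok = 1 }
        END { exit !ok }' "$1"
}

# Constructed sample: one keyword is misspelled, so the real one is never set,
# and the later "UseDNS yes" is ignored because the first occurrence wins.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
UsePAM yes
ChallengeReponseAuthentication yes
usedns no
UseDNS yes
AcceptEnv LANG LC_*
EOF
check_pam_duo_sshd "$cfg" || echo "sshd_config needs changes for pam_duo"
accepts_duo_passcode "$cfg" || echo "DUO_PASSCODE is not accepted"
rm -f "$cfg"
```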

Why might I receive the error "login_duo: symbol lookup error: login_duo: undefined symbol: duo_debug"?

This may indicate that there is an old copy of a Duo shared library on your system. Please locate and remove it with the following commands, and then re-install the Duo integration on your system.

$ ldd `which login_duo` | grep duo
libduo.so.3 => /usr/lib/i386-linux-gnu/libduo.so.3 (0xb778b000)
$ rm -f /usr/lib/i386-linux-gnu/libduo.so.3

After removing that file, please try re-installing your Duo Unix integration.

Additional Troubleshooting

Need more help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.
