Skip navigation
Documentation

Duo Unix - Two-Factor Authentication for SSH - Release Notes

Last Updated: October 25th, 2022

Duo can be easily added to any Unix system to protect remote (SSH) or local logins with the addition of a simple pam_duo PAM module. It has been tested on Linux (RedHat, Fedora, CentOS, Debian, Ubuntu, Amazon Linux), BSD (FreeBSD, NetBSD, OpenBSD), Solaris, and AIX. The code is open-source and available on GitHub.

Download the current release from the Checksums and Downloads page.

duo_unix-2.0.0 - October 25, 2022

  • Updated su behavior so that when UserA attempts su to UserB then UserB will receive the Duo 2FA request. In previous releases UserA would have received the 2FA request. This behavior is not configurable. See the Duo Unix FAQ for details.
  • login_duo now resets the SIGPIPE handler when it closes its connection.
  • Added logging when Duo is invoked to assist troubleshooting.
  • Updated package signing to SHA512.

duo_unix-1.12.1 - June 2, 2022

  • Added package support for Fedora 34, Red Hat 9, CentOS Stream 8, CentOS Stream 9, and Ubuntu 22.04.
  • CentOS 8 and Ubuntu 14.04 and 16.04 no longer supported.
  • Updated GPG public key for downloading distribution packages; now SHA512 instead of SHA1.

duo_unix-1.12.0 - February 2, 2022

  • Duo Unix now uses JSON rather than BSON.
  • CentOS 8 and Ubuntu 14.04 and 16.04 support is deprecated and will be removed in the next release.

duo_unix-1.11.5 - November 30, 2021

  • Added support for Debian 11.
  • Debian 8 and CentOS 6 no longer supported.
  • Fixed MOTD display for non-interactive sessions.
  • The support tool now also collects the sudo PAM configuration file.
  • Updated pinned certificates.

duo_unix-1.11.4 - May 18, 2020

  • Added support for Ubuntu 20.04.
  • Added support tool to collect information (e.g. logs and PAM stacks) you can send to Duo Support when troubleshooting issues.
  • Ubuntu 12.04 no longer supported.
  • Debian 8 and CentOS 6 support is deprecated and will be removed in the next release.
  • Updated GPG public key for downloading distribution packages.

duo_unix-1.11.3 - October 2019

  • Support for CentOS 8, Red Hat 8, and Debian 10.
  • Improved validation of BSON messages.
  • Updated GPG public key for downloading distribution packages.
  • Ubuntu 12.04 support is deprecated and will be removed in the next release.

duo_unix-1.11.2 - June 2019

  • Published a guide to recommended Kerberos configuration for Duo Unix. Thanks to Neal Poole at Facebook for bringing expertise and attention to this topic.
  • Updated SELinux policy to allow local logins to use the pam_duo PAM module and made sshd configurable. This requires installation of selinux-policy-devel on CentOS and RHEL 7 as a prerequisite.
  • Added support for spaces in group names when escaped with backslashes in pam_duo.conf and login_duo.conf
  • Debian 7 no longer supported.

duo_unix-1.11.1 - November 2018

  • Fixed bug causing console login to fail on certain systems.
  • Debian 7 support is deprecated and will be removed in the next release.

duo_unix-1.11.0 - October 2018

  • Added configuration options for parsing the Duo username out of the GECOS field: gecos_username_pos and gecos_delim.
  • Support for Debian 9 (Stretch).
  • CentOS 5 no longer supported.

duo_unix-1.10.5 - September 2018

  • CentOS 5 support is deprecated and will be removed in the next release.
  • Fixed a bug that caused a segfault on systems where the hostname wasn't retrievable.

duo_unix-1.10.4 - August 2018

  • CentOS 5 support is deprecated and will be removed in a future release.
  • Support for TLS 1.2.
  • Support for LibreSSL 2.7.0 and up.
  • Support for Ubuntu 18.04 (Bionic Beaver).
  • Minor memory leak fixes.
  • Output a message during authentication when a user is locked out.
  • FIPS-compliant when run on a system with FIPS enabled system-wide.
  • Sends the hostname to Duo's service so that it appears in the authentication logs.

Note that releases between 1.10.1. and 1.10.4 contained no code changes.

duo_unix-1.10.1 - August 2017

  • Fixed bug causing automated tests to fail on OSX.
  • Addressed an issue which kept configuration secrets in memory for longer than necessary.

duo_unix-1.10.0 - June 2017

  • Added LibreSSL support.
  • Added additional GECOS parsing support.
  • Increased OSX group count.

duo_unix-1.9.21 - May 2017

  • Only allow http_proxy to be defined in configuration file instead of environment. PSA-2017-002

duo_unix-1.9.20 - May 2017

  • Fix installation on AIX systems.
  • Add support for using OpenSSL 1.1.0.
  • Link libduo statically to address issues with the ldconfig cache and incompatibilities between versions.
  • Fixed a bug that produced incorrect SNI when using a proxy.

duo_unix-1.9.19 - August 2016

  • Restore the http_proxy environment variable after Duo is done.
  • Added https_timeout config option to pam_duo.
  • Handles missing shell and adds default if not specified in getpwuid.
  • Add SNI support and a guard for systems that don't support SNI.
  • Bug fixes for timeouts and fallback ip addresses.
  • Debian 6 no longer supported.

duo_unix-1.9.18 - January 2016

  • Added HTTP proxy connection error handling.
  • Improved compatibility with Solaris and AIX.
  • Debian 6 support is deprecated and will be removed in the next release.

duo_unix-1.9.17 - October 2015

  • Fixed PAM return code issue.

duo_unix-1.9.16 - October 2015

  • Test fixes.
  • Compilation fixes.

duo_unix-1.9.15 - September 2015

  • SELinux policy module package support.
  • PAM module improvements.
  • Removed deprecated SHA1 Entrust CA.

duo_unix-1.9.14 - January 2015

  • Added SELinux policy module.
  • Improve poll(2) error handling.

duo_unix-1.9.13 - October 2014

  • Bugfixes for signal handling.

duo_unix-1.9.12 - September 2014

  • Include https_timeout configuration parameter.
  • IPv6 support on systems that have getaddrinfo.

duo_unix-1.9.11 - April 2014

  • Improve compatibility with FreeBSD 10.

duo_unix-1.9.10 - April 2014

  • Use the correct timeout when polling.

duo_unix-1.9.9 - April 2014

  • Use poll(2) instead of select(2) for timeouts to support busy systems with many open file descriptors.
  • Send User-Agent header with each request.

duo_unix-1.9.8 - April 2014

  • Improve support for SHA2 in HTTPS.

duo_unix-1.9.7 - January 2014

  • Allow using accept_env_factor with SSH.
  • Allow using autopush with PAM on Mac OS X.

See the CHANGES file on GitHub for extended version history.