Note: This upgrade is unrelated to the recent OpenSSL Heartbleed vulnerability
Occasionally we notify customers to upgrade their installed software to fix issues and add new functionality. In this particular case, failing to upgrade by June 30, 2014 will cause your protected services for the applications listed below to become unavailable (note that only certain versions are impacted):
Application software not listed above does not need to be upgraded at this time (e.g. Microsoft Windows Credential Provider and Microsoft ADFS).
Read on for additional information as to why this upgrade is mandatory and for step-by-step upgrade instructions for each of the impacted applications.
Every application communicates with Duo’s service over SSL. Several applications add an additional layer of protection to SSL by implementing Certificate Authority (CA) pinning. Due to changes in agreements between certificate authorities and evolving best practices in the industry, Duo is updating our list of trusted certificates.
Our old list will no longer be supported by certificate authorities in July 2014. The new list also contains stronger certificates for increased resilience against attack.
The applications listed above will no longer be able to perform authentication or connect to Duo’s service after June 30, 2014.
Listed below are step-by-step upgrade instructions to verify your current software version and to execute the upgrade
The current version number is logged to the authproxy.log file when the process starts. It looks like the following:
2014-04-01 01:02:03-0400 [-] Duo Security Authentication Proxy 2.3.3 - Init Complete
If the version number is below 2.3.3 or if no Authentication Proxy version number is present in the log please upgrade to the latest release available here:
The Authentication Proxy installers will preserve your current configuration and log files when upgrading to the latest release. If you would like to make a backup copy before running the upgrade the relevant directories are:
net start duoauthproxy
Download the Authentication Proxy 2.4.2 release for Unix from https://dl.duosecurity.com/duoauthproxy-latest-src.tgz. Note that the actual filename will reflect the version e.g. duoauthproxy-2.4.2-src.tgz.
Extract the Authentication Proxy files
tar xzf duoauthproxy-2.4.2-src.tgz
and change directory to the extracted source
Set the PYTHON environment variable to the command used to run python i.e. python, python26, etc.
make to build the Authentication Proxy installer.
Change directory to the newly built installer
and run the installer
Follow the installation prompts. The conf and log folders from your current installation are retained.
Start the new Authentication Proxy service
Duo Unix defaults to failmode safe, allowing login if Duo's servers cannot be reached. If you configured it otherwise (secure) and cannot access your machine to perform the upgrade, please attempt to access in single-user mode or with physical root access to upgrade the Duo Unix integration.
Run this command:
$ login_duo -v
If the version number is 1.9.5 or below (or if running the above command produces the error shown below) please upgrade to the latest version by following the instructions below.
login_duo: invalid option -- 'v'
If instead you encountered an error such as:
"login_duo: symbol lookup error: login_duo: undefined symbol: duo_debug", please follow these instructions from our troubleshooting guide, and then proceed to follow the upgrade steps below.
Download the latest version of Duo Unix, available here: https://dl.duosecurity.com/duo_unix-latest.tar.gz.
Build and install with the following commands (please note that you’ll need to use the same —prefix as when Duo Unix was originally configured if different than /usr):
$ tar zxf duo_unix-1.9.18.tar.gz $ cd duo_unix-1.9.18 $ ./configure --prefix=/usr && make && sudo make install
Your existing login_duo.conf and pam_duo.conf will not be overwritten.
Backup login_duo.conf and/or pam_duo.conf with:
$ cp /etc/duo/login_duo.conf ~/login_duo.conf.bak $ cp /etc/duo/pam_duo.conf ~/pam_duo.conf.bak
Remove the old package through the package manager for your system, for example:
On Ubuntu or Debian-based distros:
$ apt-get remove login-duo
On CentOS or RedHat-based distros:
$ yum remove login-duo
Add the Duo repo and execute the commands from the list here: /docs/duounix#linux-distribution-packages
Move your backed-up configuration files back into place:
$ mv ~/login_duo.conf.bak /etc/duo/login_duo.conf $ mv ~/pam_duo.conf.bak /etc/duo/pam_duo.conf
Run the update commands appropriate to your distribution (i.e. apt-get, yum)
Run this command:
grep -q DigiCert /opt/duo/ca_certs.pem && echo 'Up to date.' || echo 'An upgrade is needed.'
Create a backup copy of the /opt/duo directory and contents.
Download the newest version of the OpenVPN integration at https://github.com/duosecurity/duo_openvpn/tarball/master and extract. Note that the new version of the duo_openvpn.py script contains the text version = '2.1'.
Change directory to the one containing the extracted Duo integration files and build the plugin
make && sudo make install
The new Duo plugin is installed over the existing version in /opt/duo. 4. Restart the OpenVPN service
~~~~~ sudo service openvpn restart ~~~~~
Run this command:
/usr/local/openvpn_as/scripts/sacli ConfigQuery | grep -q DigiCert && echo 'Up to date.' || echo 'An upgrade is needed.'
IKEY = '<DUO INTEGRATION KEY HERE>' SKEY = '<DUO SECRET KEY HERE>' HOST = '<DUO API HOSTNAME HERE>'
cp duo_openvpn_as.py /usr/local/openvpn_as/scripts/
chmod a+x /usr/local/openvpn_as/scripts/duo_openvpn_as.py
/usr/local/openvpn_as/scripts/sacli -a *your_admin_username* -k auth.module.post_auth_script ConfigDel
/usr/local/openvpn_as/scripts/sacli -a *your_admin_username* -k auth.module.post_auth_script --value_file /usr/local/openvpn_as/scripts/duo_openvpn_as.py ConfigPut
/usr/local/openvpn_as/scripts/sacli -a admin_username Reset
For a single site WordPress installation, log in to the Site Admin console and click the Plugins link on the left-side menu. Your installed plugins are listed. Look at the Duo Two-Factor Authentication plugin in the list. The version of the plugin is listed in the description.
For a WordPress Multisite installation, log in to the Network Admin dashboard and click the Plugins link. Your installed plugins are listed. Look at the Duo Two-Factor Authentication plugin in the list. The version of the plugin is listed in the description.
Versions 2.2 or below of the WordPress application need to be updated.
When viewing the Duo Two-Factor Authentication plugin in the list on your site’s or network’s Plugins page, there will be a notification stating, "There is a new version of Duo Two-Factor Authentication available." Next to the notification there is an "update now" link. When you click the update link, WordPress will download the new version of the Duo plugin and install it into your site or network. When the installation is complete the new version of the plugin will be reactivated.
Return to the Plugins page, and look at the Duo Two-Factor Authentication plugin in the list again. The plugin version is updated to 2.3 or later.
Almost all of our customers are using Duo Unix instead of Native OpenSSH. If you think you might be using Native OpenSSH, read this section.
Almost all SSH integrations use either the
login_duo command or the pam_duo module to add Duo authentication. There is an alternate integration in which the Duo library is added to the SSH daemon itself using a patch for OpenSSH supplied by Duo. If you compiled Duo Unix please refer to the above instructions to upgrade. If you patched your SSH daemon you should pull the latest version of libduo from github and recompiled sshd.
You are using Duo Unix if the login_duo command appears in your sshd_config or your users' authorized_keys files or if the string
pam_duo appears in /etc/pam.d. You can check for pam_duo by running the command
grep pam_duo /etc/pam.d/*
You are using the native SSH integration if the string libduo appears in your sshd binary. You can check for this by running the command
grep libduo /path/to/sshd
Note: It is possible to have both Duo Unix and the native SSH integration installed on the same server.
The CA certificate list is compiled into libduo. You can check for the presence of the new certificates that shipped with version 2.1.0 and higher with grep.
grep 'H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe' /path/to/sshd
If the output is "Binary file /path/to/sshd matches" then the new certificates are present. If not, you will need to re-compile libduo.
The CA certificate list is compiled into libduo. To update it:
Duo Web and Duo Web SDK do not need to be updated at this time!
The Duo-provided code in Java, Ruby, Perl, and C# is not affected. If you implemented your own code for connecting to the Duo service and did not do CA pinning, you are also not affected.
If you installed duo_client_python from github as a library, the following will print out the version number:
python -c 'import duo_client ; print getattr(duo_client, "__version__")'
If this version number is 2.0, then please upgrade to the latest version from github. If you are using an earlier version or if the version number is "None" then the library API has changed. You will need to either port your code to the new version or copy in the new ca_certs.pem from https://github.com/duosecurity/duo_client_python/blob/master/duo_client/ca_certs.pem
If you're using the Duo-supplied Python code for calling Duo APIs (available at https://github.com/duosecurity/duo_client_python), please upgrade to version 2.1 or higher.
Depending on how you installed the example code or imported it into your product, you may also be able to copy the current ca_certs.pem file found at https://github.com/duosecurity/duo_client_python/blob/master/duo_client/ca_certs.pem into an older version.
Duo uses CA pinning to harden our integrations against attackers who may try to intercept communications between your applications and our service. "Pinning" means these integrations come with a minimal, built-in list of root certificate authorities who are the only CAs that will ever issue a SSL certificate to Duo. This significantly reduces the possibility of an attacker obtaining a fraudulent certificate to intercept communications.
No. Duo never provided any application software that included versions of OpenSSL vulnerable to the Heartbleed Bug. However, if your operating system or other software includes a copy of OpenSSL, we recommend you ensure it is up-to-date.
Duo’s cloud service was fully patched and protected against Heartbleed within hours of the vulnerability being publicly disclosed.