
June 2014 Application Software Upgrade

Last Updated: April 3rd, 2019

We have switched over our certificates. If you are experiencing connectivity issues to Duo's servers and/or are failing to authenticate with two-factor, confirm that every Duo application in use is newer than the affected versions listed below. Details of the required upgrades and the steps to remediate are in the instructions below.

Note: This upgrade is unrelated to the recent OpenSSL Heartbleed vulnerability.

Overview

Occasionally we notify customers to upgrade their installed software to fix issues and add new functionality. In this particular case, failing to upgrade by June 30, 2014 will cause your protected services for the applications listed below to become unavailable (note that only certain versions are impacted):

  • Duo Authentication Proxy: Version 2.3.2 or below. This proxy is used by the following application types:
    • Generic RADIUS proxy
    • Generic LDAP proxy
    • Array SSL VPN
    • Barracuda SSL VPN
    • Cisco ASA IPSec VPN (If configured using the Duo Authentication Proxy)
    • Cisco ASA SSL VPN (If configured using the Duo Authentication Proxy)
    • Citrix Access Gateway
    • Citrix NetScaler
    • F5 BIG-IP APM
    • F5 FirePass SSL VPN
    • Fortinet FortiGate SSL VPN
    • Microsoft Active Directory Synchronization
    • Microsoft RRAS
    • Microsoft TMG
    • Microsoft UAG
    • Netmotion Mobility XE
    • Palo Alto SSL VPN
    • SonicWALL SRA SSL VPN
    • VMWare View
    • Juniper UAC
    • Juniper SSL VPN (If configured using the Duo Authentication Proxy)
  • Duo Unix: Versions 1.9.5 or below
  • Duo OpenVPN: Version 2.0 or below
  • Duo OpenVPN Access Server (AS): Version 2.0 or below
  • Duo OpenSSH: Native integration version 2.0 or below
  • Duo WordPress Plugin: Version 2.2 or below
  • Duo Auth API, Verify API, Admin API, and Accounts API: Only customers using Version 2.0 (or below) of the Duo-supplied Python code or C code to call Duo APIs are impacted.

Application software not listed above does not need to be upgraded at this time (e.g. Microsoft Windows Credential Provider and Microsoft ADFS).

Read on for additional information as to why this upgrade is mandatory and for step-by-step upgrade instructions for each of the impacted applications.

Why do we need to upgrade our application software?

Every application communicates with Duo’s service over SSL. Several applications add an additional layer of protection to SSL by implementing Certificate Authority (CA) pinning. Due to changes in agreements between certificate authorities and evolving best practices in the industry, Duo is updating our list of trusted certificates.

Our old list will no longer be supported by certificate authorities in July 2014. The new list also contains stronger certificates for increased resilience against attack.

What will happen if I don't upgrade?

The applications listed above will no longer be able to perform authentication or connect to Duo’s service after June 30, 2014.

I am ready to get started! What do I do?

Listed below are step-by-step instructions to verify your current software version and to perform the upgrade.

Duo Authentication Proxy

How can I verify what version of Duo Authentication Proxy I am running?

The current version number is logged to the authproxy.log file when the process starts. It looks like the following:

2014-04-01 01:02:03-0400 [-] Duo Security Authentication Proxy 2.3.3 - Init Complete

If the logged version number is below 2.3.3, or if no Authentication Proxy version number appears in the log at all, upgrade to the latest release by following the Windows or Unix instructions below (each gives the download link).
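The check above is easy to get wrong by hand when a log spans several restarts or when comparing versions as strings (2.10 sorts before 2.3 as text). The following is an added example, not Duo's code, that reads an authproxy.log, takes the most recent "Init Complete" banner, and compares it numerically against 2.3.3; a log with no banner at all is treated as needing the upgrade, exactly as the page says. The sample log lines other than the banner itself are constructed for the example.

```python
"""Check an Authentication Proxy log for the startup version banner (added example)."""
import re

# First release that ships the updated CA list (the page lists 2.3.2 and below as affected).
MINIMUM_VERSION = (2, 3, 3)

# Matches the banner the proxy writes at startup, e.g.
# "2014-04-01 01:02:03-0400 [-] Duo Security Authentication Proxy 2.3.3 - Init Complete"
INIT_BANNER = re.compile(
    r"Duo Security Authentication Proxy (\d+(?:\.\d+)+) - Init Complete"
)


def parse_version(text):
    """'2.4.2' -> (2, 4, 2); tuples compare numerically, so 2.10.0 > 2.3.3."""
    return tuple(int(part) for part in text.split("."))


def latest_logged_version(lines):
    """Version from the most recent 'Init Complete' banner, or None if the log has none."""
    version = None
    for line in lines:
        match = INIT_BANNER.search(line)
        if match:
            version = parse_version(match.group(1))  # keep the last banner seen
    return version


def needs_upgrade(lines, minimum=MINIMUM_VERSION):
    """True when the proxy must be upgraded: no banner at all, or a banner below the minimum."""
    version = latest_logged_version(lines)
    return version is None or version < minimum


# Constructed sample logs; only the banner format comes from the page.
OLD_LOG = [
    "2014-04-01 01:02:03-0400 [-] Log opened.",
    "2014-04-01 01:02:03-0400 [-] Duo Security Authentication Proxy 2.3.2 - Init Complete",
]
UPGRADED_LOG = OLD_LOG + [
    "2014-06-15 09:00:00-0400 [-] Duo Security Authentication Proxy 2.4.2 - Init Complete",
]
NO_BANNER_LOG = [
    "2014-04-01 01:02:03-0400 [-] Log opened.",
    "2014-04-01 01:02:04-0400 [-] Starting RADIUS server (constructed line)",
]

if __name__ == "__main__":
    import sys
    # Usage: python check_authproxy_version.py /opt/duoauthproxy/log/authproxy.log
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = UPGRADED_LOG
    found = latest_logged_version(lines)
    print("logged version:", ".".join(map(str, found)) if found else "none")
    print("upgrade needed" if needs_upgrade(lines) else "up to date")
```

Point it at the authproxy.log path from the table below for your platform; a rotated log with no banner in it is reported as needing an upgrade, so run it against the log that covers the last service start.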

What will happen to my running Authentication Proxy configuration?

The Authentication Proxy installers will preserve your current configuration and log files when upgrading to the latest release. If you would like to make a backup copy before running the upgrade the relevant directories are:

OS              Path
Windows 64-bit  C:\Program Files (x86)\Duo Security Authentication Proxy\log
                C:\Program Files (x86)\Duo Security Authentication Proxy\conf
Windows 32-bit  C:\Program Files\Duo Security Authentication Proxy\log
                C:\Program Files\Duo Security Authentication Proxy\conf
Linux           /opt/duoauthproxy/conf
                /opt/duoauthproxy/log

How do I upgrade my Windows-based Duo Authentication Proxy?

  1. Download the Authentication Proxy version 2.4.2 release for Windows from https://dl.duosecurity.com/duoauthproxy-latest.exe.
  2. Launch the Authentication Proxy installer (close the Event Viewer first if you have it open) and follow the prompts. The existing Authentication Proxy software is removed and the latest version is installed. The conf and log folders from your current installation are retained.
  3. Start the Authentication Proxy service. From an administrator command prompt run
net start duoauthproxy

How do I upgrade my Unix-based Duo Authentication Proxy?

  1. Download the Authentication Proxy 2.4.2 release for Unix from https://dl.duosecurity.com/duoauthproxy-latest-src.tgz. Note that the actual filename will reflect the version e.g. duoauthproxy-2.4.2-src.tgz.
  2. Extract the Authentication Proxy files

    tar xzf duoauthproxy-2.4.2-src.tgz
    

    and change directory to the extracted source

    cd duoauthproxy-2.4.2-src
    
  3. Set the PYTHON environment variable to the command used to run Python, e.g. python, python26, etc.

    export PYTHON=python
    
  4. Run make to build the Authentication Proxy installer.
  5. Change directory to the newly built installer

    cd duoauthproxy-build
    

    and run the installer

    ./install
    
  6. Follow the installation prompts. The conf and log folders from your current installation are retained.
  7. Start the new Authentication Proxy service

    /opt/duoauthproxy/bin/authproxyctl start
    

Duo Unix

Duo Unix defaults to failmode safe, which allows login if Duo's servers cannot be reached. If you configured failmode secure instead and can no longer log in to the machine to perform the upgrade, use single-user mode or physical root access to upgrade the Duo Unix integration.

How can I verify what version of Duo Unix I am running ?

  1. Run this command:

    $ login_duo -v
    
  2. If the version number is 1.9.5 or below (or if running the above command produces the error shown below) please upgrade to the latest version by following the instructions below.

    login_duo: invalid option -- 'v'
    

If instead you encountered an error such as: “login_duo: symbol lookup error: login_duo: undefined symbol: duo_debug”, please follow these instructions from our troubleshooting guide, and then proceed to follow the upgrade steps below.

How do I upgrade my Duo Unix installation...

...if I compiled it myself?

Download the latest version of Duo Unix, available here: https://dl.duosecurity.com/duo_unix-latest.tar.gz.

Build and install with the following commands (note that you must use the same --prefix that Duo Unix was originally configured with, if it differs from /usr):

$ tar zxf duo_unix-1.9.18.tar.gz
$ cd duo_unix-1.9.18
$ ./configure --prefix=/usr && make && sudo make install

Your existing login_duo.conf and pam_duo.conf will not be overwritten.

...if I downloaded it from a non-Duo repo?

Backup login_duo.conf and/or pam_duo.conf with:

$ cp /etc/duo/login_duo.conf ~/login_duo.conf.bak
$ cp /etc/duo/pam_duo.conf ~/pam_duo.conf.bak

Remove the old package through the package manager for your system, for example:

On Ubuntu or Debian-based distros:

$ apt-get remove login-duo

On CentOS or RedHat-based distros:

$ yum remove login-duo

Add the Duo repo and execute the commands from the list here: /docs/duounix#linux-distribution-packages

Move your backed-up configuration files back into place:

$ mv ~/login_duo.conf.bak /etc/duo/login_duo.conf  
$ mv ~/pam_duo.conf.bak /etc/duo/pam_duo.conf

...if I downloaded it from the Duo repo?

Run the update commands appropriate to your distribution (e.g. apt-get, yum).

Duo OpenVPN

How can I tell if I need to upgrade my OpenVPN installation?

Run this command:

grep -q DigiCert /opt/duo/ca_certs.pem && echo 'Up to date.' || echo 'An upgrade is needed.'

How do I update OpenVPN?

  1. Create a backup copy of the /opt/duo directory and contents.
  2. Download the newest version of the OpenVPN integration at https://github.com/duosecurity/duo_openvpn/tarball/master and extract. Note that the new version of the duo_openvpn.py script contains the text version = '2.1'.
  3. Change directory to the one containing the extracted Duo integration files and build the plugin

    make && sudo make install
    

    The new Duo plugin is installed over the existing version in /opt/duo.

  4. Restart the OpenVPN service

    sudo service openvpn restart
    

Duo OpenVPN AS

How can I tell if I need to upgrade my OpenVPN AS installation?

Run this command:

/usr/local/openvpn_as/scripts/sacli ConfigQuery  | grep -q DigiCert && echo 'Up to date.' || echo 'An upgrade is needed.'

How do I update OpenVPN AS?

  1. Back up your current /usr/local/openvpn_as/scripts/duo_openvpn_as.py file
  2. Download the newest version of the OpenVPN AS integration at https://github.com/duosecurity/duo_openvpn_as/tarball/master and extract. Note that the new version of the py script contains the text version = '2.1' .
  3. Edit the freshly downloaded and extracted duo_openvpn_as.py script to add the IKEY, SKEY, and HOST for your OpenVPN AS application where prompted. Fill in your application credentials on the following three lines:

    IKEY = '<DUO INTEGRATION KEY HERE>'
    SKEY = '<DUO SECRET KEY HERE>'
    HOST = '<DUO API HOSTNAME HERE>'

    Note that the edited script now contains your application's secret key, so do not make it world-readable.

  4. Copy the edited Python script to the OpenVPN AS scripts directory:

    cp duo_openvpn_as.py /usr/local/openvpn_as/scripts/

  5. Fix the permissions on the copied script:

    chmod a+x /usr/local/openvpn_as/scripts/duo_openvpn_as.py

  6. Delete the currently configured post-auth script:

    /usr/local/openvpn_as/scripts/sacli -a *your_admin_username* -k auth.module.post_auth_script ConfigDel

  7. Add the new version of the Duo script as the post-auth script:

    /usr/local/openvpn_as/scripts/sacli -a *your_admin_username* -k auth.module.post_auth_script --value_file /usr/local/openvpn_as/scripts/duo_openvpn_as.py ConfigPut

  8. Restart the OpenVPN AS server:

    /usr/local/openvpn_as/scripts/sacli -a *your_admin_username* Reset

WordPress

How can I tell if I need to upgrade my WordPress installation?

For a single site WordPress installation, log in to the Site Admin console and click the Plugins link on the left-side menu. Your installed plugins are listed. Look at the Duo Two-Factor Authentication plugin in the list. The version of the plugin is listed in the description.

For a WordPress Multisite installation, log in to the Network Admin dashboard and click the Plugins link. Your installed plugins are listed. Look at the Duo Two-Factor Authentication plugin in the list. The version of the plugin is listed in the description.

Versions 2.2 or below of the Duo WordPress plugin need to be updated.

How do I update WordPress?

When viewing the Duo Two-Factor Authentication plugin in the list on your site’s or network’s Plugins page, there will be a notification stating, “There is a new version of Duo Two-Factor Authentication available.” Next to the notification there is an “update now” link. When you click the update link, WordPress will download the new version of the Duo plugin and install it into your site or network. When the installation is complete the new version of the plugin will be reactivated.

Return to the Plugins page, and look at the Duo Two-Factor Authentication plugin in the list again. The plugin version is updated to 2.3 or later.

Native OpenSSH

How can I determine if I am using Duo Unix or Native OpenSSH?

Almost all of our customers are using Duo Unix instead of Native OpenSSH. If you think you might be using Native OpenSSH, read this section.

Almost all SSH integrations use either the login_duo command or the pam_duo module to add Duo authentication. There is an alternate integration in which the Duo library is added to the SSH daemon itself using a patch for OpenSSH supplied by Duo. If you compiled Duo Unix, refer to the instructions above to upgrade. If you patched your SSH daemon, pull the latest version of libduo from GitHub and recompile sshd.

You are using Duo Unix if the login_duo command appears in your sshd_config or your users' authorized_keys files or if the string pam_duo appears in /etc/pam.d. You can check for pam_duo by running the command

grep pam_duo /etc/pam.d/*

You are using the native SSH integration if the string libduo appears in your sshd binary. You can check for this by running the command

grep libduo /path/to/sshd

Note: It is possible to have both Duo Unix and the native SSH integration installed on the same server.

How can I tell if I need to upgrade Native OpenSSH (not Duo Unix)?

The CA certificate list is compiled into libduo. You can check for the presence of the new certificates that shipped with version 2.1.0 and higher with grep.

grep 'H2sMNgcWfzd8qVttevESRmCD1ycEvkvOl77DZypoEd+A5wwzZr8TDRRu838fYxAe' /path/to/sshd

If the output is "Binary file /path/to/sshd matches" then the new certificates are present. If not, you will need to re-compile libduo.

How do I upgrade Native OpenSSH?

The CA certificate list is compiled into libduo. To update it:

  1. Check out or pull the latest version of libduo from github: https://github.com/duosecurity/libduo
  2. Recompile libduo using the instructions found here: /docs/nativessh.
  3. If you have an existing copy of the compiled sources, please run make clean first to ensure any binaries using the old version of libduo are replaced.
  4. Recompile and re-install sshd using the instructions found here: /docs/nativessh. Be sure to use the same configuration (ikey, skey, host, fail open, and proxy if any) that was used when sshd was previously compiled. We do not recommend reusing the same OpenSSH source directory you used to build OpenSSH with an older version of libduo, as reversing previously applied patches from the source can be problematic.

Duo APIs

Note:

Duo Web and Duo Web SDK do not need to be updated at this time!

I use the Duo Auth API, Verify API, Admin API, or Accounts API. Am I affected?

The Duo-supplied Python module (duo_client_python) and C library (libduo) for calling Duo APIs are affected.

The Duo-provided code in Java, Ruby, Perl, and C# is not affected. If you implemented your own code for connecting to the Duo service and did not do CA pinning, you are also not affected.

How can I tell if I need to upgrade duo_client_python?

If you installed duo_client_python from github as a library, the following will print out the version number:

python -c 'import duo_client; print(getattr(duo_client, "__version__", None))'

If this prints 2.0, upgrade to the latest version from GitHub. If it prints an earlier version, or None (the attribute is absent in old copies), the library API has changed since your version; you will need to either port your code to the new version or copy the new ca_certs.pem from https://github.com/duosecurity/duo_client_python/blob/master/duo_client/ca_certs.pem into your existing copy.

How do I upgrade my code that uses duo_client_python?

If you're using the Duo-supplied Python code for calling Duo APIs (available at https://github.com/duosecurity/duo_client_python), please upgrade to version 2.1 or higher.

Depending on how you installed the example code or imported it into your product, you may also be able to copy the current ca_certs.pem file found at https://github.com/duosecurity/duo_client_python/blob/master/duo_client/ca_certs.pem into an older version.

FAQ

What is Certificate Authority (CA) pinning?

Duo uses CA pinning to harden our integrations against attackers who may try to intercept communications between your applications and our service. "Pinning" means these integrations ship with a minimal, built-in list of root certificate authorities, which are the only CAs that will ever issue an SSL certificate to Duo; the operating system's own trust store is not consulted. This significantly reduces the possibility of an attacker obtaining a fraudulent certificate from some other CA to intercept communications.

Learn more about Certificate and Public Key Pinning
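The checks elsewhere on this page confirm a bundle is current by grepping it for the string DigiCert, or the sshd binary for a base64 fragment; that works for this one upgrade but tells you nothing about which roots a bundle actually pins. The following is an added example, not Duo's code, serving both the duo_client_python section above (is the ca_certs.pem I copied in the one I expect?) and this FAQ: it decodes every certificate in a PEM bundle, reports SHA-256 fingerprints, checks that a required set of pins is present, and builds a TLS client context that trusts only that bundle rather than the OS store. The sample bundle is constructed from placeholder bytes, not real certificates, so pinned_context() is shown but only runs against a bundle of genuine roots such as the real ca_certs.pem; the expected fingerprint is simply SHA-256 of the bytes "abc".

```python
"""Verify which roots a PEM CA bundle pins, by SHA-256 fingerprint (added example)."""
import base64
import hashlib
import re
import ssl

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def der_certificates(pem_text):
    """Every certificate in the bundle as raw DER bytes; comments and headers are ignored."""
    return [base64.b64decode("".join(body.split())) for body in PEM_CERT.findall(pem_text)]


def fingerprints(pem_text):
    """Set of lowercase hex SHA-256 fingerprints of the certificates in the bundle."""
    return {hashlib.sha256(der).hexdigest() for der in der_certificates(pem_text)}


def missing_pins(pem_text, required):
    """Required fingerprints the bundle does NOT contain; an empty set means it is current."""
    return set(required) - fingerprints(pem_text)


def pinned_context(cafile):
    """TLS client context that trusts only the roots in cafile, never the OS trust store.
    This is the CA pinning the FAQ describes: verification required, hostname checked,
    and a trust store consisting solely of the integration's own bundle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.load_verify_locations(cafile=cafile)       # no load_default_certs(): only these roots
    return ctx


# Constructed bundle: the two "certificates" are the bytes b"abc" and b"hello", not X.509 data,
# so only the fingerprint functions are run on it.
SAMPLE_BUNDLE = """\
# Example root 1 (constructed)
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
# Example root 2 (constructed)
-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
"""

# SHA-256 of b"abc": the pin we expect the sample bundle to carry.
EXPECTED_PIN = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

if __name__ == "__main__":
    import sys
    # Usage: python check_bundle.py /path/to/ca_certs.pem  (defaults to the sample bundle)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for fp in sorted(fingerprints(text)):
        print(fp)
    gap = missing_pins(text, {EXPECTED_PIN})
    print("bundle is current" if not gap else "missing pins: " + ", ".join(sorted(gap)))
```

To use it on a real bundle, replace EXPECTED_PIN with the SHA-256 fingerprints of the roots you expect (for example as printed by `openssl x509 -in root.pem -noout -fingerprint -sha256`, lowercased and with the colons removed); a pin mismatch after an upgrade is a stronger signal than a string match that the wrong file was copied into place.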

Does this have anything to do with the recent Heartbleed Bug?

No. Duo never provided any application software that included versions of OpenSSL vulnerable to the Heartbleed Bug. However, if your operating system or other software includes a copy of OpenSSL, we recommend you ensure it is up-to-date.

Duo’s cloud service was fully patched and protected against Heartbleed within hours of the vulnerability being publicly disclosed.

Read our Response to OpenSSL Heartbleed