Duo can be easily added to any Unix system to protect remote (SSH) logins with the addition of a simple login_duo module. It has been tested on Linux (RedHat, Fedora, CentOS, Debian, Ubuntu, Amazon Linux), BSD (FreeBSD, NetBSD, OpenBSD), Solaris, and AIX. The code is open-source and available on GitHub.
Duo Network Gateway provides SSH access to internal hosts without a VPN or jump host with trusted endpoint detection and session awareness. Learn more.
Duo can be enabled on any Unix system with the addition of a simple login_duo utility.
We recommend deploying our pam_duo module with Pluggable Authentication Modules (PAM) support instead of login_duo in most scenarios for the most secure and customizable experience, especially if port forwarding and tunneling is used in your environment.
This integration communicates with Duo's service on TCP port 443. Also, we do not recommend locking down your firewall to individual IP addresses, since these may change over time to maintain our service's high availability.
Before starting:
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
login_duo PrerequisitesOpenSSL development headers and libraries are required for login_duo. When compiling on SUSE/SLES, the zlib package is also necessary.
| Dependency | Platform | Installation |
|---|---|---|
| OpenSSL | FreeBSD, NetBSD | Installed by default |
| Debian, Ubuntu | apt-get install libssl-dev |
|
| Red Hat, Fedora, CentOS, Amazon Linux | yum install openssl-devel |
|
| SUSE/SLES | zypper install libopenssl-devel |
|
| Solaris | pkg install openssl |
|
| AIX | 3rd party packages or source build | |
| zlib | SUSE/SLES | zypper install zlib-devel |
You also need a compiler like gcc installed on your system to build Duo Unix.
login_duoOnce the required dependencies are built and installed, download, build, and install duo_unix.
Download and extract the latest version of duo_unix (checksum). Change to the extracted directory (note your actual extracted directory name reflects the actual version downloaded; the example syntax below references version 1.10.5). View checksums for Duo downloads here.
$ wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
$ tar zxf duo_unix-latest.tar.gz
$ cd duo_unix-1.10.5
Build and install duo_unix.
$ ./configure --prefix=/usr && make && sudo make installFor advanced build options, see the README file in the source tarball.
Once duo_unix is installed, edit login_duo.conf
(in /etc/duo or /etc/security) to add the integration key, secret key, and API hostname from your Duo Unix application.
[duo]
; Duo integration key
ikey = INTEGRATION_KEY
; Duo secret key
skey = SECRET_KEY
; Duo API hostname
host = API_HOSTNAMEYou may also add optional Duo configuration options to login_duo.conf. See the table in Duo Configuration Options for all available settings.
login_duoAs a regular user, test login_duo manually by running
$ /usr/sbin/login_duoOn some systems, you may instead have to run /usr/local/sbin/login_duo.
If everything is set up correctly, you'll be given an enrollment link and prompted to enroll:
Visit the URL, enroll your phone, and then try login_duo again, this time adding a command to run after authentication is complete:
$ /usr/sbin/login_duo echo 'YOU ROCK!'You should see something like this:
If you are having trouble with these steps, or if you aren't getting a Duo login prompt, try running login_duo with the -d flag to enable debug output.
login_duoTo protect remote access via SSH, use login_duo.
To enable two-factor authentication for any SSH login method (password, pubkey, etc.) for any user, edit your sshd_config (usually
in /etc or /etc/ssh) to add the following line:
This feature is only available with OpenSSH 4.4+.
ForceCommand /usr/sbin/login_duoThis ForceCommand directive instructs sshd to run login_duo (to perform two-factor authentication) before any other requested commands. However, according to the sshd documentation: "The command is invoked by using the user's login shell with the -c option." This means that shell rc files (e.g. .bashrc, .cshrc, etc.) execute before login_duo; if users can edit these files, they may be able to disable Duo authentication for their own accounts. Keep in mind that ForceCommand also disables command=. Mitigate these issues by deploying pam_duo instead of login_duo.
We strongly recommend that you disable PermitTunnel and AllowTcpForwarding in your sshd_config when using login_duo to protect SSH logins. Since OpenSSH sets up port forwarding and tunneling before Duo's two-factor challenge, an attacker may be able to access internal services via port forwarding before completing secondary authentication. Adding the following lines to your sshd_config will prevent this scenario:
PermitTunnel no
AllowTcpForwarding noYou can also optionally limit two-factor authentication to a subset of users whose primary or supplementary group is specified in
login_duo.conf. For example:
group = wheelIf you'd like to enable Duo only for specific accounts using SSH pubkeys, use the command option in those users' authorized_keys instead. For example, to verify each admin authorized to log into a shared root account, your ~/.ssh/authorized_keys might look something like this:
command="/usr/sbin/login_duo -f user1" ssh-dss FRP...FD== user1@company
command="/usr/sbin/login_duo -f user2" ssh-dss YUX...IO== user2@companyNow restart the SSH service.
This also works for user-local installations (e.g. in $HOME/bin) without root access — just specify the location of login_duo.conf with the -c flag.
To more easily install and maintain Duo Unix deployments, we've built Linux packages for a variety of popular distributions. These packages are tested against the specific listed versions of their respective distributions. Please test all packages thoroughly prior to deploying them into your environment to ensure a great experience.
The Duo GPG key available prior to August 27, 2018 has an expiration date of September 4th, 2018. You can identify this key by looking for the string Version: GnuPG v1.4.5 (GNU/Linux). If you have the old GPG key, be sure to download the new GPG key before downloading updated packages. The new GPG key contains the string Version: GnuPG v2.0.22 (GNU/Linux).
CentOS
Tested against 5.11 32/64-bit, 6.7 32/64-bit, and 7.1 64-bit
IMPORTANT: Duo Unix 1.10.5 is the last release with CentOS 5 support.
Create /etc/yum.repos.d/duosecurity.repo with the following contents:
[duosecurity]
name=Duo Security Repository
baseurl=http://pkg.duosecurity.com/CentOS/$releasever/$basearch
enabled=1
gpgcheck=1Execute the following shell commands:
# rpm --import https://duo.com/RPM-GPG-KEY-DUO
# yum install duo_unix
Ubuntu
Tested against 12.04.5 32/64-bit, 14.04.3 32/64-bit, and 18.04 32/64-bit
Create /etc/apt/sources.list.d/duosecurity.list with the following contents:
deb http://pkg.duosecurity.com/Ubuntu precise mainor
deb http://pkg.duosecurity.com/Ubuntu trusty mainExecute the following shell commands:
# curl -s https://duo.com/APT-GPG-KEY-DUO | sudo apt-key add -
# apt-get update && apt-get install duo-unix
Red Hat Enterprise Linux
Tested against 5.10 32/64-bit, 6.4 32/64-bit, and 7.0 64-bit
Create /etc/yum.repos.d/duosecurity.repo with the following contents:
[duosecurity]
name=Duo Security Repository
baseurl=http://pkg.duosecurity.com/RedHat/$releasever/$basearch
enabled=1
gpgcheck=1Execute the following shell commands:
# rpm --import https://duo.com/RPM-GPG-KEY-DUO
# yum install duo_unix
Debian
Tested against 6.0.10 32/64-bit, 7.9 32/64-bit, and 8.2 32/64-bit
Create /etc/apt/sources.list.d/duosecurity.list with the following contents:
deb http://pkg.duosecurity.com/Debian squeeze mainor
deb http://pkg.duosecurity.com/Debian wheezy mainor
deb http://pkg.duosecurity.com/Debian jessie mainExecute the following shell commands:
# curl -s https://duo.com/APT-GPG-KEY-DUO | sudo apt-key add -
# apt-get update && apt-get install duo-unix
Need some help? Take a look at the Duo UNIX Frequently Asked Questions (FAQ) page or try searching our Duo UNIX Knowledge Base articles or Community discussions. For further assistance, contact Support.
The login_duo.conf configuration files use the INI format. It can take the following options:
| Key | Required? | Description | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
ikey
|
Required | Your integration key | ||||||||
skey
|
Required | Your secret key | ||||||||
host
|
Required |
Your API hostname i.e. api-XXXXXXXX.duosecurity.com
|
||||||||
groups
|
Optional |
If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern lists. A pattern consists of zero or more non-whitespace characters, " A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark ("
|
||||||||
failmode
|
Optional |
On service or configuration errors that prevent Duo authentication, fail "safe" (allow access) or "secure" (deny access). The default is "safe". |
||||||||
pushinfo
|
Optional |
Include information such as the command to be executed in the Duo Push message. Either "yes" or "no". The default is "no". |
||||||||
http_proxy
|
Optional |
Use the specified HTTP proxy, same format as the |
||||||||
autopush
|
Optional |
Either "yes" or "no". Default is "no". If "yes", Duo Unix will automatically send a push login request to the user's phone, falling back on a phone call if push is unavailable. Note that this effectively disables passcode authentication. If "no", the user will be prompted to choose an authentication method. When configured with |
||||||||
motd
|
Optional |
Print the contents of This option is only available for |
||||||||
prompts
|
Optional |
If a user fails to authenticate with a second factor, Duo Unix will prompt the user to authenticate again. This option sets the maximum number of prompts that Duo Unix will display before denying access. Must be 1, 2, or 3. Default is 3. For example, when When configured with |
||||||||
accept_env_factor
|
Optional |
Look for factor selection or passcode in the The SSH client will need Example:
You can also add a number to the end of these factor names if you have more than one device registered. For example, push2 will send a login request to your second phone, phone3 will call your third phone, etc. Default is This option is only available for |
||||||||
fallback_local_ip
|
Optional |
Duo Unix reports the IP address of the authorizing user, for the purposes of authorization and whitelisting. If Duo Unix cannot detect the IP address of the client, setting If you are using IP whitelisting ([Authorized Networks](/docs/remembered_devices#configuring-authorized-networks)), enabling this option could cause unauthorized logins if the local IP is listed in the whitelist. |
||||||||
https_timeout
|
Optional |
Set to the number of seconds to wait for HTTPS responses from Duo Security. If Duo Security takes longer than the configured number of seconds to respond to the preauth API call, the configured failmode is triggered. Other network operations such as DNS resolution, TCP connection establishment, and the SSL handshake have their own independent timeout and retry logic. Default is 0, which disables the HTTPS timeout. |
Example configuration file with additional options:
[duo]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=X1hXztPX1rb1X71x1wXkpnmXXvqXXXqqj1XoXbbXu
host=api-xxxxxxxx.duosecurity.com
pushinfo=yes
autopush=yes
For more information, see the man page for login_duo.
