2FA with Active Directory managed Linux (RHEL7) machines

I’m trying to integrate DUO 2FA on RHEL7 machines managed by Active Directory through SSSD. Once I’ve ensured users can SSH into the machine using AD credentials, I then

  1. Install duoauthproxy following instructions at LDAP | Duo Security
  2. Install duo PAM following instructions at Duo Unix - Two-Factor Authentication for SSH | Duo Security, except that I do not make any changes to the PAM configuration
  3. modify the config files so that they read:

/etc/pam.d/system-auth

auth       required pam_env.so
auth       required pam_faildelay.so delay=2000000
auth       [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth       [default=1 ignore=ignore success=ok] pam_localuser.so
auth       requisite pam_unix.so nullok try_first_pass
auth       requisite pam_succeed_if.so uid >= 1000 quiet_success
auth       requisite pam_sss.so forward_pass          # Changed sufficient to requisite
auth       sufficient pam_duo.so                      # Added <======================== 
auth       required pam_deny.so

account    required pam_unix.so
account    sufficient pam_localuser.so
account    sufficient pam_succeed_if.so uid < 1000 quiet
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account    required pam_permit.so

password   requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password   sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password   sufficient pam_sss.so use_authtok
password   required pam_deny.so

session    optional pam_keyinit.so revoke
session    required pam_limits.so
-session   optional pam_systemd.so
session    optional pam_oddjob_mkhomedir.so umask=0077
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required pam_unix.so
session    optional pam_sss.so

/etc/pam.d/password-auth

auth       required pam_env.so
auth       required pam_faildelay.so delay=2000000
auth       [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth       [default=1 ignore=ignore success=ok] pam_localuser.so
auth       requisite pam_unix.so nullok try_first_pass
auth       requisite pam_succeed_if.so uid >= 1000 quiet_success
auth       requisite pam_sss.so forward_pass   # Changed sufficient to requisite
auth       sufficient pam_duo.so  # Added <======================== 
auth       required pam_deny.so

account    required pam_unix.so
account    sufficient pam_localuser.so
account    sufficient pam_succeed_if.so uid < 1000 quiet
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account    required pam_permit.so

password   requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password   sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password   sufficient pam_sss.so use_authtok
password   required pam_deny.so

session    optional pam_keyinit.so revoke
session    required pam_limits.so
-session   optional pam_systemd.so
session    optional pam_oddjob_mkhomedir.so umask=0077
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required pam_unix.so
session    optional pam_sss.so

Important bits in /etc/ssh/sshd_config

PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive

DUO doesn’t get triggered, i.e., users can log in using AD credentials as before, as if DUO weren’t installed at all. What am I missing here?
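The question turns on which line of the auth stack a given user actually reaches, and that is decided by Linux-PAM's control-flag rules (required/requisite/sufficient and the bracketed [default=1 ...] jumps). The evaluator below is an added example, not code from the original post or from Duo: it parses the auth section of the password-auth stack posted above (embedded as a constructed copy) and replays pam.conf(5)'s dispatch semantics for three kinds of user. The return codes the modules produce for each user (pam_localuser denying an AD account, pam_sss not knowing a local account, pam_duo succeeding or failing) are assumptions written into the scenario tables, and a taken jump is modelled as "skip N lines and contribute nothing".

```python
import re

# pam.conf(5): what the simple control keywords expand to.
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Constructed copy of the auth section of the password-auth file in the question.
PASSWORD_AUTH = """
auth       required pam_env.so
auth       required pam_faildelay.so delay=2000000
auth       [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth       [default=1 ignore=ignore success=ok] pam_localuser.so
auth       requisite pam_unix.so nullok try_first_pass
auth       requisite pam_succeed_if.so uid >= 1000 quiet_success
auth       requisite pam_sss.so forward_pass
auth       sufficient pam_duo.so
auth       required pam_deny.so
"""

LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse_stack(text, kind="auth"):
    """Return [(control_table, module, args)] for one management group."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != kind:
            continue
        ctl, module, args = m.group(2), m.group(3), m.group(4)
        table = (dict(kv.split("=", 1) for kv in ctl[1:-1].split())
                 if ctl.startswith("[") else KEYWORDS[ctl])
        stack.append((table, module, args))
    return stack

def module_result(module, args, user):
    """Assumed return code of a module for `user` (assumption, not real PAM).
    pam_succeed_if's uid tests and pam_deny are interpreted; everything else
    comes from the user's `results` table and defaults to success."""
    if module == "pam_deny.so":
        return "auth_err"
    if module == "pam_succeed_if.so":
        m = re.match(r"uid\s*(>=|<)\s*(\d+)", args)
        if m:
            n = int(m.group(2))
            passed = user["uid"] >= n if m.group(1) == ">=" else user["uid"] < n
            return "success" if passed else "auth_err"
    return user["results"].get(module, "success")

def evaluate(stack, user):
    """Replay Linux-PAM's dispatch rules over `stack` for `user`.
    Returns (stack_result, modules_actually_called). A taken jump (default=N)
    skips N lines and contributes nothing to the result (assumption)."""
    impression, status = None, None      # None, "positive" or "negative"
    called, i = [], 0
    while i < len(stack):
        table, module, args = stack[i]
        called.append(module)
        ret = module_result(module, args, user)
        action = table.get(ret, table.get("default", "bad"))
        i += 1
        if action.isdigit():
            i += int(action)
        elif action in ("ok", "done"):
            # ok/done only override a stack that is still undecided or succeeding
            if (impression is None or (impression, status) == ("positive", "success")) and ret != "ignore":
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break                        # sufficient: return to sshd now
        elif action in ("bad", "die"):
            if impression != "negative":     # first failure wins
                impression, status = "negative", ret
            if action == "die":
                break                        # requisite: stop here
        elif action == "reset":
            impression, status = None, None
    return status or "perm_denied", called

# Scenarios: assumed module outcomes for three kinds of user (constructed).
AD_USER      = {"uid": 12345, "results": {"pam_localuser.so": "perm_denied", "pam_duo.so": "success"}}
AD_DUO_FAILS = {"uid": 12345, "results": {"pam_localuser.so": "perm_denied", "pam_duo.so": "auth_err"}}
LOCAL_USER   = {"uid": 1001,  "results": {"pam_sss.so": "user_unknown"}}

if __name__ == "__main__":
    stack = parse_stack(PASSWORD_AUTH)
    for name, user in [("AD user", AD_USER), ("AD user, Duo denies", AD_DUO_FAILS), ("local user", LOCAL_USER)]:
        result, called = evaluate(stack, user)
        print(f"{name:20} -> {result:12} via {' > '.join(called)}")
```

Under those assumed return codes the AD path skips pam_unix (the failed pam_localuser jumps over it), passes the requisite pam_sss line and lands on pam_duo, so the posted file does route AD users into Duo and a Duo denial falls through to pam_deny. The same run shows that a local account with uid >= 1000 dies at the requisite pam_sss line before Duo is ever consulted, which is worth confirming with pamtester (pamtester sshd someuser authenticate) before rolling the stack out. If Duo still never prompts, check the stack sshd really executes rather than this file in isolation: /etc/pam.d/sshd must pull these lines in, sshd_config needs UsePAM yes for keyboard-interactive to go through PAM at all, and AuthenticationMethods keyboard-interactive on its own refuses public-key logins, so every session will take this path.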

Try with pam_duo in /etc/pam.d/sshd, e.g.:

#%PAM-1.0
auth       required  pam_sepermit.so
# auth       substack     password-auth
auth       required   pam_env.so
auth       sufficient pam_duo.so
auth       required   pam_deny.so
auth       include      postlogin