2FA with Active Directory managed Linux (RHEL7) machines

moazzem
Level 1

I’m trying to integrate Duo 2FA on RHEL7 machines managed by Active Directory through SSSD. Once I’ve ensured users can SSH into the machine using AD credentials, I then:

  1. Install duoauthproxy following the instructions at LDAP | Duo Security
  2. Install the Duo PAM module following the instructions at Duo Unix - Two-Factor Authentication for SSH | Duo Security, except that I do not make any change to the PAM configuration
  3. Modify the config files as follows:

/etc/pam.d/system-auth

auth       required pam_env.so
auth       required pam_faildelay.so delay=2000000
auth       [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth       [default=1 ignore=ignore success=ok] pam_localuser.so
auth       requisite pam_unix.so nullok try_first_pass
auth       requisite pam_succeed_if.so uid >= 1000 quiet_success
auth       requisite pam_sss.so forward_pass          # Changed sufficient to requisite
auth       sufficient pam_duo.so                      # Added <======================== 
auth       required pam_deny.so

account    required pam_unix.so
account    sufficient pam_localuser.so
account    sufficient pam_succeed_if.so uid < 1000 quiet
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account    required pam_permit.so

password   requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password   sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password   sufficient pam_sss.so use_authtok
password   required pam_deny.so

session    optional pam_keyinit.so revoke
session    required pam_limits.so
-session   optional pam_systemd.so
session    optional pam_oddjob_mkhomedir.so umask=0077
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required pam_unix.so
session    optional pam_sss.so

/etc/pam.d/password-auth

auth       required pam_env.so
auth       required pam_faildelay.so delay=2000000
auth       [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth       [default=1 ignore=ignore success=ok] pam_localuser.so
auth       requisite pam_unix.so nullok try_first_pass
auth       requisite pam_succeed_if.so uid >= 1000 quiet_success
auth       requisite pam_sss.so forward_pass   # Changed sufficient to requisite
auth       sufficient pam_duo.so  # Added <======================== 
auth       required pam_deny.so

account    required pam_unix.so
account    sufficient pam_localuser.so
account    sufficient pam_succeed_if.so uid < 1000 quiet
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account    required pam_permit.so

password   requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password   sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password   sufficient pam_sss.so use_authtok
password   required pam_deny.so

session    optional pam_keyinit.so revoke
session    required pam_limits.so
-session   optional pam_systemd.so
session    optional pam_oddjob_mkhomedir.so umask=0077
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required pam_unix.so
session    optional pam_sss.so

Important bits in /etc/ssh/sshd_config

PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive

Duo doesn’t get triggered, i.e., users can log in using AD credentials exactly as before, as if Duo weren’t installed at all. What am I missing here?

2 Replies

Try with pam_duo in /etc/pam.d/sshd, e.g.:

#%PAM-1.0
auth       required  pam_sepermit.so
# auth       substack     password-auth
auth       required   pam_env.so
auth       sufficient pam_duo.so
auth       required   pam_deny.so
auth       include      postlogin
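Whether pam_duo is ever reached is decided entirely by the PAM control flags, so it is worth tracing the two stacks in this thread rather than guessing. The block below is an added example, not code from the question, the reply, or Duo: a small Python re-implementation of the Linux-PAM auth dispatcher (the pam.conf(5) semantics of required/requisite/sufficient/optional and bracketed [return=action] controls) run over the password-auth stack from the question and the sshd stack from the reply. The per-login module return codes (an AD user whose password pam_sss accepts, the same user with Duo denying, and a local account that SSSD does not know) are constructed assumptions, as are the names parse_auth_stack, dispatch and trace; include/substack lines are not expanded.

```python
"""Trace a Linux-PAM 'auth' stack to see which modules actually run.

Added example for this thread (not code from the post, the reply, or Duo).
It re-implements the control-flag logic of pam.conf(5) for a subset of return
codes.  'include'/'substack' lines are NOT expanded: resolve them by hand
(e.g. sshd -> password-auth).  All per-login outcomes below are assumptions.
"""
import re

# How Linux-PAM expands the four shorthand control words (pam.conf(5)).
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_auth_stack(text):
    """Return [(control_map, module)] for the 'auth' lines of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())   # drop comments
        if not m or m.group(1) != "auth":
            continue
        ctl, module = m.group(2), m.group(3)
        if ctl in ("include", "substack"):
            continue                                     # not expanded here
        if ctl.startswith("["):
            control = dict(tok.split("=", 1) for tok in ctl[1:-1].split())
        else:
            control = SHORTHAND[ctl]
        stack.append((control, module))
    return stack


def dispatch(stack, outcomes):
    """Walk the stack the way Linux-PAM's dispatcher does.

    outcomes: module name -> return code it would give for this login.
    Returns (final result, list of modules that were actually invoked)."""
    impression, status, skip, invoked = None, None, 0, []
    for control, module in stack:
        if skip:                      # inside a [default=N] jump
            skip -= 1
            continue
        ret = outcomes.get(module, "auth_err")
        invoked.append(module)
        action = control.get(ret, control.get("default", "bad"))
        if action.isdigit():          # jump: skip N modules, record nothing
            skip, action = int(action), "ignore"
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression != "bad":   # a success never overrides an earlier failure
                impression, status = "ok", ret
            if action == "done" and impression != "bad":
                break                 # 'sufficient' short-circuit
        else:                         # "bad" or "die"
            if impression != "bad":   # the first failure code is the one reported
                impression, status = "bad", ret
            if action == "die":
                break                 # 'requisite' short-circuit
    return (status if impression else "perm_denied"), invoked


def trace(stack_text, outcomes):
    return dispatch(parse_auth_stack(stack_text), outcomes)


# Auth section of /etc/pam.d/password-auth as posted in the question.
PASSWORD_AUTH = """
auth       required pam_env.so
auth       required pam_faildelay.so delay=2000000
auth       [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth       [default=1 ignore=ignore success=ok] pam_localuser.so
auth       requisite pam_unix.so nullok try_first_pass
auth       requisite pam_succeed_if.so uid >= 1000 quiet_success
auth       requisite pam_sss.so forward_pass
auth       sufficient pam_duo.so
auth       required pam_deny.so
"""
# /etc/pam.d/sshd as suggested in the first reply (password-auth substack commented out).
SSHD_REPLY = """
auth       required  pam_sepermit.so
# auth       substack     password-auth
auth       required   pam_env.so
auth       sufficient pam_duo.so
auth       required   pam_deny.so
auth       include      postlogin
"""
# Constructed outcomes: AD user (uid >= 1000, not in /etc/passwd), AD password
# accepted by pam_sss, Duo push approved; pam_sepermit has nothing to say.
AD_USER = {"pam_env.so": "success", "pam_faildelay.so": "success", "pam_sepermit.so": "ignore",
           "pam_succeed_if.so": "success", "pam_localuser.so": "perm_denied",
           "pam_sss.so": "success", "pam_duo.so": "success", "pam_deny.so": "auth_err"}
AD_USER_DUO_DENIED = dict(AD_USER, **{"pam_duo.so": "auth_err"})
# Local account: pam_localuser and pam_unix succeed, SSSD does not know the user.
LOCAL_USER = dict(AD_USER, **{"pam_localuser.so": "success", "pam_unix.so": "success",
                              "pam_sss.so": "user_unknown"})

if __name__ == "__main__":
    for label, stack, who in [("password-auth, AD user", PASSWORD_AUTH, AD_USER),
                              ("password-auth, AD user, Duo denied", PASSWORD_AUTH, AD_USER_DUO_DENIED),
                              ("password-auth, local user", PASSWORD_AUTH, LOCAL_USER),
                              ("sshd (reply), AD user", SSHD_REPLY, AD_USER)]:
        result, invoked = trace(stack, who)
        print(f"{label}: {result}; pam_duo invoked: {'pam_duo.so' in invoked}")
```

Under those assumed outcomes the question's stack does invoke pam_duo for an AD user once pam_sss has succeeded, so if Duo never prompts, the next things to check are whether /etc/pam.d/sshd actually pulls this file in (auth substack password-auth) and whether pam_duo.conf points at the right host and keys; the same trace shows a local user stopping at the requisite pam_sss line and never reaching Duo at all. In the reply's sshd stack the password-auth substack is commented out, so pam_duo is the only module that decides the result; before relying on it, make sure sshd's AuthenticationMethods still demands a first factor (for example publickey,keyboard-interactive).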

SuperDeterrent
Level 1

Did you discover what the root cause was?
