Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3194
Views
0
Helpful
7
Replies

2FA with Public Key Authentication and Password for SSH with PAM Support (pam_duo)

tenajsystems
Level 1
Level 1

‎06-19-2019 09:09 AM

I have followed this link: Duo Unix - 2FA for SSH with PAM Support (pam_duo) | Duo Security on how to setup DUO 2FA with Public Key Authentication. Is there a way to also add Password Authentication to it so that Users who decide to use SSH keys only have to accept the DUO prompt(and not have to type in their password) and users who decide to not use SSH keys but use password will get the DUO prompt?

Any assistance with this would be very much appreciated.

Labels:
0 Helpful
7 Replies 7

Amy2
Level 5
Level 5

‎06-21-2019 11:10 AM

Hi tenajsystems,

What you are asking for is possible, but not wholeheartedly recommended. In your /etc/ssh/sshd_config file you can set:

UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication yes
PubKeyAuthentication yes
PasswordAuthentication yes
ForceCommand /usr/sbin/login_duo

This configuration does not use PAM.

We do not completely support this method because of a potential security risk from using ForceCommand to open a new shell. There is potential for someone to configure the bashrc to open a shell before the shell protected by Duo loads.

0 Helpful

tenajsystems
Level 1
Level 1

‎06-21-2019 11:26 AM

@Amy Can what I described be done with PAM(using the pam_duo and not the login_duo)?

0 Helpful

Amy2
Level 5
Level 5
In response to tenajsystems

‎06-21-2019 11:29 AM

No, you can only achieve what you describe using the login_duo.

0 Helpful

leffler_media
Level 1
Level 1

‎01-28-2022 09:02 AM

Is this still impossible to do only using pam_duo?

0 Helpful

Amy2
Level 5
Level 5
In response to leffler_media

‎02-03-2022 08:48 AM

Hi @leffler_media,
Yes, this is still not possible with pam_duo. If you would like to use either password or SSH key authentication with Duo Unix, it can only be done with login_duo per the article linked here. If you wanted to use both pubkey and password, that is possible with pam_duo. See the article How do I enable pam_duo to use both passwords and public key authentication?

0 Helpful

David_McMillan
Level 1
Level 1
In response to Amy2

‎02-27-2022 05:12 AM

When will Duo have this working with pam_duo? Duo should offer an option that is flexible enough to allow the option of either password or public key without introducing another security risk or providing an option that they don’t fully recommend.

0 Helpful

Amy2
Level 5
Level 5
In response to David_McMillan

‎02-28-2022 06:03 AM

Hi David, there is currently no ETA for when this will be available, and we are not able to share timelines publicly in the Community anyway due to the fact that timelines may change with evolving circumstances. There is an open feature request for this functionality, however, and it is under consideration for the future. Anyone who is interested should contact Duo Support, or their Customer Success Manager or Account Executive, if applicable, to be added to the request.

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents