Bypassing 2 Factor Auth For SFTP Users

jjs1 (Level 1)

Hello,

I’m using pam_duo to add two-factor auth to SSH and sudo on my VPS running Ubuntu 14.04.5. I host a couple of websites on the server, and I want my users to be able to manage their files via SFTP without enrolling in Duo. I don’t want to give my users full SSH/shell access to the server if at all possible.

I have installed pam_duo according to the guide on the Duo website (https://duo.com/docs/duounix), and SSH/sudo two-factor is working great, but I’m having trouble excluding the SFTP users from Duo. All SFTP users are in their own sftpusers group, and I set the groups option in pam_duo.conf as follows per the suggestion from this community post: DUO Unix - only for SSH login (not for sftp, etc.)

groups = *,!sftpusers

I have also tried:

groups = !sftpusers,*

This seemed to work, but in both cases the system is now accepting anything as a valid password for an SFTP user. If I comment out the groups setting, SFTP users are denied access even with the correct password.

Everything works properly if I remove pam_duo from the system.

I’m not sure how to continue troubleshooting. Can anyone offer guidance on how to force Duo on SSH/sudo users, but bypass for the SFTP users?

Edited to include community post addressing SFTP users.
Edited to clarify title.
Removed configs per community guidelines.
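The symptom in the post ("anything is accepted as a valid password" for the excluded group, while un-excluded SFTP users are denied) is a PAM stacking question, so here is an added example that models it. This is not code from the post, from Duo, or from the pam_duo project. It assumes, and this must be checked against the installed pam_duo version, that the module returns PAM_SUCCESS for users outside its `groups` pattern rather than failing them; the accounts, passwords and both stacks below are constructed for illustration and are not the poster's configuration. The "weak" stack is one ordering that produces exactly the reported behaviour; the "hardened" ordering has the shape of the Ubuntu `common-auth` layout, where the password check gates everything that follows.

```python
# Added example: a toy evaluator for a Linux-PAM "auth" stack, showing how a
# second-factor module that returns success for users it skips behaves under
# different control flags. Not the poster's configuration and not Duo code.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

# Constructed sample accounts (password and group membership) for the model.
USERS = {
    "admin":   {"password": "hunter2", "groups": ["admin", "sudo"]},
    "webuser": {"password": "s3cret",  "groups": ["sftpusers"]},
}


def pam_unix(user, password, second_factor_ok):
    """Password check against the constructed account database."""
    acct = USERS.get(user)
    if acct is None or acct["password"] != password:
        return PAM_AUTH_ERR
    return PAM_SUCCESS


def pam_deny(user, password, second_factor_ok):
    return PAM_AUTH_ERR


def pam_permit(user, password, second_factor_ok):
    return PAM_SUCCESS


def make_pam_duo(excluded_groups):
    """Model of a second-factor module with a 'groups = *,!<group>' exclusion.

    Assumption: users in an excluded group are skipped *with success*, which
    is what makes the ordering of the stack matter. second_factor_ok stands in
    for the push/passcode result of an enrolled user.
    """
    def pam_duo(user, password, second_factor_ok):
        acct = USERS.get(user)
        if acct is None:
            return PAM_AUTH_ERR
        if any(g in excluded_groups for g in acct["groups"]):
            return PAM_SUCCESS            # skipped: no second factor asked
        return PAM_SUCCESS if second_factor_ok else PAM_AUTH_ERR
    return pam_duo


def run_auth_stack(stack, user, password, second_factor_ok):
    """Walk (control, module) pairs with Linux-PAM control-flag semantics.

    control is "required", "requisite", "sufficient", or ("success", N),
    the latter meaning "[success=N default=ignore]": on success skip the next
    N entries, otherwise the result does not affect the outcome.
    """
    i = 0
    failed = False
    while i < len(stack):
        control, module = stack[i]
        rc = module(user, password, second_factor_ok)
        if isinstance(control, tuple):
            if rc == PAM_SUCCESS:
                i += control[1]
        elif control == "required":
            if rc != PAM_SUCCESS:
                failed = True             # remembered, stack keeps running
        elif control == "requisite":
            if rc != PAM_SUCCESS:
                return False              # stop immediately
        elif control == "sufficient":
            if rc == PAM_SUCCESS and not failed:
                return True               # stop immediately with success
        else:
            raise ValueError("unknown control " + repr(control))
        i += 1
    return not failed


def weak_stack(excluded_groups):
    """Second factor marked 'sufficient' ahead of the password check: a
    skipped user ends the stack with success before any password is seen."""
    return [
        ("sufficient", make_pam_duo(excluded_groups)),
        ("required", pam_unix),
    ]


def hardened_stack(excluded_groups):
    """Password first; a wrong password hits pam_deny; only users who already
    authenticated reach the second-factor module, where skipped users pass
    and enrolled users must approve."""
    return [
        (("success", 1), pam_unix),       # right password: jump over pam_deny
        ("requisite", pam_deny),          # wrong password: stop here
        ("requisite", make_pam_duo(excluded_groups)),
        ("required", pam_permit),
    ]


def authenticate(stack, user, password, second_factor_ok=False):
    return run_auth_stack(stack, user, password, second_factor_ok)


if __name__ == "__main__":
    for name, stack in (("weak", weak_stack({"sftpusers"})),
                        ("hardened", hardened_stack({"sftpusers"}))):
        print(name, "webuser / wrong password:",
              authenticate(stack, "webuser", "not-the-password"))
        print(name, "admin / right password, 2FA denied:",
              authenticate(stack, "admin", "hunter2", second_factor_ok=False))
```

Two things the model makes visible. In the weak ordering the exclusion is not the only hole: because a failing `sufficient` entry is simply ignored, an enrolled user with the right password also gets in when the second factor is denied, so "2FA works for SSH" is not proof that the stack is right; test with a wrong password for an excluded account and with a denied push for an enrolled one. And with no `groups` exclusion at all, the hardened ordering denies an un-enrolled user even with the correct password, which matches what the poster saw when the setting was commented out. Separately from PAM, an sshd `Match Group sftpusers` block with `ForceCommand internal-sftp` (and `ChrootDirectory`) keeps those accounts off a shell, which is the other half of what the poster asked for, but it does not repair a stack that accepts any password.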

2 Replies

Dooley (Level 3)

Hi jjs,

I went over this with some of our engineers, and we’ll need to see your configuration and logs before we can troubleshoot further. Please get in touch with our Support Team at your earliest convenience and they’ll be able to help you out. Thanks!

gnyce (Level 1)

I had a similar question, support directed me here: https://help.duo.com/s/article/ka070000000fzxYAAQ/2231?language=en_US

I can confirm it works. We then had a different issue, as some of our users are local (/etc/passwd), and some are in AD (via SSSD), but minus that, the instructions above worked for me
