I’m using pam_duo to add two-factor auth to SSH and sudo on my VPS running Ubuntu 14.04.5. I host a couple of websites on the server, and I want my users to be able to manage their files via SFTP without enrolling in Duo. I don’t want to give my users full SSH/shell access to the server if at all possible.
I have installed pam_duo according to the guide on the Duo website (https://duo.com/docs/duounix), and SSH/sudo two-factor is working great, but I’m having trouble excluding the SFTP users from Duo. All SFTP users are in their own sftpusers group, and I set the groups option in pam_duo.conf as follows, per the suggestion from this community post, "DUO Unix - only for SSH login (not for sftp, etc.)":
groups = *,!sftpusers
I have also tried:
groups = !sftpusers,*
This seemed to work, but in both cases the system is now accepting anything as a valid password for an SFTP user. If I comment out the groups setting, SFTP users are denied access even with the correct password.
Everything works properly if I remove pam_duo from the system.
I’m not sure how to continue troubleshooting. Can anyone offer guidance on how to force Duo on SSH/sudo users, but bypass for the SFTP users?
Edited to include community post addressing SFTP users.
Edited to clarify title.
Removed configs per community guidelines.