Bypassing 2 Factor Auth For SFTP Users


#1

Hello,

I’m using pam_duo to add two-factor auth to SSH and sudo on my VPS running Ubuntu 14.04.5. I host a couple of websites on the server, and I want my users to be able to manage their files via SFTP without enrolling in Duo. I don’t want to give my users full SSH/shell access to the server if at all possible.

I have installed pam_duo according to the guide on the Duo website (https://duo.com/docs/duounix), and SSH/sudo two-factor is working great, but I’m having trouble excluding the SFTP users from Duo. All SFTP users are in their own sftpusers group, and I set the groups option in pam_duo.conf as follows per the suggestion from this community post: DUO Unix - only for SSH login (not for sftp, etc.)

groups = *,!sftpusers

I have also tried:

groups = !sftpusers,*

This seemed to work, but in both cases the system is now accepting anything as a valid password for an SFTP user. If I comment out the groups setting, SFTP users are denied access even with the correct password.

Everything works properly if I remove pam_duo from the system.

I’m not sure how to continue troubleshooting. Can anyone offer guidance on how to force Duo on SSH/sudo users, but bypass for the SFTP users?

Edited to include community post addressing SFTP users.
Edited to clarify title.
Removed configs per community guidelines.
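
One PAM layout that produces the symptom described in the post above (a user exempted from Duo by the groups setting gets in with any password), as an added example that comes from neither the thread nor Duo's documentation. Both stacks are constructed, the control-flag handling is simplified, and it is an assumption that pam_duo reports success for a user its groups setting exempts.

```python
# Added example: simplified model of how PAM evaluates an "auth" stack.
# Both stacks are constructed for illustration; neither is the poster's config.
WEAK = """\
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
"""
HARDENED = "auth requisite pam_unix.so\n" + WEAK  # password check runs first

def module_result(module, ctx):
    """True means the module returned PAM_SUCCESS."""
    if module == "pam_unix.so":
        return ctx["password_ok"]
    if module == "pam_duo.so":
        # Assumption: pam_duo reports success for users its groups setting exempts.
        return ctx["duo_exempt"] or ctx["duo_approved"]
    if module == "pam_permit.so":
        return True
    if module == "pam_deny.so":
        return False
    raise ValueError(f"unmodelled module: {module}")

def authenticate(stack, ctx):
    """Return True if the stack accepts the login described by ctx."""
    lines = [l.split() for l in stack.splitlines() if l.strip()]
    failed = granted = False
    i = 0
    while i < len(lines):
        control, module = " ".join(lines[i][1:-1]), lines[i][-1]
        ok = module_result(module, ctx)
        i += 1
        if control.startswith("["):
            # Only "[success=N default=ignore]" is modelled: skip N lines on success.
            actions = dict(kv.split("=") for kv in control.strip("[]").split())
            if ok:
                i += int(actions["success"])
        elif control == "requisite" and not ok:
            return False  # requisite failure ends the stack immediately
        elif control in ("required", "requisite"):
            failed, granted = failed or not ok, granted or ok
        else:
            raise ValueError(f"unmodelled control: {control}")
    return granted and not failed

def exempt_user_wrong_password(stack):
    """Does the stack accept a Duo-exempt user who typed a wrong password?"""
    ctx = {"password_ok": False, "duo_exempt": True, "duo_approved": False}
    return authenticate(stack, ctx)
```

In the WEAK stack pam_duo is the only module that decides anything, so exempting a group removes the last check; the same trace against a real /etc/pam.d file shows whether a password module still runs for exempt users.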


#2

Hi jjs,

I went over this with some of our engineers, and we’ll need to see your configuration and logs before we can troubleshoot further. Please get in touch with our Support Team at your earliest convenience and they’ll be able to help you out. Thanks!


#3

I had a similar question; support directed me here: https://help.duo.com/s/article/ka070000000fzxYAAQ/2231?language=en_US

I can confirm it works. We then had a different issue, as some of our users are local (/etc/passwd), and some are in AD (via SSSD), but minus that, the instructions above worked for me.