Can DUO LDAP proxy work with SSH key-based auth?


#1

I have a DUO LDAP proxy set up on Linux. I’ve replaced my normal LDAP server IP address with my DUO LDAP Proxy IP address in /etc/ldap.conf and /etc/ldap/ldap.conf and all things LDAP seem to be proxying correctly.

We have ssh PasswordAuthentication set to no and PubkeyAuthentication set to yes on all the servers we manage. I am not sent a DUO push to my mobile when I log in over ssh. Only when I sudo does DUO send the push. In retrospect, this makes sense since I’ve told ssh to ignore any password-based auth.

Do I need to additionally set up pam_duo for this configuration or is there some other way I can tell ssh to include a DUO push for key-based auth?


#2

The Duo Authentication as LDAP server will only respond to LDAP bind operations. You will need to install Duo Unix (pam_duo) to add MFA to pubkey auth.
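
A check for the setup discussed in this thread, added here as an example and not part of either post or of Duo's own tooling: it reads an sshd_config and an sshd PAM stack and reports why a key-based login would never reach pam_duo. The sample configs are constructed, and the `AuthenticationMethods publickey,keyboard-interactive` line and the `auth required pam_duo.so` rule are assumptions about how Duo Unix would be wired in, not settings quoted from the thread.

```python
import re

# Constructed sample configs (not from the thread). BEFORE mirrors the question's
# key-only setup; AFTER assumes Duo Unix is installed and pam_duo.so is in sshd's PAM stack.
BEFORE_SSHD = "PasswordAuthentication no\nPubkeyAuthentication yes\nUsePAM yes\n"
BEFORE_PAM = "@include common-auth\n"
AFTER_SSHD = BEFORE_SSHD + (
    "KbdInteractiveAuthentication yes\n"
    "AuthenticationMethods publickey,keyboard-interactive\n"
)
AFTER_PAM = "auth required pam_duo.so\n"


def parse_sshd(text):
    """Global sshd_config options as {lowercase keyword: value}; first value wins, as in sshd."""
    opts = {}
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) < 2:
            continue
        if parts[0].lower() == "match":
            break  # Match blocks are out of scope for this check
        opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def pubkey_mfa_findings(sshd_text, pam_text):
    """Return reasons why a key-based login would not reach pam_duo (empty list = OK)."""
    opts = parse_sshd(sshd_text)
    findings = []
    # Each space-separated list is an alternative; every one must include the PAM-backed step.
    for methods in opts.get("authenticationmethods", "any").split():
        if "keyboard-interactive" not in [m.split(":")[0] for m in methods.split(",")]:
            findings.append(f"AuthenticationMethods '{methods}' does not require keyboard-interactive")
    if opts.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is not 'yes'")
    kbd = opts.get("kbdinteractiveauthentication",
                   opts.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "yes":
        findings.append("keyboard-interactive authentication is disabled")
    # A PAM rule is "type control module [args]"; look for pam_duo.so in an auth rule.
    rules = [l.split() for l in pam_text.splitlines() if not l.lstrip().startswith("#")]
    if not any(len(r) >= 3 and r[0].lstrip("-") == "auth"
               and any("pam_duo.so" in tok for tok in r[2:]) for r in rules):
        findings.append("no pam_duo.so rule in the PAM auth stack")
    return findings
```

On a live host, feed it the effective configuration (for example the output of `sshd -T`) rather than the raw file, so included files and defaults are accounted for.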