Can DUO LDAP proxy work with SSH key-based auth?


I have a DUO LDAP proxy setup on Linux. I’ve replaced my normal LDAP server IP address with my DUO LDAP Proxy IP address in /etc/ldap.conf and /etc/ldap/ldap.conf and all things LDAP seem to be proxying correctly.

We have ssh PasswordAuthentication set to no and PubkeyAuthentication set to yes on all the servers we manage. I am not sent a DUO push to my mobile when I log in over ssh. Only when I sudo does DUO send the push. In retrospect, this makes sense since I’ve told ssh to ignore any password-based auth.

Do I need to additionally set up pam_duo for this configuration or is there some other way I can tell ssh to include a DUO push for key-based auth?


The Duo Authentication as LDAP server will only respond to LDAP bind operations. You will need to install Duo Unix (pam_duo) to add MFA to pubkey auth.
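
A check for the situation in this thread, added here as an example and not taken from the posts or from Duo: it reads the effective sshd settings and reports whether a public-key login is also forced through keyboard-interactive (PAM), which is where pam_duo would prompt. It assumes input in the lowercase format `sshd -T` prints and that the site uses OpenSSH's `AuthenticationMethods` option to chain the two steps; the function names and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `sshd -T`-style lines on stdin; exit 0 only if every
# accepted login chain needs publickey AND keyboard-interactive (PAM).
check_pubkey_mfa() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "usepam" { usepam = val }
        # Newer OpenSSH prints the first name, older releases the second.
        key == "kbdinteractiveauthentication" || key == "challengeresponseauthentication" {
            if (val == "yes") kbd = 1
        }
        key == "authenticationmethods" {
            # Each field after the keyword is one acceptable chain.
            for (i = 2; i <= NF; i++) {
                chains++
                if ($i ~ /publickey/ && $i ~ /keyboard-interactive/) ok++
            }
        }
        END {
            if (usepam != "yes") { print "FAIL: UsePAM is not yes"; exit 1 }
            if (!kbd) { print "FAIL: keyboard-interactive is disabled"; exit 1 }
            if (chains == 0 || ok != chains) {
                print "FAIL: a login can complete without publickey,keyboard-interactive"
                exit 1
            }
            print "OK: publickey is chained to keyboard-interactive"
        }'
}

# Reads a PAM service file on stdin; true if an active auth line loads pam_duo.
pam_has_duo() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_duo\.so'
}

# Constructed sample: the settings described in the question (key alone suffices).
SAMPLE_BEFORE='passwordauthentication no
pubkeyauthentication yes
usepam yes
kbdinteractiveauthentication yes
authenticationmethods any'

# Constructed sample: the same host with the key chained to PAM.
SAMPLE_AFTER='passwordauthentication no
pubkeyauthentication yes
usepam yes
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive'

printf '%s\n' "$SAMPLE_BEFORE" | check_pubkey_mfa || true
printf '%s\n' "$SAMPLE_AFTER" | check_pubkey_mfa
```

On a live host the first function would be fed the output of `sshd -T` and the second the contents of `/etc/pam.d/sshd`; both must pass before a key-based login reaches pam_duo.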