Cannot make LDAP and DUO both authenticate


We have a configuration that currently makes use of DUO, and before we install DUO we ensure a working integration with LDAP for user logins.

Once we install DUO though, and follow the initial documents, we can get the auth requests from DUO … but the password can be any quickly typed keyboard mash and you still log in to the system.

I have tried a few alternate configurations of common-auth and sshd in /etc/pam.d, but none of them seem to allow me to auth with the password, and you then do not get a prompt from DUO.

Can someone point me at the right documentation?



I’m using this successfully on CentOS 6 and 7 systems in password-auth-ac:

auth required
auth [default=1 success=ignore]
auth [success=1 default=ignore] nullok try_first_pass
auth requisite
auth sufficient
auth required

This is the only PAM change I had to make. Before coming up with this config, I did come up with several that didn’t require passwords at all! The changes to sshd_config follow the documentation.
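A stack in which both the password module and pam_duo.so are `sufficient` produces both symptoms from the question: any password is accepted once Duo approves, and a correct password returns before Duo is ever asked. The following is an added example, not code from the thread or from Duo: a simplified Python model of the PAM control flags that checks whether an auth stack can grant access while every password module fails. The two stacks and their module names are constructed assumptions, since the listing above does not show which modules it uses.

```python
import itertools
import re

# Added example: simplified model of Linux-PAM control flags (see pam.conf(5)).
SHORTHAND = {"required":   {"success": "ok",   "default": "bad"},
             "requisite":  {"success": "ok",   "default": "die"},
             "sufficient": {"success": "done", "default": "ignore"}}

def parse(stack):
    """Return [(actions, module)] for each auth line of a pam.d snippet."""
    found = re.findall(r"^\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", stack, re.M)
    return [(dict(kv.split("=") for kv in ctl[1:-1].split())
             if ctl.startswith("[") else SHORTHAND[ctl], mod) for ctl, mod in found]

def evaluate(rules, passes):
    """Modules named in `passes` succeed, all others fail; True if auth is granted."""
    granted, failed, i = False, False, 0
    while i < len(rules):
        actions, module = rules[i]
        ok = module in passes
        act = actions.get("success", actions["default"]) if ok else actions["default"]
        if act.isdigit():
            i += int(act)                  # jump over the next N modules
        elif act in ("bad", "die"):
            failed = True                  # a failure here can no longer be undone
        elif act in ("ok", "done") and ok and not failed:
            granted = True
        if act == "die" or (act == "done" and not failed):
            break                          # stop processing the stack
        i += 1
    return granted and not failed

def password_bypass(stack, password_modules):
    """True if auth can be granted while every password module fails."""
    rules = parse(stack)
    others = {m for _, m in rules} - set(password_modules) - {"pam_deny.so"}
    return any(evaluate(rules, set(c)) for n in range(len(others) + 1)
               for c in itertools.combinations(sorted(others), n))

# Constructed sample stacks; module names are assumptions, not from the thread.
WEAK = """auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth required   pam_deny.so"""
STRICT = """auth required                   pam_env.so
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite                  pam_ldap.so use_first_pass
auth sufficient                 pam_duo.so
auth required                   pam_deny.so"""
PASSWORD_MODULES = {"pam_unix.so", "pam_ldap.so"}
```

`password_bypass(WEAK, PASSWORD_MODULES)` is true and the same call on `STRICT` is false. The model treats every module failure as the `default` action, so per-return-code rules such as `user_unknown=ignore` are outside what it checks.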