CentOS 7 and the "group" config setting


I’ve started to add a couple of linux servers into duo, and looking for some advice.

This server is running CentOS 7, and has a few local user accounts

root - needs duo
user1 - needs duo
user2 - uses ssh key login only, doesn’t need duo
user3 - needs duo

The base install and config works well for root, user1 and user3 … but doesn't let user2 in the door (as expected). I thought the answer was to have the

pushinfo = yes
groups = *,!user2

in the config file … but that seems to allow user2 to log in via ssh with no password prompt at all, which is not good. (Other users with this config still get the Duo prompt.)

I’m assuming this is because the default install comments out the
auth substack password-auth
line in PAM?

Any ideas out there for this?



Yeah if you follow our docs directly we have you turn off password and instead use public key authentication.
I’m a little confused by your question though. I thought you said you wanted user2 to have ssh key login only. Do you also want a password?


We also have this help article about group membership that could be useful. Although I think it’s possible your groups are set up correctly already.


user2 normally logs in with a key but has a backup password set; I would like to keep password-based login as a backup (there is a separate set of IDS/IPS filters that block repeated failed logins).


I’ll add that this is also something that someone might want to add to the documentation, since not everyone will realize that if they exclude a user from 2FA (and they have a password set for the user) the default documentation exposes that user account without a password.



PAM does provide some flexibility as to when/how to trigger 2FA.

For example, you can configure PAM to require 2FA for BOTH password and key login:

You can also configure PAM + SSH to fall back to password login if key-based authentication fails; however, this requires the use of both pam_duo and login_duo.

The one limitation that exists that does not meet your requirements is allowing fallback to password based auth on an individual user or group of users. I suppose that only users that DO have passwords set would trigger the fallback behavior you are looking for.
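To make the exposure described in this thread concrete, here is an added sketch of the `auth` section of /etc/pam.d/sshd on a CentOS 7 host. It is not taken from Duo's documentation; the exact module order and options are my assumption of a typical layout, and the point is only where the first factor sits relative to pam_duo.so. With the password-auth substack commented out, pam_duo.so is the only module that can succeed, so a user whom `groups = *,!user2` exempts gets a success without anything ever checking a password.

```text
# /etc/pam.d/sshd, auth section -- key-only layout (assumed).
# The SSH key is the first factor and is checked by sshd itself, before PAM.
# PAM therefore carries only Duo; nothing here verifies a password.
#auth       substack     password-auth
auth       required     pam_env.so
auth       sufficient   pam_duo.so      # exempt group => returns success, stack ends
auth       required     pam_deny.so

# /etc/pam.d/sshd, auth section -- layout that keeps a first factor in PAM (assumed).
# pam_unix must pass (requisite) before pam_duo runs, so a Duo exemption
# only removes the second factor, never the password check.
auth       required     pam_env.so
auth       requisite    pam_unix.so try_first_pass   # first factor: the password
auth       sufficient   pam_duo.so                    # second factor; exempt groups pass here
auth       required     pam_deny.so
```

The second layout is the one to audit for whenever `groups` contains a `!` exclusion: if every module before pam_duo.so is `pam_env.so` or similar bookkeeping, the exclusion is a password bypass for any excluded account that has a password set. `nullok` is deliberately left off pam_unix.so so an empty password cannot satisfy the first factor.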



Do the group membership options in login_duo.conf support LDAP netgroups?


Hi Svieth!
This is something we haven’t been able to test yet, however, my hunch is that it will not work.
On the backend of things we are using http://man7.org/linux/man-pages/man3/getgrouplist.3.html to get the groups that a user belongs to. I’m not super familiar with LDAP netgroups, but if the LDAP netgroups do not show up as a result of that function then you won’t be able to use them in the group list in the login_duo.conf.
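The reply above names getgrouplist(3) as the call behind the `groups` option, which makes the netgroup question and the original `groups = *,!user2` line easy to check on a real host. The following is an added example, not Duo's code: it resolves a user's groups exactly as getgrouplist(3) reports them through NSS and then evaluates a pam_duo-style `groups` value against that list. The matching rule (comma-separated shell-glob patterns, a leading `!` negates, Duo required when some group matches a positive pattern and none matches a negated one) is my reading of the option and is an assumption, not pam_duo's implementation. Two practical consequences follow from it: a group that only exists inside an LDAP netgroup never appears in the list, and `!user2` only works because CentOS creates a private group named after each user, so `getent group user2` is the first thing to verify.

```c
#define _GNU_SOURCE          /* expose getgrouplist(3) under strict C modes on glibc */
#include <fnmatch.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_GROUPS 64
#define NAME_LEN   64

/* Fill names[] with every group `user` belongs to, primary group included,
 * exactly as getgrouplist(3) reports them through NSS.  Returns the count,
 * or -1 if the user is unknown.  A group that only exists in an LDAP
 * netgroup is not part of the NSS group database and will not appear. */
int resolve_groups(const char *user, char names[][NAME_LEN], int max)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;

    gid_t gids[MAX_GROUPS];
    int ngroups = MAX_GROUPS;
    /* -1 means the buffer was too small; glibc still fills what fits. */
    if (getgrouplist(user, pw->pw_gid, gids, &ngroups) == -1)
        ngroups = MAX_GROUPS;

    int n = 0;
    for (int i = 0; i < ngroups && n < max; i++) {
        struct group *gr = getgrgid(gids[i]);
        if (gr == NULL)
            continue;   /* numeric gid with no name: cannot match a name pattern */
        snprintf(names[n++], NAME_LEN, "%s", gr->gr_name);
    }
    return n;
}

/* Evaluate a pam_duo-style "groups =" value (assumed semantics, see above)
 * against a resolved group list.  Returns 1 when Duo would be required:
 * some group matches a positive pattern and no group matches a "!" one. */
int duo_required(char names[][NAME_LEN], int n, const char *spec)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", spec);

    int positive_hit = 0, negative_hit = 0;
    for (char *tok = strtok(buf, ", "); tok != NULL; tok = strtok(NULL, ", ")) {
        int negate = (tok[0] == '!');
        const char *pat = negate ? tok + 1 : tok;
        for (int i = 0; i < n; i++) {
            if (fnmatch(pat, names[i], 0) == 0) {
                if (negate) negative_hit = 1; else positive_hit = 1;
            }
        }
    }
    return positive_hit && !negative_hit;
}

/* Usage: ./duogroups [user] [spec]   e.g.  ./duogroups user2 '*,!user2' */
int main(int argc, char **argv)
{
    struct passwd *self = getpwuid(getuid());
    const char *user = argc > 1 ? argv[1] : (self ? self->pw_name : "root");
    const char *spec = argc > 2 ? argv[2] : "*,!user2";   /* the thread's example */

    char names[MAX_GROUPS][NAME_LEN];
    int n = resolve_groups(user, names, MAX_GROUPS);
    if (n < 0) {
        fprintf(stderr, "unknown user: %s\n", user);
        return 1;
    }
    printf("%s groups:", user);
    for (int i = 0; i < n; i++)
        printf(" %s", names[i]);
    printf("\nDuo required under \"%s\": %s\n", spec,
           duo_required(names, n, spec) ? "yes" : "no");
    return 0;
}
```

Run it as `./duogroups user2 '*,!user2'` on the box in question: if the printed group list does not contain `user2`, the exclusion is not matching for the reason you expect, and if it does, remember that the exclusion only removes pam_duo from the stack and leaves whatever first factor the PAM configuration still carries.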