CentOS 7 and the "group" config setting


#1

I've started to add a couple of Linux servers into Duo, and I'm looking for some advice.

This server is running CentOS 7 and has a few local user accounts:

root - needs Duo
user1 - needs Duo
user2 - uses SSH key login only, doesn't need Duo
user3 - needs Duo

The base install and config works well for root, user1 and user3, but it doesn't let user2 in the door (as expected). I thought the answer was to have

pushinfo = yes
groups = *,!user2

in the config file, but that seems to allow user2 to log in via SSH with no password prompt at all, which is not good. (Other users with this config still get the Duo prompt.)

I'm assuming this is because the default install comments out the
auth substack password-auth
line in PAM?

Any ideas out there for this?

Thanks!
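The bypass described in this post, checked mechanically, as an added example that is not from the thread or from Duo's documentation. The script audits the "auth" lines of an sshd PAM file and reports whether pam_duo.so is reached without any password check in front of it, which is exactly the situation in which a user excluded through the pam_duo "groups" setting is passed straight through. The three sample stacks (a stock CentOS 7 /etc/pam.d/sshd, a key-only arrangement with "auth substack password-auth" commented out, and one that keeps the password substack ahead of pam_duo.so) are constructed for the example, and pam_duo.so being listed as "sufficient" is an assumption about how the stack was edited.

```shell
#!/bin/sh
# Added example: audit the "auth" stack of an sshd PAM file for the condition the
# original poster hit. Not Duo's code or docs; the sample stacks below are constructed.
set -f   # no pathname expansion while PAM lines are word-split with "set --"

# Print one word describing the auth stack in file $1:
#   ok      a password check (pam_unix.so, or the password-auth / system-auth substack)
#           is active before pam_duo.so
#   bypass  pam_duo.so is active but no password check precedes it: a user that the
#           pam_duo "groups" setting excludes is passed through with no credential
#   no-duo  pam_duo.so is not in the auth stack at all
pam_sshd_verdict() {
    file="$1"
    seen_password=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"            # strip comments; a commented-out line becomes empty
        set -- $line                  # split into: type control module [args]
        [ "${1:-}" = "auth" ] || continue
        shift
        case "${1:-}" in              # skip a bracketed control such as "[success=1 default=ignore]"
            '['*) while [ $# -gt 0 ] && [ "${1%]}" = "$1" ]; do shift; done ;;
        esac
        [ $# -ge 2 ] || continue      # need a control word and a module name
        shift
        case "${1:-}" in
            pam_unix.so|password-auth|system-auth) seen_password=1 ;;
            pam_duo.so)
                if [ "$seen_password" -eq 1 ]; then echo ok; else echo bypass; fi
                return 0 ;;
        esac
    done < "$file"
    echo no-duo
}

PAM_STOCK="$(mktemp)"; PAM_WEAK="$(mktemp)"; PAM_SAFE="$(mktemp)"

# Constructed: the auth section of a stock CentOS 7 /etc/pam.d/sshd, no Duo yet.
cat > "$PAM_STOCK" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
-auth      optional     pam_reauthorize.so prepare
EOF

# Constructed: key-only arrangement, password-auth commented out, pam_duo.so sufficient.
# An excluded user clears pam_sepermit and pam_env, pam_duo returns success, nothing is asked.
cat > "$PAM_WEAK" <<'EOF'
auth       required     pam_sepermit.so
#auth       substack     password-auth
auth       required     pam_env.so
auth       sufficient   pam_duo.so
auth       required     pam_deny.so
auth       include      postlogin
EOF

# Constructed: password substack kept in front of pam_duo.so, so an excluded user still
# has to give a password (assumed arrangement, not quoted from Duo's docs).
cat > "$PAM_SAFE" <<'EOF'
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       sufficient   pam_duo.so
auth       required     pam_deny.so
auth       include      postlogin
EOF

for f in "$PAM_STOCK" "$PAM_WEAK" "$PAM_SAFE"; do
    printf '%s: %s\n' "$f" "$(pam_sshd_verdict "$f")"
done
```

Run it against the real file with `pam_sshd_verdict /etc/pam.d/sshd`; "bypass" is the state this post describes, and it only matters once a user is excluded via "groups", because for everyone else pam_duo itself still prompts.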


#2

Yeah, if you follow our docs directly, we have you turn off password authentication and instead use public key authentication.
I'm a little confused by your question, though. I thought you said you wanted user2 to have SSH key login only. Do you also want a password?


#3

We also have this help article about group membership that could be useful. Although I think it’s possible your groups are set up correctly already.
https://help.duo.com/s/article/2225?language=en_US


#4

user2 normally logs in with a key but has a backup password set; I would like to keep password-based login as a backup (there is a separate set of IDS/IPS filters that blocks repeated failed logins).


#5

I'll add that this is also something that someone might want to add to the documentation, since not everyone will realize that if they exclude a user from 2FA (and that user has a password set), the default documentation exposes that user account without a password.


#6

mrivett,

PAM does provide some flexibility as to when/how to trigger 2FA.

For example, you can configure PAM to require 2FA for BOTH password and key login:
https://help.duo.com/s/article/3745

You can also configure PAM + SSH to fall back to password login if key-based authentication fails; however, this requires the use of both pam_duo and login_duo:
https://help.duo.com/s/article/2169

The one limitation that exists that does not meet your requirements is allowing fallback to password-based auth for an individual user or group of users. I suppose that only users that DO have passwords set would trigger the fallback behavior you are looking for.

Regards,
Ryan
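The sshd side of "2FA for both password and key login" from the reply above, as an added example that is not from the thread or from Duo's articles. In OpenSSH, keyboard-interactive is the authentication method that runs the PAM auth stack with a conversation pam_duo can use to prompt; the password method hands PAM only the password, and publickey skips the PAM auth stack entirely, so every space-separated alternative in AuthenticationMethods has to end in keyboard-interactive for Duo to run on that path. The check below parses a constructed sshd_config (first occurrence of a keyword wins, as in sshd; Match blocks and the Keyword=value spelling are not handled, an assumption for the example) and names the first alternative that never reaches PAM. The "both paths" sample, `AuthenticationMethods publickey,keyboard-interactive keyboard-interactive`, is one arrangement that gives a key login and a password login (the password being asked by pam_unix inside the keyboard-interactive PAM stack) a pam_duo prompt; it is an assumption, not a quote from the linked article.

```shell
#!/bin/sh
# Added example: check whether every AuthenticationMethods path in an sshd_config reaches
# the PAM auth stack via keyboard-interactive. Not Duo's code; the sample configs are constructed.

# Print the effective value of keyword $2 in sshd_config $1: the first occurrence wins and
# parsing stops at the first Match block (sshd keywords are case-insensitive).
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == key     { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print "ok" when UsePAM is on, keyboard-interactive is not disabled, AuthenticationMethods
# is set, and every alternative ends in keyboard-interactive; otherwise name the problem.
sshd_mfa_verdict() {
    f="$1"
    [ "$(sshd_option "$f" UsePAM)" = "yes" ] || { echo usepam-off; return 0; }
    [ "$(sshd_option "$f" ChallengeResponseAuthentication)" != "no" ] || { echo kbdint-off; return 0; }
    methods="$(sshd_option "$f" AuthenticationMethods)"
    [ -n "$methods" ] || { echo no-authmethods; return 0; }
    for alt in $methods; do
        case "${alt##*,}" in                # last method of the comma-separated chain
            keyboard-interactive|keyboard-interactive:*) ;;
            *) echo "weak-path:$alt"; return 0 ;;
        esac
    done
    echo ok
}

SSHD_WEAK="$(mktemp)"; SSHD_BOTH="$(mktemp)"; SSHD_PAMOFF="$(mktemp)"

# Constructed: a key holder can finish with publickey alone, so pam_duo never runs on that path.
cat > "$SSHD_WEAK" <<'EOF'
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey keyboard-interactive
EOF

# Constructed: key+Duo or password+Duo, the password collected by PAM through
# keyboard-interactive, so the SSH-level password method can stay off.
cat > "$SSHD_BOTH" <<'EOF'
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive keyboard-interactive
EOF

# Constructed: PAM disabled, so no pam_duo at all regardless of the method list.
cat > "$SSHD_PAMOFF" <<'EOF'
UsePAM no
AuthenticationMethods publickey,keyboard-interactive
EOF

for f in "$SSHD_WEAK" "$SSHD_BOTH" "$SSHD_PAMOFF"; do
    printf '%s: %s\n' "$f" "$(sshd_mfa_verdict "$f")"
done
```

On a real host run `sshd_mfa_verdict /etc/ssh/sshd_config`, or better `sshd -T` piped to a file, since `sshd -T` prints the effective values with Match blocks resolved; this check only covers the sshd side, and the PAM stack behind keyboard-interactive still has to run a password check before pam_duo for excluded users to be asked for anything.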