Compiling Duo Unix for SSH on Mac?

Tee · December 9, 2022, 5:19pm

I’m on a Mac with Ventura and wondering if I can add MFA to OpenSSH. It seems from this link that Duo Authentication only works for console logins (eg: NOT ssh) and to try Duo Unix if needing MFA for SSH Login protection. On the Duo Unix page however, many platforms are listed under Build and Install from Source however Mac OS isn’t one of them.

Anyone know if Mac OS works with Duo Unix or not?

Seems to be like one one person tried it in 2017. I downloaded Duo Unix today and tried building it but something is funky with the compiler flags. When running ./configure per the instructions I get:

checking whether compiling and linking against OpenSSL works... no
configure: error: in `/Users/tblader/src/duo/duo_unix-2.0.0':
configure: error: OpenSSL not found
See `config.log' for more details

Buuuut… OpenSSL has been installed via brew:

$ brew search openssl
==> Formulae
glib-openssl                              openslp                                   opensc                                    opencsg
openssl@1.1 ✔                             openssh                                   open-sp                                   openmsx
openssl@3 ✔

I’ve exported the proper variables as directed by the brew install command:

export LDFLAGS="-L/opt/homebrew/opt/openssl@3/lib"
export CPPFLAGS="-I/opt/homebrew/opt/openssl@3/include"

So I looked in config.log and found the compiler and linker commands along with the conftest.c program it was trying to compile:

Trying link with OPENSSL_LDFLAGS=; OPENSSL_LIBS=; OPENSSL_INCLUDES=
configure:13095: gcc -o conftest  -Wall -D_FORTIFY_SOURCE=2 -fPIE -fstack-protector  -I/opt/homebrew/opt/openssl@3/include   conftest.c   >&5

Undefined symbols for architecture arm64:
  "_SSL_new", referenced from:
      _main in conftest-1753b3.o

ld: symbol(s) not found for architecture arm64
clang: error: linker command failed with exit code 1 (use -v to see invocation)


#include <openssl/ssl.h>
int main ()
{
   SSL_new(NULL);
   return 0;
}
configure:13103: result: no

I made a conftest.c source file and tried compiling it by hand to make sure I was getting all the error messages:

$ export LDFLAGS="-L/opt/homebrew/opt/openssl@3/lib"; export CPPFLAGS="-I/opt/homebrew/opt/openssl@3/include"
$ gcc -o conftest -Wall -D_FORTIFY_SOURCE=2 -fPIE -fstack-protector  -I/opt/homebrew/opt/openssl@3/include   conftest.c 
Undefined symbols for architecture arm64:
  "_SSL_new", referenced from:
      _main in conftest-c151b6.o
ld: symbol(s) not found for architecture arm64
clang: error: linker command failed with exit code 1 (use -v to see invocation)

Is this supposed to work or is this the reason MacOS isn’t listed on the Duo Unix page?

Hiro_Nakano · December 10, 2022, 11:18pm

Hello @Tee

Welcome to Duo Security Community

Yes, our officially supported method to protect macOS is Duo Authentication for macOS.

It is possible to install Duo Unix on macOS, but we do not officially support this integration so please proceed at your own risk.

Please contact Duo Support to be added to the feature request.

Tee · December 12, 2022, 12:38pm

Hiro,
Thank you for clarifying. Our org has a new-ish security policy stating mandatory MFA for remote (ssh) access, and not just console logins, so kind of need to have this working… or tell everyone we need to switch from mac to a device with more complete support and that would not go so well.

After a lot of digging around the internet, I was able to get duo_unix-2.0.0 compiled over the weekend by symlinking openssl from the homebrew install location → /usr/local/include/openssl.

MFA with ssh is working for now but I’ll work with our Duo admins to get a feature request in.

Thanks!