Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1628
Views
0
Helpful
1
Replies

Duo 2FA in a loop

TBlaar
Level 1
Level 1

‎11-26-2018 04:49 AM

Hi there,

I have set up Duo on a client server that we manage. and retain root to. Our requirements are:

  1. No change to our users on the server (i.e no 2FA)
  2. 2FA only present for users who are in the duo2fa Unix group, and only after key and password auth has passed
  3. Duo account remains in client’s name (We do not want to manage SSH users via a control panel)

I’ve tested many scenarios and this mostly works for our users, but the client’s user keeps asking for 2FA even after I provide all the correct details.

My configs as follows:
/etc/pam.d/sshd:

@include common-auth
auth required pam_permit_if.so user ingroup duo2fa
auth required /lib64/security/pam_duo.so

What else is required to get the client’s user, which exists in the duo2fa group, to require an ssh key and password for auth, and then succeed once the 2FA succeeded?

Any help or pointing in the right direction would be appreciated.

Thanks!

Labels:
0 Helpful
1 Reply 1

DuoKristina
Cisco Employee
Cisco Employee

‎11-28-2018 06:32 AM

Did you edit common-author is it at the default values, so that pam_deny.so and pam_permit.so are invoked before the evaluation for group membership and then Duo MFA?

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents