Duo 2FA in a loop


#1

Hi there,

I have set up Duo on a client server that we manage and retain root to. Our requirements are:

  1. No change to our users on the server (i.e. no 2FA)
  2. 2FA only present for users who are in the duo2fa Unix group, and only after key and password auth has passed
  3. Duo account remains in client’s name (We do not want to manage SSH users via a control panel)

I’ve tested many scenarios and this mostly works for our users, but the client’s user keeps asking for 2FA even after I provide all the correct details.

My config is as follows:
/etc/pam.d/sshd:

@include common-auth
auth required pam_permit_if.so user ingroup duo2fa
auth required /lib64/security/pam_duo.so

What else is required to get the client’s user, which exists in the duo2fa group, to require an SSH key and password for auth, and then succeed once 2FA has succeeded?

Any help or pointing in the right direction would be appreciated.

Thanks!


#2

Did you edit common-auth, or is it at the default values, so that pam_deny.so and pam_permit.so are invoked before the evaluation for group membership and then Duo MFA?
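A constructed model of how Linux-PAM evaluates the stack that both posts discuss (added here as an example; it is not code from the thread or from Duo). It encodes the Debian/Ubuntu default common-auth that the posted sshd file @includes, then compares the posted tail, whose group test is "required" and is modelled here as a plain group-membership check, with a tail that uses the standard pam_succeed_if.so skip control so that only duo2fa members ever reach pam_duo.so, and only after the password has passed. The control-flag semantics are the standard ones; the module outcomes and the "group_check" label are assumptions.

```python
# Model of Linux-PAM "auth" control flags, constructed for this thread (not libpam).
# It covers required/requisite/sufficient and the '[success=N default=ignore]' jump.
REQUIRED, REQUISITE, SUFFICIENT = "required", "requisite", "sufficient"

def skip(n):                    # the bracketed control '[success=N default=ignore]'
    return ("skip", n)

def evaluate(stack, outcomes):
    """stack: list of (control, module); outcomes: module -> bool result.
    Returns (granted, modules_invoked) so a caller can see whether pam_duo ran."""
    verdict, invoked, i = None, [], 0
    while i < len(stack):
        control, module = stack[i]
        ok = outcomes[module]
        invoked.append(module)
        i += 1
        if isinstance(control, tuple):          # [success=N default=ignore]
            if ok:
                i += control[1]                  # jump over the next N lines
            continue                             # a failure here is ignored
        if control == SUFFICIENT:
            if ok and verdict is not False:
                return True, invoked
            continue
        if not ok:                               # required / requisite failure
            if control == REQUISITE:
                return False, invoked
            verdict = False
        elif verdict is None:
            verdict = True
    return verdict is True, invoked              # no verdict at all is a denial

# Debian/Ubuntu default common-auth, which the posted sshd file @includes.
COMMON_AUTH = [
    (skip(1), "pam_unix.so"),       # good password -> jump over pam_deny
    (REQUISITE, "pam_deny.so"),     # bad password  -> stop the stack here
    (REQUIRED, "pam_permit.so"),    # records the success the stack ends on
]
# Corrected tail: non-members of duo2fa jump over pam_duo, members must pass it.
#   auth [success=1 default=ignore] pam_succeed_if.so user notingroup duo2fa
#   auth required pam_duo.so
CORRECTED = COMMON_AUTH + [(skip(1), "pam_succeed_if.so"), (REQUIRED, "pam_duo.so")]
# Posted tail, modelled as a plain 'required' group test: a non-member's failure
# is recorded, pam_duo still runs, and the login is denied whatever Duo says.
POSTED = COMMON_AUTH + [(REQUIRED, "group_check"), (REQUIRED, "pam_duo.so")]

def login(stack, password_ok, in_group, duo_ok):
    outcomes = {"pam_unix.so": password_ok, "pam_deny.so": False, "pam_permit.so": True,
                "pam_succeed_if.so": not in_group, "group_check": in_group, "pam_duo.so": duo_ok}
    return evaluate(stack, outcomes)
```

login(CORRECTED, True, False, False) grants a non-member access without ever invoking pam_duo.so, and a wrong password stops at pam_deny.so before Duo is reached; login(POSTED, True, False, True) prompts Duo for the same non-member and then denies the login.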