My Duo Auth proxy appears to be failing all of my ssh logins after a 10 second interval. The timeout runs from when the (console) user hits [ENTER] on their password to the time they hit accept on the Duo push. I’ve increased all timeouts I can find on my auth chain to 60 seconds but the 10 second fail still persists.
The [ad_client] stanza in my authproxy.cfg contains a timeout of 60 but the default is 10. I’m wondering if something is messed up here because this is the only 10 second timeout I can find anywhere.
Right when the ssh server logs pam_ldap: ldap_result Timed out in syslog, this message is logged in the auth proxy’s authproxy.log file:
Received extraneous LDAP PDU while resolving a BindRequest: LDAPMessage(id=5, value=LDAPBindRequest(version=3, dn='', auth='**', sasl=False), controls=None)
If I drop the user into bypass mode in the Duo admin panel, the problem isn’t there, but I’m not sure that means anything since there is no incorporated token or lock-screen delay after entering a password.
I can simulate a network “outage” to test the ssh server timeout by firewalling the connection to the auth proxy on the OUTPUT chain right before the password is entered. After 60 seconds of waiting around, syslog notes a failed auth attempt. This seems to suggest the 10 second issue is still upstream (auth proxy or LDAP servers).
Can someone offer some insight as to what might be going on here? Is the timeout in authproxy.cfg being ignored somehow and defaults being used?