I have many service accounts, all with UID numbers less than 1000 which use ssh, rsync over ssh and sftp. I do not want them to have to use Duo, since they are all accessed with scripts and have very limited access anyway. Root (UID=0) is turned off in sshd_config anyway so I do not care about it. How would I go about setting up /etc/pam.d/sshd to only use Duo for users whose UID is 1000 or higher?
You could try a match block for the special accounts:

    # service1, service2, service3, etc. stand for the service account names
    Match User service1,service2,service3
        AuthenticationMethods publickey gssapi-with-mic password
What I ended up doing was creating a group named “duo” into which I added all regular shell-based users, enforced through Puppet. Then I added this into /etc/duo/pam_duo.conf
That took care of it for me.
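A check for the group-based approach in the last reply, as an added example that is not part of the thread: it compares membership of the duo group against the UID rule from the question, so drift in either direction shows up. The function names and the sample passwd/group data are constructed for illustration, and it assumes Duo is meant to apply only to members of a group named duo.

```shell
#!/bin/sh
# Added example: audit the "duo" group against the UID policy from the thread
# (UID >= 1000 should be prompted by Duo, service accounts below 1000 should not).

# duo_group_drift PASSWD_FILE GROUP_FILE [GROUP_NAME] [MIN_UID]
# Prints "MISSING user" for accounts at or above MIN_UID that are outside the
# group, and "UNEXPECTED user" for accounts below MIN_UID that are inside it.
duo_group_drift() {
    awk -F: -v grp="${3:-duo}" -v min="${4:-1000}" '
        # group(5) file: remember the gid and the supplementary member list.
        FILENAME == ARGV[1] {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[m[i]] = 1
            }
            next
        }
        # passwd(5) file: skip comments and malformed lines.
        /^#/ || NF < 7 { next }
        {
            # A user is in the group by member list or by primary gid.
            in_grp = (($1 in member) || (gid != "" && $4 == gid))
            if ($3 + 0 >= min && !in_grp) print "MISSING " $1
            if ($3 + 0 <  min &&  in_grp) print "UNEXPECTED " $1
        }
    ' "$2" "$1"
}

# Constructed sample data, not taken from a real host.
run_sample() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
backup:x:201:201:rsync backup:/var/backup:/bin/sh
xfer:x:202:202:sftp drop:/srv/xfer:/bin/sh
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:3000::/home/carol:/bin/bash
EOF
    cat > "$tmp/group" <<'EOF'
duo:x:3000:alice,xfer
backup:x:201:
EOF
    duo_group_drift "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}
```

On a real host, pass /etc/passwd and /etc/group, or files written from `getent passwd` and `getent group` when accounts come from a directory service.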