02-23-2022 05:35 PM
I have many service accounts, all with UID numbers less than 1000 which use ssh, rsync over ssh and sftp. I do not want them to have to use Duo, since they are all accessed with scripts and have very limited access anyway. Root (UID=0) is turned off in sshd_config anyway so I do not care about it. How would I go about setting up /etc/pam.d/sshd to only use Duo for users whose UID is 1000 or higher?
03-24-2022 01:59 PM
You could try a Match block for the special accounts:
# etc.: list every service account, comma-separated with no spaces
Match User service1,service2,service3
    AuthenticationMethods publickey gssapi-with-mic password
03-25-2022 04:36 AM
What I ended up doing was creating a group named “duo” into which I added all regular shell-based users, enforced through Puppet. Then I added this into /etc/duo/pam_duo.conf:
groups=duo
That took care of it for me.
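A check that could run alongside the group-based approach in the last post, as an added example that is not part of the original thread: it reports login-capable accounts with UID 1000 or higher that are missing from the duo group (and so would not be prompted by Duo), and accounts below 1000 that ended up in it. The sample passwd/group entries, the shell list and the function names are constructed for illustration.

```python
"""Audit which accounts a `groups=duo` line in pam_duo.conf would cover."""

UID_MIN = 1000  # threshold from the thread: regular users have UID >= 1000
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumed list

# Constructed sample data in passwd(5) / group(5) format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:301:301:rsync backup:/home/backup:/bin/bash
sftpsync:x:302:302::/home/sftpsync:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/zsh
nobody:x:65534:65534:nobody:/:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
backup:x:301:
duo:x:2000:alice,bob,sftpsync
"""

def parse_passwd(text):
    """Return {user: (uid, gid, shell)}, skipping blank or malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and not line.startswith("#"):
            users[fields[0]] = (int(fields[2]), int(fields[3]), fields[6])
    return users

def group_members(group_text, passwd, name):
    """Listed members of `name` plus users whose primary GID is that group."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == name:
            listed = {m for m in fields[3].split(",") if m}
            primary = {u for u, (_, gid, _) in passwd.items() if gid == int(fields[2])}
            return listed | primary
    raise KeyError(f"group {name!r} not found")

def audit(passwd_text, group_text, group="duo"):
    """Return (interactive users missing from group, sub-UID_MIN users in it)."""
    passwd = parse_passwd(passwd_text)
    members = group_members(group_text, passwd, group)
    missing = sorted(u for u, (uid, _, shell) in passwd.items()
                     if uid >= UID_MIN and shell not in NOLOGIN_SHELLS and u not in members)
    unexpected = sorted(u for u in members if u in passwd and passwd[u][0] < UID_MIN)
    return missing, unexpected

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_GROUP))
```

On a real host, pass the contents of /etc/passwd and /etc/group (or `getent` output when accounts come from a directory service) instead of the sample strings.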