DUO for Linux SSH

Hello Duo,
I'm configuring DUO to protect SSH on our Linux servers (CentOS). I followed all steps in the guide but it doesn't work. Could you please assist me in troubleshooting it?
My current configuration:

cat /etc/duo/pam_duo.conf

[duo]
; Duo integration key
ikey = ************************
; Duo secret key
skey = ***************************
; Duo API host
host = ***************************
; failmode = safe In the event of errors with this configuration file or connection to the Duo service
; this mode will allow login without 2FA.
; failmode = secure This mode will deny access in the above cases. Misconfigurations with this setting
; enabled may result in you being locked out of your system.
failmode = safe
; Send command for Duo Push authentication
pushinfo = yes

cat /etc/ssh/sshd_config

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

SyslogFacility AUTHPRIV

AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication no

ChallengeResponseAuthentication yes

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

UseDNS no

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

Subsystem sftp /usr/libexec/openssh/sftp-server

cat /etc/pam.d/password-auth
#%PAM-1.0
#This file is auto-generated.
#User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
#auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_unix.so nullok try_first_pass
auth sufficient pam_duo.so
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok

password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

In the logs I found the following:

/var/log/secure
Aug 4 15:20:50 centos-duo1 sshd[1607]: Failsafe Duo login for 'root' from 192.168.168.168: Couldn't connect to **********************: Failed to connect
Aug 4 15:20:50 centos-duo1 sshd[1605]: Accepted keyboard-interactive/pam for root from 192.168.168.168 port 63600 ssh2
Aug 4 15:20:50 centos-duo1 sshd[1605]: pam_unix(sshd:session): session opened for user root by (uid=0)

The UNIX application is created in the DUO Admin portal. What is wrong? In the same network we have several Windows Computers and all of them are successfully protected.
On our firewall I don't even see any attempts to connect to the API host from the Linux machine.

I very much appreciate your help.
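The log lines above show the security-relevant side effect of `failmode = safe`: when pam_duo cannot reach the API host, sshd accepts the login with no second factor. A small detector for that pattern, added here as an example (not Duo's code or anything from the original post); the sample log is constructed from the format shown above, and the API hostname in it is a placeholder:

```python
import re

# Constructed sample in the /var/log/secure format from the post.
# "api-XXXXXXXX.duosecurity.com" is a placeholder, not a real Duo host.
SAMPLE_LOG = """\
Aug 4 15:20:50 centos-duo1 sshd[1607]: Failsafe Duo login for 'root' from 192.168.168.168: Couldn't connect to api-XXXXXXXX.duosecurity.com: Failed to connect
Aug 4 15:20:50 centos-duo1 sshd[1605]: Accepted keyboard-interactive/pam for root from 192.168.168.168 port 63600 ssh2
Aug 4 15:20:50 centos-duo1 sshd[1605]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 4 15:25:12 centos-duo1 sshd[1702]: Successful Duo login for 'alice' from 192.168.168.50
Aug 4 15:25:12 centos-duo1 sshd[1700]: Accepted keyboard-interactive/pam for alice from 192.168.168.50 port 63700 ssh2
"""

# pam_duo line written when failmode=safe lets a login through without 2FA
FAILSAFE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"Failsafe Duo login for '(?P<user>[^']+)' from (?P<src>\S+): (?P<reason>.*)$"
)
# sshd line confirming the session was actually granted
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def find_failsafe_logins(log_text):
    """Return one alert per Duo failsafe bypass, recording whether sshd then
    accepted a session for the same host/user/source (i.e. no second factor)."""
    accepted = set()
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            accepted.add((m["host"], m["user"], m["src"]))
    alerts = []
    for line in log_text.splitlines():
        m = FAILSAFE_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["user"], m["src"])
        alerts.append({
            "time": m["ts"], "host": m["host"], "user": m["user"],
            "src": m["src"], "reason": m["reason"],
            "session_opened": key in accepted,   # bypass actually used
            "privileged": m["user"] == "root",   # escalate if root
        })
    return alerts


if __name__ == "__main__":
    for alert in find_failsafe_logins(SAMPLE_LOG):
        print(alert)
```

Run it over a real `/var/log/secure` instead of `SAMPLE_LOG` to list every login that went through without 2FA while the API host was unreachable; a non-empty result is the signal to fix connectivity (here SELinux) or reconsider `failmode = safe`.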

I found the reason: SELinux. I tried to create an exception, but it failed:

[root@duo-centos1 duo_unix-1.11.4]# make -C pam_duo semodule
make: Entering directory `/temp/duo_unix-1.11.4/pam_duo'
make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/temp/duo_unix-1.11.4/pam_duo'
Compiling targeted authlogin_duo module
/usr/bin/checkmodule: loading policy configuration from tmp/authlogin_duo.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 19) to tmp/authlogin_duo.mod
Creating targeted authlogin_duo.pp policy package
rm tmp/authlogin_duo.mod.fc tmp/authlogin_duo.mod
make[1]: Leaving directory `/temp/duo_unix-1.11.4/pam_duo'
make: Leaving directory `/temp/duo_unix-1.11.4/pam_duo'
[root@duo-centos1 duo_unix-1.11.4]# make -C pam_duo semodule-install
make: Entering directory `/temp/duo_unix-1.11.4/pam_duo'
bzip2 -9 authlogin_duo.pp
make: bzip2: Command not found
make: [semodule-install] Error 127 (ignored)
install -d /usr/share/selinux/packages/
install -m 0644 authlogin_duo.pp.bz2 /usr/share/selinux/packages/
install: cannot stat ‘authlogin_duo.pp.bz2’: No such file or directory
make: [semodule-install] Error 1 (ignored)
semodule -i /usr/share/selinux/packages/authlogin_duo.pp.bz2
libsemanage.map_file: Unable to open /usr/share/selinux/packages/authlogin_duo.pp.bz2 (No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file /usr/share/selinux/packages/authlogin_duo.pp.bz2 (No such file or directory).
semodule: Failed on /usr/share/selinux/packages/authlogin_duo.pp.bz2!
make: [semodule-install] Error 1 (ignored)
make: Leaving directory `/temp/duo_unix-1.11.4/pam_duo'

Any suggestions?

Solution:

yum install bzip2
