Good Morning! I’m running into some issues with doing an implementation of Duo on a few servers in my Linux environment.
I’m following pretty accurately the guide that is posted at “Duo Unix - 2FA for SSH with PAM Support (pam_duo) | Duo Security”, and I’ve noticed something. When I enter in a username that’s in Duo, it’ll take me right to the Duo screen, asking for either an SMS code, a phone code, or a push. It never prompts me for a password. This is not the behavior I am looking for. I am looking for it to allow me to enter in a password, and then prompt me for a Duo Push, so a true 2FA.
We’re only looking to do this on a password login right now, so I’m only concerned about the system-auth file. I’m running Oracle Linux 7, so I’m using the instructions designed for RHEL7 currently.
Also, how do I make sure the root account is excluded from a Duo 2FA?