Duo Linux - Password AND Push Authentications


#1

Good Morning! I’m running into some issues with doing an implementation of Duo on a few servers in my Linux environment.

I’m following pretty accurately the guide that is posted at Duo Unix - 2FA for SSH with PAM Support (pam_duo) | Duo Security and I’ve noticed something. When I enter in a username that’s in Duo, it’ll take me right to the Duo screen, asking for either an SMS code, a phone code, or a push. It never prompts me for a password. This is not the behavior I am looking for. I am looking for it to allow me to enter in a password, and then prompt me for a Duo Push, so a true 2FA.

We’re only looking to do this on a password login right now, so I’m only concerned about the system-auth file. I’m running Oracle Linux 7, so I’m using the instructions designed for RHEL7 currently.

Also, how do I make sure the root account is excluded from a Duo 2FA?


#2

Good news: one of my co-workers has solved this issue. We’re using the login_duo module and added the command post-login.

Two other thoughts:

  1. Is there a way to limit this to people who log in using a specific port? We have a server which allows logins on both the standard SSH port and a non-standard port, and we want to use Duo only on the non-standard port.

  2. What’s the easiest way to exclude ONLY the root user on this?