
05-26-2022 01:48 PM
Hello,
I was testing Duo on AlmaLinux9 (RHEL 9 derivative) and found an issue with the Duo RPM registry. After getting some help from the AlmaLinux community, I found out that AlmaLinux9 (and presumably other RHEL9 derivatives) have disabled SHA1 signatures by default, which Duo uses.
I’m going a bit off the road with this one because there’s not an official Duo build for EL9 yet (hope there is). I’m actually using the EL8 builds for an EL9 distro.
The issue presents like this:
root@localhost# rpm --import https://duo.com/DUO-GPG-PUBLIC-KEY.asc
error: https://duo.com/DUO-GPG-PUBLIC-KEY.asc: key 1 import failed.
The work-around is pretty straightforward:
root@localhost# update-crypto-policies --set DEFAULT:SHA1
To return the system to a normal state:
root@localhost# update-crypto-policies --set DEFAULT
Additionally, you need to install compat-openssl11 so pam_duo.so will work:
root@localhost# dnf install -y compat-openssl11 duo_unix
The true fix is to update the repository signature keys to use SHA256 instead of SHA1, as well as producing a build for EL9 systems. Unfortunately that means rolling the keys. If Duo/Cisco has plans to do so, I’d like to know since this is a disruptive thing.
In the meantime, I hope this helps others.
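One way to check which digest a key file's signatures use before changing the crypto policy, as an added example that is not part of the original post or Duo's tooling. It parses the text printed by `gpg --list-packets`; the function names and the sample packet listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag weak signature digests in `gpg --list-packets` output.
# Real use (file name assumed): gpg --list-packets KEY.asc | check_key_digests

# Map an OpenPGP hash algorithm ID (RFC 4880, section 9.4) to its name.
digest_name() {
    case "$1" in
        1)  echo MD5 ;;
        2)  echo SHA1 ;;
        3)  echo RIPEMD160 ;;
        8)  echo SHA256 ;;
        9)  echo SHA384 ;;
        10) echo SHA512 ;;
        11) echo SHA224 ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Read a packet listing on stdin, print one line per signature packet,
# and return 1 if any signature uses MD5 or SHA1.
check_key_digests() {
    weak=0
    # Signature packets carry a line such as "digest algo 2, begin of digest ab cd".
    for id in $(sed -n 's/^[[:space:]]*digest algo \([0-9][0-9]*\),.*/\1/p'); do
        case "$id" in
            1|2) echo "WEAK $(digest_name "$id")"; weak=1 ;;
            *)   echo "ok   $(digest_name "$id")" ;;
        esac
    done
    return "$weak"
}

# Constructed sample listings (not taken from any real key).
SAMPLE_SHA1=':public key packet:
    version 4, algo 1, created 1300000000, expires 0
:user ID packet: "Example Signing Key <pkg@example.invalid>"
:signature packet: algo 1, keyid 0000000000000000
    version 4, created 1300000000, md5len 0, sigclass 0x13
    digest algo 2, begin of digest ab cd'
SAMPLE_SHA512=':signature packet: algo 1, keyid 0000000000000000
    version 4, created 1650000000, md5len 0, sigclass 0x13
    digest algo 10, begin of digest 12 34'

# Demo on the constructed samples; "|| true" keeps the script's exit status clean.
printf '%s\n' "$SAMPLE_SHA1" | check_key_digests || true
printf '%s\n' "$SAMPLE_SHA512" | check_key_digests || true
```

A non-zero return on a vendor key identifies it as one that the EL9 DEFAULT policy is likely to reject at import time.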
Accepted Solutions

06-01-2022 03:02 PM
Thanks for letting us know about this. We will roll the key tomorrow to SHA512 with the next Duo Unix release.
Heads-up: GPG key for Duo Unix will be updated June 2, 2022
Editing response to mention 1.12.1 release is out with CentOS Stream 9, RHEL 9, and Fedora 34 packages.

06-03-2022 01:34 PM
Thanks, you managed to solve two of my problems in one shot: the move to SHA256 and official RHEL9 support (which means Alma9 is supported).

06-06-2022 05:14 AM
Thanks for your post! It helped us address the signature issue before the release.
