Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2705
Views
3
Helpful
2
Replies

Duo Unix - exclude root when logging in with keyboard?

lee5
Level 1
Level 1

‎12-29-2018 08:08 AM

I’ve got duo unix installed on a remote dedicated server running ubuntu 16.04 LTS. I’ve installed it per the instructions and everything is working great. SSH logins and sudo invocations get challenged with a duo prompt, which is exactly what I want.

However, last night the server suffered a failed drive and the hosting company techs needed to log in to replace & rebuild the drive. The failed drive was part of a software raid 1 set and the techs wanted local root access via IPMI to do the necessary mdadm voodoo to rebuild the mirror.

Fortunately, when they contacted me with the trouble ticket, I was in a spot where I could immediately log onto the server and temporarily disable duo, which seemed to be the most expedient way to get them logged in so the problem could be fixed.

It seems like it would be easier for future incidents if I could exclude the root account from duo protection so that they can log in as needed. I already have root login via ssh disabled, so my understanding is this wouldn’t broaden my attack surface in any meaningful way (yes, keyboard root logins would be unprotected by duo, but if you’ve got physical access to the server, all bets are off anyway). There’s no PII on the server and my concern is with keeping potential attackers out, rather than datacenter techs on break/fix work.

tl;dr - Is there an easy way to exclude root from duo prompts? Would this potentially be as simple as logging into my duo admin console and creating a user named “root” and setting that user’s duo status to “bypass”? Or are there some config files to deal with? Also, am I overlooking any really obvious problems/issues by going this route?

Labels:
0 Helpful
2 Replies 2

gnyce
Level 1
Level 1

‎01-03-2019 04:40 AM

use ‘groups’ in /etc/duo/pam_duo.conf… e.g. “groups=*,!root”

If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern lists.

A pattern consists of zero or more non-whitespace characters, " * " (a wild card that matches zero or more characters), or " ? " (a wildcard that matches exactly one character).

A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark (" ! "). For example, to specify Duo authentication for all users (except those that are also admins), and for guests:

groups = users,!wheel,!*admin guests

lee5
Level 1
Level 1
In response to gnyce

‎01-03-2019 05:55 AM

Thank you, @gnyce - I believe that exactly addresses my use case!

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents