I’ve got Duo Unix installed on a remote dedicated server running Ubuntu 16.04 LTS. I’ve installed it per the instructions and everything is working great. SSH logins and sudo invocations get challenged with a Duo prompt, which is exactly what I want.
However, last night the server suffered a failed drive and the hosting company techs needed to log in to replace & rebuild the drive. The failed drive was part of a software RAID 1 set and the techs wanted local root access via IPMI to do the necessary mdadm voodoo to rebuild the mirror.
Fortunately, when they contacted me with the trouble ticket, I was in a spot where I could immediately log onto the server and temporarily disable Duo, which seemed to be the most expedient way to get them logged in so the problem could be fixed.
It seems like it would be easier for future incidents if I could exclude the root account from Duo protection so that they can log in as needed. I already have root login via SSH disabled, so my understanding is this wouldn’t broaden my attack surface in any meaningful way (yes, keyboard root logins would be unprotected by Duo, but if you’ve got physical access to the server, all bets are off anyway). There’s no PII on the server and my concern is with keeping potential attackers out, rather than datacenter techs on break/fix work.
tl;dr - Is there an easy way to exclude root from Duo prompts? Would this potentially be as simple as logging into my Duo admin console and creating a user named “root” and setting that user’s Duo status to “bypass”? Or are there some config files to deal with? Also, am I overlooking any really obvious problems/issues by going this route?
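One way to do the root exclusion at the PAM layer, as an added example that is not from the original post or from Duo's documentation: the stock Linux-PAM module pam_succeed_if can jump over the pam_duo line only when the account being authenticated is uid 0, so the local/IPMI root console login gets a password check but no Duo prompt while every other user is still challenged. The file (/etc/pam.d/common-auth) and the surrounding pam_unix/pam_deny/pam_permit lines are assumptions about a typical Ubuntu 16.04 host where pam_duo was added to the common-auth stack.

```conf
# /etc/pam.d/common-auth (excerpt; assumed layout of an Ubuntu 16.04 host with pam_duo)

# Primary password check first. requisite: a wrong password ends the stack here,
# so root still needs its password at the IPMI console.
auth  requisite                       pam_unix.so nullok_secure

# Root exclusion. If the user being authenticated is uid 0, succeed and skip
# the next 2 modules (pam_duo and pam_deny), landing on pam_permit below.
# For any other user the condition fails and "default=ignore" falls through
# to pam_duo. "quiet" keeps the match out of the auth log.
auth  [success=2 default=ignore]      pam_succeed_if.so uid eq 0 quiet

# Duo second factor for everyone else. On success, skip pam_deny.
auth  [success=1 default=ignore]      pam_duo.so

# Reached only when pam_duo neither succeeded nor was skipped for root.
auth  requisite                       pam_deny.so
auth  required                        pam_permit.so
```

Because the skip keys on uid 0 and sits after pam_unix, it does not relax sshd's PermitRootLogin setting or the password requirement; test the edited stack from a second, already-open session before closing the one you edit it from, since a mistake in common-auth can lock out all logins.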