Duo Unix - exclude root when logging in with keyboard?


#1

I’ve got duo unix installed on a remote dedicated server running ubuntu 16.04 LTS. I’ve installed it per the instructions and everything is working great. SSH logins and sudo invocations get challenged with a duo prompt, which is exactly what I want.

However, last night the server suffered a failed drive and the hosting company techs needed to log in to replace & rebuild the drive. The failed drive was part of a software raid 1 set and the techs wanted local root access via IPMI to do the necessary mdadm voodoo to rebuild the mirror.

Fortunately, when they contacted me with the trouble ticket, I was in a spot where I could immediately log onto the server and temporarily disable duo, which seemed to be the most expedient way to get them logged in so the problem could be fixed.

It seems like it would be easier for future incidents if I could exclude the root account from duo protection so that they can log in as needed. I already have root login via ssh disabled, so my understanding is this wouldn’t broaden my attack surface in any meaningful way (yes, keyboard root logins would be unprotected by duo, but if you’ve got physical access to the server, all bets are off anyway). There’s no PII on the server and my concern is with keeping potential attackers out, rather than datacenter techs on break/fix work.

tl;dr - Is there an easy way to exclude root from duo prompts? Would this potentially be as simple as logging into my duo admin console and creating a user named “root” and setting that user’s duo status to “bypass”? Or are there some config files to deal with? Also, am I overlooking any really obvious problems/issues by going this route?


#2

use ‘groups’ in /etc/duo/pam_duo.conf… e.g. “groups=*,!root”

If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern lists.

A pattern consists of zero or more non-whitespace characters, "*" (a wildcard that matches zero or more characters), or "?" (a wildcard that matches exactly one character).

A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark ("!"). For example, to specify Duo authentication for all users (except those that are also admins), and for guests:

groups = users,!wheel,!*admin guests
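To sanity-check a `groups` line before putting it in pam_duo.conf, here is an added example (my own code, not Duo's) that reimplements the matching rules quoted above: space-separated pattern lists, comma-separated patterns, `*`/`?` wildcards and `!` negation. It assumes a negated match vetoes the whole pattern list, the way OpenSSH-style group pattern lists behave and the way the "users,!wheel,!*admin" example reads; that is my reading of the semantics, not a claim about duo_unix internals.

```python
"""Dry-run a pam_duo 'groups=' value against a user's group list.

Added example, not duo_unix code. Assumption: within one pattern list a
negated pattern that matches any of the user's groups vetoes the list
(OpenSSH AllowGroups-style), so a user in both 'users' and 'wheel' is
excluded by "users,!wheel".
"""


def match_pattern(pattern: str, name: str) -> bool:
    """Glob match: '*' matches any run of characters, '?' exactly one."""
    if not pattern:
        return name == ""
    if pattern[0] == "*":
        # Try every possible split point for the wildcard.
        return any(match_pattern(pattern[1:], name[i:]) for i in range(len(name) + 1))
    if not name:
        return False
    if pattern[0] == "?" or pattern[0] == name[0]:
        return match_pattern(pattern[1:], name[1:])
    return False


def match_pattern_list(pattern_list: str, name: str) -> int:
    """Return 1 (match), -1 (negated match), 0 (no match) for one group name."""
    found = 0
    for pattern in pattern_list.split(","):
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if pattern and match_pattern(pattern, name):
            if negated:
                return -1  # negated match wins for this name
            found = 1
    return found


def duo_required(groups_value: str, user_groups) -> bool:
    """True if Duo would challenge a user with these primary+supplementary groups."""
    for pattern_list in groups_value.split():  # space-separated pattern lists
        found = False
        for group in user_groups:
            result = match_pattern_list(pattern_list, group)
            if result == -1:
                found = False  # one negated match vetoes this whole list
                break
            if result == 1:
                found = True
        if found:
            return True
    return False
```

Feed it each account's actual group list (e.g. from `id -Gn user`) to see who would be exempted; a pattern such as `!root` only ever excludes the root group, so any admin account that shares a group with root must be checked separately.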

#3

Thank you, @gnyce - I believe that exactly addresses my use case!