Duo-unix on ubuntu 14.04LTS -- Permission denied?


#1

Hello all,

Sorry if this is not the correct place for my question. I am new and trying to learn. Please let me know and I will move/delete this.

I am trying to set up duo-unix to do 2FA + ssh-key authentication on a Linux VM (Ubuntu 14.04) as a test. I am using the Ubuntu repository supplied in the guide/doc here: https://duo.com/docs/duounix

My current steps are:

ubuntu@duo2fa-test-free:~$ sudo apt-get install build-essential libss-dev
ubuntu@duo2fa-test-free:~$ sudo apt-get update && sudo apt-get upgrade -y
ubuntu@duo2fa-test-free:~$ curl -s https://duo.com/■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■/Ubuntu trusty main' | sudo tee /etc/apt/sources.list.d/duosecurity.list
ubuntu@duo2fa-test-free:~$ sudo apt-get update && sudo apt-get install duo-unix

ubuntu@duo2fa-test-free:~$ cat <<EOF | sudo tee /etc/duo/duo_login.conf
ikey =
skey =
host =
groups = users,!root
failmode = safe
pushinfo = yes
http_proxy = http://cloud-proxy:3128/
autopush = yes
motd = yes
prompts = 1
accept_env_factor = no
fallback_local_ip = no
https_timeout = 0
EOF

ubuntu@duo2fa-test-free:~$ /usr/sbin/login_duo
Couldn’t open /etc/duo/login_duo.conf: Permission denied

On top of this my environment seems to be somewhat broken as well::

ubuntu@duo2fa-test-free:~$ exit
logout
ubuntu@duo2fa-test-free:~$ exit
Connection to 172.16.135.16 closed.
lookcrabs@local:~$ ssh -Al ubuntu 172.16.135.16
Couldn’t open /etc/duo/login_duo.conf: Permission denied

I have tried this on multiple fresh Ubuntu 14.04 VMs on DigitalOcean and on my local laptop with the same result. I have also built from source, and again I get permission denied without any form of prompt for an authenticator.

Is there a way to enforce 2fa for non-root users without locally installing login_duo?


#2

Are you trying to install PAM Duo or Login Duo? You linked to the PAM doc but then mention duo_login.conf (so, Login Duo).

In the enabling section of Login Duo’s instructions we do warn you that ForceCommand does run login_duo using the user’s shell.

To deploy Duo Unix to everyone, we recommend following the PAM Duo instructions. Have you tried following that process yet?
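
Added example, not part of either post and not Duo's own tooling: a shell check for the state shown in post #1, where the heredoc writes /etc/duo/duo_login.conf while login_duo reports on /etc/duo/login_duo.conf. The function name, its finding labels, and the premise that login_duo relies on the setuid bit to read a config the invoking user cannot read are assumptions.

```shell
#!/bin/sh
# Added example: not from the thread and not Duo's own tooling.
# check_login_duo DIR BIN prints one finding per line and returns
# non-zero if any were found. DIR and BIN are parameters so the check
# can be run against a scratch copy instead of the live system.
# Usage on a host: check_login_duo /etc/duo /usr/sbin/login_duo
check_login_duo() {
    dir=$1
    bin=$2
    rc=0
    conf="$dir/login_duo.conf"   # file name taken from the error in post #1

    if [ ! -e "$conf" ]; then
        echo "MISSING $conf"
        rc=1
        # Near-miss names, e.g. the duo_login.conf the heredoc wrote.
        for f in "$dir"/*duo*.conf; do
            [ -e "$f" ] && echo "LOOKALIKE $f"
        done
    else
        # The file holds skey, so group and other must have no access.
        mode=$(stat -c '%a' "$conf")   # GNU stat, as shipped on Ubuntu
        case $mode in
            *00) ;;
            *) echo "LOOSE_MODE $mode $conf"; rc=1 ;;
        esac
    fi

    # Assumption: login_duo needs the setuid bit to open a config that
    # the invoking user cannot read; without it the open is denied.
    if [ -e "$bin" ] && [ ! -u "$bin" ]; then
        echo "NOT_SETUID $bin"
        rc=1
    fi
    return $rc
}
```

A `sudo tee` heredoc creates the file under root's umask, so a `LOOSE_MODE` finding on a file that contains `skey` is worth fixing before anything else.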