DUO Unix - only for SSH login (not for sftp, etc.)


#1

Hello,
I followed the instructions to install Duo Unix to allow 2FA also for logging in via SSH to Linux servers.

Now, any time I log in, the push notification appears on the users' phones.

Is there a way to exclude the SFTP service and sudo from this?
I would like to authenticate with 2FA when I log in to the servers with SSH, but I want to exclude SFTP and, if possible, sudo. SFTP would be acceptable if it appeared only once, but it is appearing every time a "save" command is executed.

Or is the approach to create separate users for the SFTP service without Duo?

Thank you for your help!


#2

Aloha condatis1!

Unfortunately, there doesn't seem to be a way to separate SSH from SFTP logins with Duo Unix, because you apply pam_duo to the whole sshd stack. You may need to create separate users for SFTP logins without two-factor authentication. You could put these users in a particular group and then use the pam_duo.conf option "groups" to exclude those group members from Duo authentication.

To avoid invoking Duo for sudo, you can simply refrain from adding pam_duo.so to the system-wide common-auth or system-auth stack and configure only sshd in the PAM stack.

Thanks for using Duo!
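The layout the reply describes (pam_duo.so only in the sshd PAM stack, a "groups" exclusion in pam_duo.conf for an SFTP-only group) as an added example; this is not Duo's own code or anything posted in the thread. The group name "sftp-only", the placeholder ikey/skey/host values, the Debian-style auth stack and the list of system-wide stacks that are checked are all assumptions. The "groups" syntax (comma-separated patterns, "!" negates a pattern) follows the GROUPS section of login_duo(8); confirm it against the manual page shipped with your version before relying on it.

```shell
#!/bin/sh
# Added example (not from the original thread): render a pam_duo.conf that
# exempts one group, render an sshd-only PAM auth stack, and check that
# pam_duo.so is referenced by sshd and by no system-wide or sudo stack.
#
# Usage:
#   sh duo_sshd_only.sh render-conf sftp-only > pam_duo.conf.new
#   sh duo_sshd_only.sh render-sshd            # lines to merge into /etc/pam.d/sshd
#   sh duo_sshd_only.sh check [/etc/pam.d]     # exit 0 if Duo is scoped to sshd only

# Print a pam_duo.conf in which every user is subject to Duo except members
# of the group given as $1. ikey/skey/host are placeholders (assumption):
# replace them with the values from the Duo Admin Panel and keep the file 0600.
render_duo_conf() {
    grp=$1
    cat <<EOF
[duo]
ikey = DIXXXXXXXXXXXXXXXXXX
skey = REPLACE_WITH_SECRET_KEY
host = api-XXXXXXXX.duosecurity.com
; Pattern list: any group ("*") AND NOT the SFTP-only group ("!").
; Members of ${grp} skip Duo entirely; everyone else is prompted.
groups = *,!${grp}
; Refuse logins if the Duo service is unreachable (default is "safe").
failmode = secure
EOF
}

# Print the auth section for /etc/pam.d/sshd. The point is that pam_duo.so
# lives here and is never added to common-auth/system-auth, so sudo, su and
# console login keep their normal single-factor stack. Debian-style layout
# (assumption); replace "@include common-auth" in the stock sshd file with
# these lines. Use the full path to pam_duo.so if it is not installed in the
# default PAM module directory.
render_sshd_auth_stack() {
    cat <<'EOF'
# Duo Unix for SSH only: password first, then Duo; no @include common-auth here.
auth    requisite                   pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_duo.so
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
EOF
}

# Return 0 when an active "auth" line in $1/sshd loads pam_duo.so and none of
# the system-wide or sudo stacks do; return 1 (with a reason on stderr) otherwise.
# Commented-out lines are ignored because the regex requires "auth" to be the
# first non-blank token on the line.
check_duo_scope() {
    pam_dir=${1:-/etc/pam.d}
    re='^[[:space:]]*auth[[:space:]].*pam_duo\.so'
    if ! grep -Eq "$re" "$pam_dir/sshd" 2>/dev/null; then
        echo "pam_duo.so is not in $pam_dir/sshd" >&2
        return 1
    fi
    # Stacks that would extend Duo beyond SSH if pam_duo.so appeared in them
    # (list is an assumption; extend it for your distribution).
    for f in common-auth system-auth password-auth sudo sudo-i su login; do
        [ -f "$pam_dir/$f" ] || continue
        if grep -Eq "$re" "$pam_dir/$f"; then
            echo "pam_duo.so also present in $pam_dir/$f (Duo would apply beyond SSH)" >&2
            return 1
        fi
    done
    return 0
}

case "${1:-}" in
    render-conf) render_duo_conf "${2:-sftp-only}" ;;
    render-sshd) render_sshd_auth_stack ;;
    check)       check_duo_scope "${2:-/etc/pam.d}" ;;
    *)           ;;   # no subcommand: define functions only
esac
```

For the pam_duo prompt to run at all, sshd must be using PAM for authentication: UsePAM yes and keyboard-interactive authentication enabled in sshd_config (KbdInteractiveAuthentication, called ChallengeResponseAuthentication in older OpenSSH). Run the check subcommand after every package upgrade, since distribution updates to common-auth or system-auth are the usual way pam_duo.so ends up in a stack where it was not intended.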