
DUO Unix - only for SSH login (not for sftp, etc.)

condatis1
Level 1

Hello,
I followed the instructions to install DUO Unix to allow 2FA also for logging in via SSH to Linux servers.

Now any time I log in the push notification appears on the phones of the users.

Is there a way to exclude the SFTP service and SUDO from this?
I would like to authenticate even with 2FA when I log in with SSH to the servers but I want to exclude SFTP and if possible sudo. SFTP would be acceptable if it's appearing only one time but it is appearing every time a “save” command is executed.

Or is the approach to create separate users for SFTP service without DUO?

Thank you for help!

1 Reply

DuoKristina
Cisco Employee

Aloha condatis1!

Unfortunately, there doesn’t seem to be a way to separate out ssh from sftp logins with Duo Unix because you apply pam_duo to the whole sshd stack. You may need to create a separate user for sftp logins without two-factor authentication. You could put these users in a certain group and then use the pam_duo.conf option groups to exclude those group members from Duo authentication.

To avoid invoking Duo for sudo you can simply refrain from adding pam_duo.so to common-auth or system-auth system-wide authentication and just configure sshd in the PAM stack.

Thanks for using Duo!

Duo, not DUO.
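
One way to check the setup described in the reply above, as an added example that is not part of the original thread or Duo's own tooling: a shell audit that reports whether a PAM service reaches pam_duo.so (directly or through included files) and what the groups option in pam_duo.conf is set to. The /etc/duo/pam_duo.conf path, the sftponly group name and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which PAM services end up calling pam_duo.so.
# ACTIVE matches a non-comment line that loads the module.
ACTIVE='^[[:space:]]*[^#[:space:]].*pam_duo\.so'

# duo_reaches ROOT SERVICE: succeeds if SERVICE's PAM file loads pam_duo.so
# itself or through @include / include / substack (followed up to 5 levels).
# The body is a subshell so the recursion does not clobber its variables.
duo_reaches() (
    file="$1/etc/pam.d/$2"; depth=${3:-0}
    [ -f "$file" ] && [ "$depth" -lt 5 ] || exit 1
    grep -Eq "$ACTIVE" "$file" && exit 0
    for inc in $(awk '$1 ~ /^#/ {next}
                      $1 == "@include" {print $2}
                      $2 == "include" || $2 == "substack" {print $3}' "$file"); do
        duo_reaches "$1" "$inc" $((depth + 1)) && exit 0
    done
    exit 1
)

# duo_groups ROOT: print the "groups" setting from pam_duo.conf, if any.
# The path /etc/duo/pam_duo.conf is an assumption; some packages use another.
duo_groups() {
    sed -n 's/^[[:space:]]*groups[[:space:]]*=[[:space:]]*//p' \
        "$1/etc/duo/pam_duo.conf" 2>/dev/null
}

# Constructed sample tree (not from the original thread): Duo only in sshd,
# sudo pulling in common-auth, and a hypothetical "sftponly" group excluded.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/etc/pam.d" "$SAMPLE/etc/duo"
printf '%s\n' '# @include common-auth' 'auth required pam_duo.so' \
    > "$SAMPLE/etc/pam.d/sshd"
printf '%s\n' 'auth required pam_unix.so' > "$SAMPLE/etc/pam.d/common-auth"
printf '%s\n' '@include common-auth' > "$SAMPLE/etc/pam.d/sudo"
printf '%s\n' '[duo]' 'groups = *,!sftponly' > "$SAMPLE/etc/duo/pam_duo.conf"

for svc in sshd sudo; do
    if duo_reaches "$SAMPLE" "$svc"; then echo "$svc: Duo prompt"
    else echo "$svc: no Duo"; fi
done
echo "groups = $(duo_groups "$SAMPLE")"
```

Calling the functions with an empty ROOT, for example `duo_reaches "" sudo`, audits the live /etc instead of the sample tree.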