Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2224
Views
0
Helpful
2
Replies

Duo UNIX with Multiple MSP Accounts

BSC01
Level 1
Level 1

‎01-01-2019 04:02 PM

Hi,

we are testing Duo UNIX in a multi-tenanted hosting environment for SSH access. The UNIX users accessing the Linux servers are in two different groups with two different MSP accounts. At a high level the users are grouped into “admins” which comes from one MSP account, and “developers” which comes from another MSP account.

We have setup the Duo UNIX application in each of the MSP accounts. We have the ikey and skey available for each of the MSP accounts however when configuring the /etc/duo/pam_duo.conf file there is only an option to setup one of the ikey and skey values which would make is choose to have Duo on either the “admins” or the “developers”.

Is there an option available to setup /etc/duo/pam_duo.conf to use specific ikey and skey values based on the user group?

Thanks,

Mark

0 Helpful
2 Replies 2

MacD1
Level 1
Level 1

‎01-04-2019 06:30 AM

Hi BurgeAU,

Thank you for reaching out to the community regarding your Pam setup.

Presently Duo only integrates at a system wide level and does not offer the ability to utilize user groups for a single Duo Integration. Each installation can only tie to one individual Duo account through the iKey and sKey. However, given how the PAM stack can build logic for different User/Groups and if you can use absolute paths to differentiate, then it should be possible to call different Duo Conf files (which would have different iKey and sKeys) based on the group memberships of the user logging in. This however is not a documented deployment for Duo and would require some advance knowledge of the PAM stack to setup correctly.

The alternative two options you have:

  1. You can replicate users into the second MSP account that is tied to the iKey and sKey of the PAM integration.
  2. You could consolidate all accounts into a single instance and then manage your MSP customers based on group membership.

Please let me know if you have any further questions.

Thanks

Scott

0 Helpful

BSC01
Level 1
Level 1

‎03-18-2019 02:21 PM

Thanks Scott.

Is there a way to specify the conf file for the pam module? I had a look through the code and could not see how it would be done. If we can pass in a specific conf file to the pam module we can work out the group mappings from there.

Cheers,

Mark

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents