Duo UNIX with Multiple MSP Accounts



we are testing Duo UNIX in a multi-tenanted hosting environment for SSH access. The UNIX users accessing the Linux servers are in two different groups with two different MSP accounts. At a high level the users are grouped into “admins” which comes from one MSP account, and “developers” which comes from another MSP account.

We have setup the Duo UNIX application in each of the MSP accounts. We have the ikey and skey available for each of the MSP accounts however when configuring the /etc/duo/pam_duo.conf file there is only an option to setup one of the ikey and skey values which would make is choose to have Duo on either the “admins” or the “developers”.

Is there an option available to setup /etc/duo/pam_duo.conf to use specific ikey and skey values based on the user group?




Hi BurgeAU,

Thank you for reaching out to the community regarding your Pam setup.

Presently Duo only integrates at a system wide level and does not offer the ability to utilize user groups for a single Duo Integration. Each installation can only tie to one individual Duo account through the iKey and sKey. However, given how the PAM stack can build logic for different User/Groups and if you can use absolute paths to differentiate, then it should be possible to call different Duo Conf files (which would have different iKey and sKeys) based on the group memberships of the user logging in. This however is not a documented deployment for Duo and would require some advance knowledge of the PAM stack to setup correctly.

The alternative two options you have:

  1. You can replicate users into the second MSP account that is tied to the iKey and sKey of the PAM integration.
  2. You could consolidate all accounts into a single instance and then manage your MSP customers based on group membership.

Please let me know if you have any further questions.




Thanks Scott.

Is there a way to specify the conf file for the pam module? I had a look through the code and could not see how it would be done. If we can pass in a specific conf file to the pam module we can work out the group mappings from there.