DUO with LDAP hosted public keys


My setup is to use DUO with publickey authentication over SSH. The keys are stored in LDAP.

When following the documentation for setting up DUO with UNIX, I’m running into a problem. I’ve verified that DUO is working by commenting out my pam_ldap.so line in /etc/pam.d/sshd. When I remove that comment, authentication fails.

I believe I’ve tracked that down to the following in sshd_config:


    AuthenticationMethods publickey,keyboard-interactive

With this config, the LDAP authentication fails, since it is expecting keyboard-interactive, which is not going to work with a key exchange.

I've changed that line to the following:

    AuthenticationMethods publickey publickey,keyboard-interactive

Now, the LDAP piece works, but I never get prompted to authenticate with DUO, which defeats the whole purpose.

Is there something I'm missing here?
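
sshd accepts a login as soon as every method in any one of the space-separated lists has completed. The following added example (not part of the original post) parses an `AuthenticationMethods` line and reports the lists that finish without `keyboard-interactive`, the method through which a PAM prompt such as Duo's is delivered. The function names and the two sample fragments are constructed for illustration.

```python
import re

def auth_method_lists(config_text):
    """Return the global AuthenticationMethods value as a list of method lists.

    sshd uses the first value it reads for a keyword; parsing stops at the
    first Match block so that only the global section is considered.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "authenticationmethods" and len(parts) == 2:
            return [lst.split(",") for lst in parts[1].split()]
    return []  # keyword not set in the global section


def lists_skipping(config_text, required="keyboard-interactive"):
    """Return the method lists a client can complete without `required`.

    Authentication succeeds when every method in at least one list completes,
    so a single list that lacks `required` makes it optional.
    """
    skipping = []
    for methods in auth_method_lists(config_text):
        # A method may carry a suffix, e.g. keyboard-interactive:pam
        names = [m.split(":", 1)[0] for m in methods]
        if required not in names:
            skipping.append(",".join(methods))
    return skipping


# Constructed sshd_config fragments using the two values from the post.
FIRST = "AuthenticationMethods publickey,keyboard-interactive\n"
SECOND = "AuthenticationMethods publickey publickey,keyboard-interactive\n"

if __name__ == "__main__":
    for name, text in (("first", FIRST), ("second", SECOND)):
        found = lists_skipping(text)
        print(name, "->", found or "keyboard-interactive always required")
```

For the second value the check reports the bare `publickey` list, which a client with a valid key satisfies before the `publickey,keyboard-interactive` list is ever needed.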