Enable local server accounts without 2MFA

On a Duo Linux configured RHEL 7 server which is synced with MS Active Directory, how do we configure the ability to enable local service accounts on the RHEL server to bypass Duo and use just a single password without 2MFA authentication to access the server?

Hello EDVAZ,

Do you want the system local service account to authenticate to the Duo service or another server that is Duo over RDP/SSH protected?

In either case, you will need to either implement a bypass code for the local service account or, in the case of accessing another server that has Duo MFA over RDP/SSH, uninstall that service.

If you don’t want to uninstall the Duo MFA remote access protection service, I would recommend creating the local service account in the Duo SaaS portal as a Duo user and then creating a bypass code for that user with an indefinite lifetime that can be used an indefinite number of times.

This solution would effectively bypass Duo MFA but you would still need to implement the bypass code as a static credential in a script or task being performed by the local service account.

There are multiple downsides to this approach, however:

  • The bypass code is 9 numeric digits (no alphanumeric or special characters).

  • The bypass code is static.

  • The bypass code does not expire.

When using this solution, I would highly recommend managing the local service account with a PAS solution if it has privileged authority, as implementing a permanent bypass code is not good security practice but can work functionally.

Hopefully the above is useful.

Let me know if it works.

Regards,

Mheim