EPEL repo has duo_unix but it's missing files

Hi there, I noticed there was an update of duo_unix package for Linux. I went ahead and installed it not realising that it was pulling from EPEL and not the duosecurity repo I had originally installed from. Once it’s installed, it pretty much ceases to function. There are several issues but one of the most important being that pam_duo.so is missing from it. I reversed the upgrade, but it leaves some questions.

Any idea how/why duo_unix has appeared in EPEL (with a later version than duosecurity has) and why it’s way smaller in size and doesn’t function?

Descriptions of install/available below:

Installed Packages (This works fine)
Name : duo_unix
Version : 1.12.1
Release : 0.el8
Architecture : x86_64
Size : 984 k
Source : duo_unix-1.12.1-0.el8.src.rpm
Repository : @System
From repo : duosecurity
Summary : Duo two-factor authentication for Unix systems
URL : https://www.duosecurity.com
License : GPLv2
Description : Duo two-factor authentication for Unix systems

Available Packages (This doesn’t work)
Name : duo_unix
Version : 1.12.1
Release : 3.el8
Architecture : x86_64
Size : 68 k
Source : duo_unix-1.12.1-3.el8.src.rpm
Repository : epel
Summary : Duo two-factor authentication for UNIX systems
URL : http://www.duosecurity.com/
License : GPLv2
Description : Duo provides simple two-factor authentication as a service via:
:
: 1. Phone callback
: 2. SMS-delivered one-time passcode
: 3. Duo mobile app to generate one-time passcode
: 4. Duo mobile app for smartphone push authentication
: 5. Duo hardware token to generate one-time passcode
:
: This package allows an admin (or ordinary user) to quickly add Duo
: authentication to any UNIX login without setting up secondary user
: accounts, directory synchronization, servers, or hardware.

We noticed this today as well.

It appears that the ‘duo_unix’ package from EPEL is missing the ‘pam_duo.so’ library and that is now optionally installed via the ‘pam_duo’ package from EPEL.


It also wasn’t on many of the mirrors. Which made a potential supply chain attack a possibility. Fortunately that meant that not many of our hosts pulled it.

Also ran into this. For a workaround, I have added exclude=duo_unix to the epel repo config file.
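Added example (not from any poster in this thread): a shell check that an EPEL repo file actually carries the exclude= workaround above for the [epel] section, and that pam_duo.so, the module the EPEL split moved into the separate pam_duo package, is really present in the PAM module directory. The sample repo file and the directory paths are constructed for demonstration; a real check would point at /etc/yum.repos.d/epel.repo and /lib64/security.

```shell
#!/bin/sh
# Verify the exclude= workaround and the presence of pam_duo.so after a
# duo_unix upgrade. Paths are parameters so the checks run offline.

# repo_excludes_duo REPOFILE SECTION
# Returns 0 if SECTION in REPOFILE has an exclude= line listing duo_unix.
repo_excludes_duo() {
    repofile=$1; section=$2
    awk -v sect="[$section]" '
        $0 == sect { in_sect = 1; next }   # entered the wanted section
        /^\[/      { in_sect = 0 }         # any other header ends it
        in_sect && /^[[:space:]]*exclude[[:space:]]*=/ {
            sub(/^[^=]*=/, "")             # keep only the value part
            n = split($0, items, /[ ,]+/)  # dnf accepts space/comma lists
            for (i = 1; i <= n; i++) if (items[i] == "duo_unix") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$repofile"
}

# pam_duo_present MODDIR
# Returns 0 if pam_duo.so exists under MODDIR (normally /lib64/security).
# If it is missing, any PAM stack referencing pam_duo.so will fail to load
# the module, so this is the first thing to check after an upgrade.
pam_duo_present() {
    [ -f "$1/pam_duo.so" ]
}

# Constructed sample repo file: [epel] carries the workaround, the
# [epel-testing] section does not.
make_sample_repo() {
    cat > "$1" <<'EOF'
[epel]
name=Extra Packages for Enterprise Linux 8
enabled=1
exclude=duo_unix pam_duo
[epel-testing]
name=EPEL testing
enabled=0
EOF
}

# Demo run against the constructed file and the real PAM module directory.
demo() {
    tmp=$(mktemp -d)
    make_sample_repo "$tmp/epel.repo"
    if repo_excludes_duo "$tmp/epel.repo" epel; then echo "epel excludes duo_unix"; fi
    if pam_duo_present /lib64/security; then echo "pam_duo.so present"; else echo "WARNING: pam_duo.so missing"; fi
    rm -rf "$tmp"
}
```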

Have not tested it myself, but it looks like a fix has been pushed out:
https://bugzilla.redhat.com/show_bug.cgi?id=2134160

The duo_unix package in EPEL now recommends pam_duo