Excluding users/groups in login_duo


If I am using a global policy, do the exceptions with the “groups” parameter still work for login_duo?
It is currently working for me. But is it really a feature or a loophole? To me these two things seem to be contradictory.

Hi @sreekand, great question! The order in which Duo policies are enforced can be a bit confusing. Group policies take precedence and override both application and global policies. A good rule of thumb to keep in mind is that the most specific policy will apply for a given scenario.

Please take a look at the explanation in this help article on how Duo policies are enforced for more details!

Hi @Amy,

Thanks a lot for the clarification. But I believe there is still some confusion: what I mentioned is not group policies, but the OS groups that we mention in our /etc/duo/login_duo.conf file. I have noticed that if I use the groups parameter, only those users (who belong to the group) will be enforced with two-factor authentication. All other users will be bypassed from 2FA. Please see the screenshot below.

Ah, thank you for clearing that up! I did misunderstand your initial question. Yes, this is intentional. This is explained in our documentation for Duo Unix - Two Factor Authentication for SSH (login_duo) under Enable Login Duo in the Installation instructions, and there are more details in the Duo Configuration Options under groups as well. I hope that helps!

P.S. I edited your post to remove the screenshot, because it contained your Secret key which should never be shared publicly, even with Duo. Please be careful when sharing screenshots in the community to remove any info that should not be shared. 🙂

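One way to audit the behaviour confirmed above, as an added example that is not part of the thread or Duo's own code: it reads the `groups` option from a login_duo.conf and lists the accounts that fall outside it and so log in without a Duo prompt. The sample config, user map and function names are constructed; it assumes `groups` holds plain space-separated group names and rejects pattern syntax rather than guessing at it.

```python
import configparser

# Constructed sample data (not from the thread): a login_duo.conf with the
# keys replaced by placeholders, plus a small user -> groups map.
SAMPLE_CONF = """\
[duo]
; placeholder values, not real credentials
ikey = <INTEGRATION_KEY>
skey = <SECRET_KEY>
host = <API_HOSTNAME>
groups = wheel sshusers
"""
SAMPLE_USERS = {
    "alice": {"alice", "wheel"},
    "bob": {"bob", "sshusers"},
    "svc_backup": {"svc_backup"},
    "carol": {"carol", "developers"},
}

# Characters that indicate pattern syntax this example does not evaluate.
PATTERN_CHARS = set("!*?,")


def duo_groups(conf_text):
    """Return the group names from the [duo] section's `groups` option."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    names = cp.get("duo", "groups", fallback="").split()
    for name in names:
        # Fail closed: a wrong guess here would misreport who is covered.
        if PATTERN_CHARS & set(name):
            raise ValueError(f"unsupported pattern in groups: {name!r}")
    return names


def users_skipping_2fa(conf_text, users):
    """List users who would log in without a Duo prompt under this config."""
    enforced = set(duo_groups(conf_text))
    if not enforced:  # no `groups` option set: every user is prompted
        return []
    return sorted(u for u, member_of in users.items()
                  if not (member_of & enforced))


if __name__ == "__main__":
    for user in users_skipping_2fa(SAMPLE_CONF, SAMPLE_USERS):
        print(f"{user}: not in any Duo-enforced group, 2FA bypassed")
```

On a real host the user map would come from the system's passwd and group databases instead of the constructed dictionary.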

@Amy, thank you very much. I already referred to the documentation, but wanted to check and confirm with someone who has more expertise.

And thank you for reminding me about the keys… I overlooked the key information.
