I’m brand new here and looking to implement Duo for 2FA on some Linux machines. So far the documentation has been pretty much spot on and I’ve been able to install, configure, and use this with multiple users on a test CentOS 7.6 VM. I’m able to enable SELinux and configure it to allow for successful ssh logins, but it seems to break local logins. What happens is that I enter my password at the local login prompt and it seems to hang for a few seconds, then it simply forgoes the Duo 2FA and logs me in. So, it seems to break in a bad way as it allows the login instead of denying it. As I mentioned, ssh logins as well as sudo -i continue to work as expected with SELinux enabled, but not local logins.
Now I don’t pretend to have any real experience or knowledge with SELinux, so this may be a dumb question, but I’d like to know how, if possible, I can configure SELinux to allow Duo 2FA with both local and remote logins. I had experienced similar problems with FreeOTP which I had been experimenting with before. When I found out that my institution has a site license for Duo, I began to work on implementing my 2FA with Duo in lieu of FreeOTP.
As far as I can tell, this is a complete solution; if I can just get local logins to work with SELinux enabled, I’ll be done. Any help experts here can provide would be vastly appreciated. I’ve not yet reached out to Duo support properly as I’m not officially linked to the site license, so I’m currently playing with a free account.
I can provide SELinux logs (i.e., /var/log/audit/audit.log data) and other salient information like sealert -l output as needed but I didn’t want to do that right away to keep this (my first post) clean.