Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1921
Views
0
Helpful
1
Replies

How to use Duo for both local and remote logins with SELinux

ehereth
Level 1
Level 1

‎03-28-2019 02:06 PM

Community,

I’m brand new here and looking to implement Duo for 2FA on some Linux machines. So far the documentation has been pretty much spot on and I’ve been able to install, configure, and use this with multiple users on a test CentOS 7.6 VM. I’m able to enable SELinux and configure it to allow for successful ssh logins, but it seems to break local logins. What happens is that I enter my password at the local login prompt and it seems to hang for a few seconds, then it simply forgoes the Duo 2FA and logs me in. So, it seem to break in a bad way as it allows the login instead of denying it. As I mentioned, ssh logins as well as sudo -i continues to work as expected with SELinux enabled, but not local logins.

Now I don’t pretend to have any real experience or knowledge with SELinux, so this may be a dumb question, but I’d like to know how, if possible, I can configure SELinux to allow Duo 2FA with both local and remote logins. I had experienced similar problems with FreeOTP which I had been experimenting with before. When I found out that my institution has a site license for Duo, I began to work on implementing my 2FA with Duo in lieu of FreeOTP.

As far as I can tell, this is a complete solution, if I can just get local logins to work with SELinux enabled, I’ll be done. Any help experts here can provide would be vastly appreciated. I’ve not yet reached out to Duo support properly as I’m not officially linked to the site license so I’m currently playing with a free account.

I can provide SELinux logs (i.e., /var/log/audit/audit.log data) and other salient information like sealert -l output as needed but I didn’t want to do that right away to keep this (my first post) clean.

Please help?

Thanks!

Labels:
0 Helpful
1 Reply 1

ehereth
Level 1
Level 1

‎04-03-2019 03:24 PM

Good afternoon folks, I believe I’ve found a fix to this problem. I reached out to Duo support and their official response seems to be that “SELInux is not currently supported” and they didn’t help. I did some digging, and, from this Red Hat bugzilla report, which let me to this set of instructions, I was able to configure SELinux to allow all forms of Duo 2FA I need (ssh, sudo, local logins). I simply applied the following SELinux boolean config and local logins worked: setsebool -P authlogin_yubikey 1.

This may not be the best or most proper solution, but it does seem to work for me. Hopefully this will be useful to others looking for help. Any feedback, hopefully constructive, is most welcome.

Cheers!

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents