How to use Duo for both local and remote logins with SELinux



I’m brand new here and looking to implement Duo for 2FA on some Linux machines. So far the documentation has been pretty much spot on and I’ve been able to install, configure, and use this with multiple users on a test CentOS 7.6 VM. I’m able to enable SELinux and configure it to allow for successful ssh logins, but it seems to break local logins. What happens is that I enter my password at the local login prompt and it seems to hang for a few seconds, then it simply forgoes the Duo 2FA and logs me in. So, it seems to break in a bad way as it allows the login instead of denying it. As I mentioned, ssh logins as well as sudo -i continue to work as expected with SELinux enabled, but not local logins.

Now I don’t pretend to have any real experience or knowledge with SELinux, so this may be a dumb question, but I’d like to know how, if possible, I can configure SELinux to allow Duo 2FA with both local and remote logins. I had experienced similar problems with FreeOTP which I had been experimenting with before. When I found out that my institution has a site license for Duo, I began to work on implementing my 2FA with Duo in lieu of FreeOTP.

As far as I can tell, this is a complete solution; if I can just get local logins to work with SELinux enabled, I’ll be done. Any help experts here can provide would be vastly appreciated. I’ve not yet reached out to Duo support properly as I’m not officially linked to the site license so I’m currently playing with a free account.

I can provide SELinux logs (i.e., /var/log/audit/audit.log data) and other salient information like sealert -l output as needed but I didn’t want to do that right away to keep this (my first post) clean.

Please help?




Good afternoon folks, I believe I’ve found a fix to this problem. I reached out to Duo support and their official response seems to be that “SELinux is not currently supported” and they didn’t help. I did some digging, and, from this Red Hat bugzilla report, which led me to this set of instructions, I was able to configure SELinux to allow all forms of Duo 2FA I need (ssh, sudo, local logins). I simply applied the following SELinux boolean config and local logins worked: setsebool -P authlogin_yubikey 1.

This may not be the best or most proper solution, but it does seem to work for me. Hopefully this will be useful to others looking for help. Any feedback, hopefully constructive, is most welcome.
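
A detection sketch for the failure described in this thread, added here as an example and not part of the original posts or of Duo's tooling: it scans audit records for a local login process that was denied an outbound TCP connection and then still passed PAM authentication, which is the "hangs, then logs in without 2FA" pattern. It assumes the blocked Duo call is logged as an AVC name_connect denial in the local_login_t domain; the function names and every log line are constructed for illustration.

```shell
#!/bin/sh
# Added example. All audit records below are constructed, not taken from the thread.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1554300000.101:411): avc:  denied  { name_connect } for  pid=2101 comm="login" dest=443 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=USER_AUTH msg=audit(1554300004.300:412): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=AVC msg=audit(1554300050.202:498): avc:  denied  { read } for  pid=2200 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=USER_AUTH msg=audit(1554300090.400:520): pid=2250 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="bob" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=success'
type=AVC msg=audit(1554300120.500:533): avc:  denied  { name_connect } for  pid=2300 comm="login" dest=443 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=USER_AUTH msg=audit(1554300124.600:534): pid=2300 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="carol" exe="/usr/bin/login" hostname=? addr=? terminal=tty2 res=failed'
EOF
}

# Reads audit records from the named files (or stdin) and prints "pid acct terminal"
# for each successful PAM authentication whose process was earlier denied an
# outbound TCP connect while running in the local login domain.
skipped_duo_logins() {
    awk '
    /^type=AVC / && /denied/ && /name_connect/ && /tclass=tcp_socket/ &&
    /scontext=[^ ]*:local_login_t:/ {
        # Remember the PID whose network call SELinux blocked.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^pid=/) denied[substr($i, 5)] = 1
        next
    }
    /^type=USER_AUTH / && /res=success/ {
        pid = ""; acct = ""; tty = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^pid=/ && pid == "") pid = substr($i, 5)
            else if ($i ~ /^acct=/) { acct = substr($i, 6); gsub(/"/, "", acct) }
            else if ($i ~ /^terminal=/) tty = substr($i, 10)
        }
        # Success after a blocked connect means the second factor never ran.
        if (pid in denied) print pid, acct, tty
    }' "$@"
}

# Demo on the constructed records; on a real host pass /var/log/audit/audit.log.
sample_audit_log | skipped_duo_logins
```

Running `getsebool authlogin_yubikey` alongside this shows whether the boolean from the post above is currently on.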