HowTo: pam_duo with AD integration via SSSD


Thanks to Ryan@Duo for talking through some of this via chat; I was able to figure it out, also by reading the approach outlined here (though that approach never worked for me). I cannot swear that this does not have holes, but it works consistently in every scenario that we use.

How do I 1) enable pam_duo to use passwords, 2) exclude public-key authentication, and 3) use both local accounts (/etc/passwd) and SSSD/Kerberos integration, all with 2FA?


Setting up Duo Unix (pam_duo) is relatively straightforward from the documentation, and Duo provides an additional help article at if you want to use passwords. However, this does not play well if you are using (in our case) SSSD, Red Hat’s offering for integrating with LDAP, AD, and so on: a Kerberos ticket from your Windows PC will bypass 2FA completely, which we also do not want. Additionally, we needed to support both AD accounts and local accounts (for our remote-monitoring NOC to log in), and we wanted 2FA for all of them.

NOTE: in this setup, the public-key exceptions do NOT get prompted for 2FA, but that is how we want it for this setup. We exclude those accounts via the “group” option in pam_duo.conf.

Follow the pam_duo instructions at before making the following configuration changes.

Tested on RHEL 6.x.

/etc/ssh/sshd_config:

PubkeyAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
UseDNS no

<snip – go to end of the file>

#edits for 2FA and any PubKey auth
#add any account that IS using public-key authentication
Match User oracle,grid
PubkeyAuthentication yes

#We are using SSSD ‘ad_access_filter’ to control access,
#so need to turn off GSSAPI Auth for those AD users,
#otherwise they get passed in via Kerberos ticket and no
#password-prompt OR 2FA challenge
Match Group ssh_console_users
GSSAPIAuthentication no

/etc/pam.d/sshd: The idea is that with “”, if the user trying to log in exists in /etc/passwd, skip 1 line to “”, which handles the auth and then falls into “pam_duo” for the 2FA. If the user does NOT exist in /etc/passwd, fall into “” (SSSD), which handles the auth and then skips 1 line into “pam_duo” for the 2FA.

auth required
##Duo 2FA Changes begin
#auth include password-auth
auth required
auth [success=1 default=ignore]
auth [success=1 default=ignore]
auth requisite
auth [success=1 default=ignore] /lib64/security/
auth requisite
auth required
##End Duo Changes
account required
account include password-auth
password include password-auth
# close should be the first session rule
session required close
session required
# open should only be followed by sessions to be executed in the user context
session required open env_params
session required
session optional force revoke
session include password-auth
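As an added example (not from the original post and not Duo's or SSSD's code), here is a small Python simulation of the PAM "auth" control flow that the stack above relies on, so the skip logic can be traced for a local user, an AD user, a wrong password and a failed second factor. The module names and the two user tables are assumptions; the post's extraction dropped the real module names, and only the `[success=1 default=ignore]`, `requisite` and `required` controls come from the post.

```python
# Added example: simulate Linux-PAM "auth" stack control flow for the
# /etc/pam.d/sshd stack described in the post. Module names and user
# tables below are assumptions/constructed, not from the post.

LOCAL_USERS = {"noc": "noc-pw"}   # constructed: accounts in /etc/passwd
AD_USERS = {"alice": "ad-pw"}     # constructed: accounts known to SSSD/AD


def pam_localuser(user, pw, otp):  # assumed module: is user in /etc/passwd?
    return user in LOCAL_USERS

def pam_unix(user, pw, otp):       # assumed module: local password check
    return LOCAL_USERS.get(user) == pw

def pam_sss(user, pw, otp):        # assumed module: SSSD/AD password check
    return AD_USERS.get(user) == pw

def pam_duo(user, pw, otp):        # assumed module: Duo second factor
    return otp == "approved"

def pam_deny(user, pw, otp):
    return False

def pam_permit(user, pw, otp):
    return True


# (control, module) in the order of the post's "Duo 2FA Changes" block.
# control is "requisite", "required", or ("skip", N) for [success=N default=ignore].
SSHD_AUTH_STACK = [
    (("skip", 1), pam_localuser),  # local user -> skip the SSSD line
    (("skip", 1), pam_sss),        # AD password ok -> skip the local check
    ("requisite", pam_unix),       # local password; an unknown user dies here
    (("skip", 1), pam_duo),        # 2FA ok -> skip the deny line
    ("requisite", pam_deny),       # a failed 2FA lands here and is rejected
    ("required", pam_permit),
]


def run_auth(stack, user, pw, otp):
    """Return True if the stack grants auth; mimics the PAM control semantics."""
    i, failed = 0, False
    while i < len(stack):
        control, module = stack[i]
        ok = module(user, pw, otp)
        if isinstance(control, tuple):            # [success=N default=ignore]
            i += control[1] if ok else 0          # jump N lines on success
        elif control == "requisite" and not ok:   # fail the stack immediately
            return False
        elif control == "required" and not ok:    # remember failure, keep going
            failed = True
        i += 1
    return not failed
```

Run `run_auth(SSHD_AUTH_STACK, "alice", "ad-pw", "approved")` to trace the AD path; note that an AD user with a wrong password falls into the local `requisite` line and is denied there, never reaching Duo.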

/etc/pam.d/system-auth: basically unchanged from but take note that “” moved up in the order. Here is the top excerpt:

#This file is auto-generated.
#User changes will be destroyed the next time authconfig is run.
auth required
auth sufficient
##auth sufficient nullok try_first_pass
auth [success=1 default=ignore] nullok_secure
auth requisite
auth [success=1 default=ignore] /lib64/security/
auth required
##End Duo Changes

auth requisite uid >= 500 quiet
auth sufficient use_first_pass
#auth required