LDAP/DUO client side settings


#1

We are currently using DUO cloud integrated into our PAM auth for 2 factor authentication. This works great.

It has come down from above that now we want to do LDAP authentication for our Linux servers. Basically just SSH. This works fine using sssd/LDAPS pointed directly to our DCs. However, now we want to integrate DUO into the mix as well for 2 factor.

I have configured ldap on our current DUO auth proxy box.

[cloud]
ikey=removed
skey=removed
api_host=removed

[ad_client]
host=10.10.10.5
host_2=10.10.10.6
service_account_username=binduser
service_account_password=removed
search_dn=DC=removed,DC=com
security_group_dn=CN=DUO,OU=SECURITY,DC=removed,DC=com

[ldap_server_auto]
client=ad_client
ikey=removed
skey=removed
api_host=removed
failmode=safe
ssl_key_path=duo.key
ssl_cert_path=duo.crt

When I do a capture I can now see the DUO auth proxy mitm the LDAPS request and correctly pull back the user from id or getent.

I’m a little confused on the client side portion, however. Normally we would enter our ikey/skey into /etc/duo/pam_duo.conf or login_duo.conf, whichever one we happen to be using for that specific box. Am I to put the same ikey/skey that the DUO auth proxy has in its LDAP section into the client pam_duo.conf/login_duo.conf?


#2

Hey Mcgoosh,

You should generate a new set of keys for this application by creating a new LDAP application in your Duo admin panel. Those values you can use in your [ldap_server_auto] section. If you choose to keep this setup, you may also need to look at some LDAP params found here (https://duo.com/support/documentation/authproxy_reference).

Additionally, you might want to look at using Duo Unix for this use case. Since it is just SSH, login_duo may be a very easy way to do this without impacting other services using LDAP. (Not sure if the other LDAP services on the Unix host go through the PAM stack or if they are configured separately.) There is also a Duo PAM module.

In terms of general best practice and ease of integration, I have to say I would recommend Duo Unix (either pam_duo or login_duo).

https://duo.com/docs/duounix

Cheers


#3

Yes we are using a new set of keys generated from the admin panel.

The caveat is we want to be able to use our domain creds when we SSH into a box. Hence the LDAP request, but also still use DUO for dual authentication.

The pam/login duo works well and is what we currently use. But now the requirement is to use LDAP + DUO. I will keep digging. Thanks for the recommendations.


#4

What makes sense now would be to uninstall pam_duo and only use LDAP auth. If you left pam_duo in place on your system users would authenticate to Duo twice: once when the LDAP request hits the Duo Authentication Proxy, and then again via pam_duo as a secondary factor to the LDAP auth.

So:

  1. Uninstall pam_duo
  2. Configure the Duo Authentication Proxy for ldap_server_auto
  3. Point your Linux clients to the Duo proxy for LDAP.

If you need to protect BOTH LDAP and local logins you can leave pam_duo installed, with its original integration key for the Duo Unix application, and limit pam_duo auth to only local users via setting groups= to include a group of local Unix users in pam_duo.conf (see here for more config options).
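Putting the three steps from #4 together with the question in #1, here is an added worked example of what each side of the setup looks like. This is not configuration from the original thread or from Duo; it is an illustration built from the thread's own [ad_client]/[ldap_server_auto] layout. The hostname duo-proxy.example.com, the CA bundle path, the local group name and the placeholder keys are assumptions, and the exempt_primary_bind key is taken from the Authentication Proxy reference, so its default should be checked there before relying on it.

```ini
# ---- On the Duo Authentication Proxy box: authproxy.cfg ----
# The proxy answers LDAPS from the Linux clients, forwards the primary
# bind to the DCs in [ad_client], then pushes the second factor via Duo.

[ad_client]
host=10.10.10.5
host_2=10.10.10.6
service_account_username=binduser
service_account_password=REPLACE_WITH_BIND_PASSWORD
search_dn=DC=removed,DC=com
security_group_dn=CN=DUO,OU=SECURITY,DC=removed,DC=com

[ldap_server_auto]
client=ad_client
# Keys come from the *LDAP* application created in the Duo admin panel,
# not from the Duo Unix application used by pam_duo/login_duo.
ikey=REPLACE_WITH_LDAP_APP_IKEY
skey=REPLACE_WITH_LDAP_APP_SKEY
api_host=REPLACE_WITH_API_HOST
failmode=safe
ssl_key_path=duo.key
ssl_cert_path=duo.crt
# sssd binds with the service account first to look users up; that bind
# must not trigger a Duo prompt (assumed key, check the authproxy reference).
exempt_primary_bind=true

# ---- On each Linux client: /etc/sssd/sssd.conf ----
# Step 3 of #4: point sssd at the proxy instead of the DCs. sssd never sees
# a Duo key at all; the second factor happens when the proxy relays the
# user's bind to AD, so pam_duo is not needed for SSH logins (step 1 of #4).

[sssd]
services = nss, pam
domains = corp

[domain/corp]
id_provider = ldap
auth_provider = ldap
ldap_schema = ad
ldap_uri = ldaps://duo-proxy.example.com
ldap_search_base = DC=removed,DC=com
ldap_default_bind_dn = CN=binduser,OU=SERVICE,DC=removed,DC=com
ldap_default_authtok = REPLACE_WITH_BIND_PASSWORD
# Trust only the cert the proxy serves (duo.crt above, or its issuing CA);
# with reqcert=demand a client that cannot verify the proxy refuses to bind.
ldap_tls_cacert = /etc/pki/tls/certs/duo-proxy-ca.pem
ldap_tls_reqcert = demand
cache_credentials = false

# ---- Only if BOTH LDAP and local logins must be protected: /etc/duo/pam_duo.conf ----
# Last paragraph of #4: keep pam_duo with its original Duo Unix keys, but
# restrict it to a group of local Unix users so domain users are not
# prompted twice (once at the proxy, once by pam_duo).

[duo]
ikey=REPLACE_WITH_DUO_UNIX_IKEY
skey=REPLACE_WITH_DUO_UNIX_SKEY
host=REPLACE_WITH_API_HOST
failmode=safe
groups=localadmins
```

The answer to the question in #1 falls out of the layout: the LDAP application's ikey/skey live only on the proxy, the client talks plain LDAPS to the proxy, and the only Duo keys that ever sit on the client are the Duo Unix ones in pam_duo.conf, and then only for the local-user case. With exempt_primary_bind set, a quick check is that `getent passwd someuser` returns without a push while an SSH login with the same account does trigger one.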