Linux Auth, SSH, PAM

I have a working Duo auth for SSH access to a Linux server, but it isn’t quite working as I would like for my environment.

I am looking for the right options so that:

  • A user SSH’ing in needs to auth with Duo (easy enough), but it should check the local auth first, e.g. if I type in my password wrong the OS should reject me before I receive a Duo push
  • Duo should be required for sudo, but it should cache the Duo auth. Without Duo, if I sudo I am prompted for my password, but if I sudo again quickly I am not prompted for my password. The same thing should happen with Duo pushes

And, ideally, I would like an option so that if a user authenticated to SSH using a keypair instead of a password, that user does not receive a Duo push. This is not a great option security-wise, but the boss is asking if it is an option for one of our applications.

Any suggestions on the right config to make these happen?
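One layout that meets the three points above, as an added example written here rather than taken from the post or from Duo's own documentation. It assumes Duo Unix is installed as `pam_duo.so` and that the host uses the conventional `/etc/pam.d/sshd`, `/etc/pam.d/sudo` and `/etc/ssh/sshd_config` files. The first point rests on PAM's `requisite` control (a wrong local password ends the stack before `pam_duo` runs), the second on sudo checking its own timestamp before it calls PAM at all (so a cached sudo skips the whole stack, Duo included), and the third on sshd skipping the PAM auth phase entirely for public-key logins. The script only prints the fragments and lints the module ordering; nothing is written to `/etc`.

```shell
#!/bin/sh
# Added example, not from the original post or from Duo. Assumes Duo Unix
# (pam_duo.so) is installed and the standard /etc/pam.d and sshd_config layout.
# Fragments are printed for review or staging; nothing is installed.

# Auth section for BOTH /etc/pam.d/sshd and /etc/pam.d/sudo.
# "requisite": a wrong local password returns failure immediately, so pam_duo
# below is never reached and no push goes out (point 1).
# For sudo: sudo consults its timestamp before calling PAM, so within
# "Defaults timestamp_timeout=N" (minutes, /etc/sudoers) neither pam_unix nor
# pam_duo runs again; the Duo push is cached for the same window (point 2).
pam_auth_stack() {
cat <<'EOF'
auth  requisite  pam_unix.so
auth  required   pam_duo.so
EOF
}

# /etc/ssh/sshd_config fragment. With sshd's built-in password method off, the
# local password and the Duo prompt both run inside the PAM conversation
# (keyboard-interactive). The SPACE in AuthenticationMethods means "either":
# a key-only login satisfies "publickey" and sshd never enters the PAM auth
# phase, so no Duo push is sent (point 3). Writing the list with a COMMA,
# "publickey,keyboard-interactive", would require key AND Duo instead.
# OpenSSH 8.7+ spells the third option KbdInteractiveAuthentication; the old
# name is still accepted as an alias.
sshd_config_fragment() {
cat <<'EOF'
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey keyboard-interactive
EOF
}

# Lint for a PAM auth stack passed as one string: pam_unix must precede
# pam_duo and must use "requisite". Returns 0 when the ordering is right.
# Only explicit pam_unix lines are understood, not "@include common-auth".
check_unix_before_duo() {
  stack=$1
  unix_line=$(printf '%s\n' "$stack" | grep -n 'pam_unix\.so' | head -n 1 | cut -d: -f1)
  duo_line=$(printf '%s\n' "$stack" | grep -n 'pam_duo\.so' | head -n 1 | cut -d: -f1)
  [ -n "$unix_line" ] && [ -n "$duo_line" ] || return 1
  [ "$unix_line" -lt "$duo_line" ] || return 1
  printf '%s\n' "$stack" \
    | grep -q '^auth[[:space:]][[:space:]]*requisite[[:space:]][[:space:]]*pam_unix\.so'
}

main() {
  echo '# /etc/pam.d/sshd and /etc/pam.d/sudo (auth section)'
  pam_auth_stack
  echo '# /etc/ssh/sshd_config'
  sshd_config_fragment
  check_unix_before_duo "$(pam_auth_stack)" && echo 'ordering ok: local password before Duo'
}
main "$@"
```

On Debian-style systems `pam_unix` is usually pulled in through `@include common-auth` rather than a direct line; the same principle applies (the include must come before `pam_duo`, and it must fail the stack on a bad password), but the lint above will not see through the include. The key-only path is exactly the trade-off the post acknowledges: anyone holding a valid key logs in with no second factor, so it is worth confining to the one application that needs it rather than the whole host.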