
Linux configuration

andrewm659
Level 1

Hello,
I am testing Duo on my personal account and trying to get it set up to just work with SSH. I am running the latest CentOS 7.

I have my /etc/duo/pam_duo.conf set up, and here are my PAM configs:

[root@radius01 ~]# sudo cat /etc/pam.d/sshd 
#%PAM-1.0
# PAM stack for sshd. The review notes below describe only what this file
# shows; sshd_config and pam_duo.conf are not shown, so anything about them
# is marked as something to verify.
auth       required     pam_sepermit.so
# The password-auth substack is commented out, so no module in this auth
# stack (pam_unix in particular) verifies the account password for SSH.
#auth       substack     password-auth
auth       required     pam_env.so
# pam_duo is the only module that can make auth succeed here: "sufficient"
# ends the stack with success once Duo approves, provided no earlier
# required module has failed. This layout fits a setup where sshd itself has
# already checked a public key and Duo is the second factor.
# NOTE(review): the log shows "Failed password", i.e. the client used sshd's
# password method. pam_duo prompts through the PAM conversation, which
# presumably needs keyboard-interactive (ChallengeResponseAuthentication yes,
# UsePAM yes) -- verify in sshd_config.
# NOTE(review): if pam_duo.conf has failmode=safe (confirm the setting), an
# unreachable Duo service lets this line succeed with no factor checked by PAM.
auth sufficient pam_duo.so 
# Any attempt that did not pass pam_duo is rejected: pam_deny always fails.
auth required pam_deny.so
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
# account, password and session still pull in password-auth; only the auth
# substack above was disabled.
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
[root@radius01 ~]#

[root@radius01 ~]# sudo cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): per the header above, hand edits here (including the #DUO#
# lines) are lost whenever authconfig regenerates this file.
# NOTE(review): the /etc/pam.d/sshd shown alongside this file comments out its
# "auth substack password-auth" line, so the auth lines below do not take part
# in SSH authentication; they still apply to any service that includes them.
auth        required      pam_env.so
# delay is in microseconds: a 2-second pause after a failed attempt.
auth        required      pam_faildelay.so delay=2000000
# "sufficient" pam_unix: a correct password alone completes auth here, with no
# second factor. nullok also accepts accounts whose password field is empty;
# drop it unless such accounts are intended.
auth        sufficient    pam_unix.so nullok try_first_pass
#DUO#
# Disabled password-then-Duo variant. With pam_unix as "requisite", a valid
# password would be required before pam_duo is consulted.
# NOTE(review): as written, success=1 skips only the pam_succeed_if line below
# and still reaches pam_deny -- check the jump count before re-enabling.
#auth        requisite    pam_unix.so nullok try_first_pass
#auth        [success=1 default=bad] pam_duo.so
#DUO#
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
# Reached only when pam_unix did not accept the password: always fails.
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
# nullok here allows changing a password on an account that currently has none.
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok


password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
# For crond, success=1 skips the pam_unix session line that follows.
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
[root@radius01 ~]# 

I am getting the following in my /var/log/secure:

Jul 24 09:13:33 radius01 sshd[50303]: Failed password for andrew from 10.150.10.99 port 33814 ssh2
Jul 24 09:14:07 radius01 sshd[50303]: Failed password for andrew from 10.150.10.99 port 33814 ssh2
Jul 24 09:14:09 radius01 sshd[50303]: Connection closed by 10.150.10.99 port 33814 [preauth]
Jul 24 09:17:27 radius01 sshd[50309]: Failed password for andrew from 10.150.10.99 port 33836 ssh2
[root@radius01 ~]# 

The password is correct. What am I doing wrong?
