Hello,
I am testing Duo on my personal account and trying to get it set up to just work with SSH. I am running the latest CentOS 7.
I have my /etc/duo/pam_duo.conf set up, and here are my PAM configs:
[root@radius01 ~]# sudo cat /etc/pam.d/sshd
#%PAM-1.0
# PAM stack for the sshd service; the entries of each type (auth, account,
# password, session) are evaluated top to bottom.
auth required pam_sepermit.so
# With the password-auth substack commented out, pam_unix.so is never consulted
# on this auth path, so PAM does not verify the account password for SSH.
#auth substack password-auth
auth required pam_env.so
# "sufficient": a successful Duo check ends the auth stack with success; any
# other result continues to pam_deny.so below.
# NOTE(review): pam_duo.so is the only module here that can grant access, so
# the first factor has to be enforced by sshd itself (for example public-key
# authentication). sshd_config is not shown - confirm which methods it allows,
# otherwise Duo ends up as the sole factor.
# NOTE(review): the "Failed password" log lines show sshd's password method in
# use. pam_duo.so presumably needs keyboard-interactive
# (ChallengeResponseAuthentication in sshd_config) to prompt the user - confirm
# against sshd_config and pam_duo.conf.
auth sufficient pam_duo.so
# Always fails: rejects the login whenever pam_duo.so did not succeed.
auth required pam_deny.so
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
# The leading "-" keeps PAM from logging an error if the module is not installed.
-auth optional pam_reauthorize.so prepare
# Account checks still come from password-auth even though its auth lines are
# not used by this stack.
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
[root@radius01 ~]#
[root@radius01 ~]# sudo cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# The sshd stack quoted in this post includes only the account, password and
# session sections of this file; its "auth substack password-auth" line is
# commented out, so the auth lines below do not affect SSH logins as configured.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
# "sufficient": a correct UNIX password ends the auth stack with success here.
# nullok also lets accounts with an empty password authenticate.
auth sufficient pam_unix.so nullok try_first_pass
# Disabled Duo variant (both lines are commented out and have no effect).
# NOTE(review): if these lines are enabled, the "sufficient" pam_unix.so line
# above has to be removed as well; otherwise a correct password returns success
# before pam_duo.so runs and the second factor is skipped.
# NOTE(review): success=1 skips exactly one following module
# (pam_succeed_if.so), which leaves pam_deny.so as the next entry - verify the
# jump count before enabling.
#DUO#
#auth requisite pam_unix.so nullok try_first_pass
#auth [success=1 default=bad] pam_duo.so
#DUO#
# "requisite": fails the stack immediately for accounts with uid below 1000.
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
# Default deny for anything that reaches the end of the auth stack.
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
# Password changes: quality check first, then pam_unix.so stores the new
# password (sha512, shadow); anything else is denied.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
# success=1: when the service is crond, skip the pam_unix.so session line below.
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[root@radius01 ~]#
I am getting the following in my /var/log/secure:
Jul 24 09:13:33 radius01 sshd[50303]: Failed password for andrew from 10.150.10.99 port 33814 ssh2
Jul 24 09:14:07 radius01 sshd[50303]: Failed password for andrew from 10.150.10.99 port 33814 ssh2
Jul 24 09:14:09 radius01 sshd[50303]: Connection closed by 10.150.10.99 port 33814 [preauth]
Jul 24 09:17:27 radius01 sshd[50309]: Failed password for andrew from 10.150.10.99 port 33836 ssh2
[root@radius01 ~]#
The password is correct. What am I doing wrong?