I followed the directions for setting up Duo and pam_duo, but it makes it so only users with SSH keys already set up can log in. I have some users who have SSH keys, but a large number of others who only use a password. How can I set up pam_duo to use SSH keys if they’re present and prompt for a password otherwise?
I experimented and found out a few things. Firstly, there is a knowledge base article here on how to do this (Knowledge Base | Duo Security), but it wasn’t acceptable for my situation. It says to set the ssh config variable “UsePAM” to “no”. I’m running RHEL7 and 8, and their support says that is an unsupported and unstable configuration. It also requires “ForceCommand /usr/sbin/login_duo”. I’ve had problems with sftp and scp when I use the ForceCommand directive.
I tinkered with it a bit and I found a more acceptable solution. I set up Duo logins to use pam_duo and password authentication, which worked, but I found users who had SSH keys already set up were bypassing the Duo prompts.
To fix that, I added a file /etc/ssh/sshrc, which gets called during every ssh login, and included a call to login_duo. If the login_duo prompt fails, the ssh login attempt fails.
These are the settings I used in my sshd_config:
(Do not set AuthenticationMethods.)
The auth section of my /etc/pam.d/sshd file looks like this:
auth substack password-auth
auth required pam_env.so
auth sufficient pam_duo.so
auth include postlogin
And finally, my /etc/ssh/sshrc file looks like this:
# Run the Duo prompt for this login; on failure, terminate the sshd session process that is our parent.
/bin/sudo /sbin/login_duo -f "$USER" || kill -TERM $PPID
This runs the login_duo command and kills the parent process (the ssh login attempt) if it fails. (Double-check the paths to sudo and login_duo on your systems.)
Thank you for sharing your solution here in the community, @dprosser! I’m glad you were able to get it working as you needed.
I thought I should post an update. I discovered this solution had an issue. If a user didn’t have the ssh keys set up, it would give them two prompts from DUO, and after login would tell them there had been a login failure on their account. That made it unworkable for my users.
I was able to modify it so that doesn’t happen. I changed the /etc/ssh/sshrc file to this:
export USER HOME
# Only key-based users (those with an authorized_keys file) get the extra login_duo step;
# password users already went through pam_duo and must not be prompted twice.
if [ -e "$HOME/.ssh/authorized_keys" ] ; then
    /usr/bin/sudo /usr/sbin/login_duo -f "$USER" || kill -TERM $PPID
fi
This only triggers if the user already has an authorized_keys file set up. Any user that doesn’t will get just one password prompt and one DUO prompt.
BTW, if you have ssh key users that don’t have permission to run ‘sudo’ commands, you will need to add them into your /etc/sudoers file:
username ALL=(root) NOPASSWD: /usr/sbin/login_duo
%groupname ALL=(root) NOPASSWD: /usr/sbin/login_duo
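An added example, not part of the thread above: a small POSIX sh audit script that checks the pieces the two posts describe (UsePAM on and no AuthenticationMethods in sshd_config, pam_duo.so in the sshd PAM auth stack, an authorized_keys guard around login_duo in sshrc, and a NOPASSWD sudoers entry for /usr/sbin/login_duo). The file paths are parameters, so it can be run against copies of the files; the sudoers and login_duo paths are the ones used in the posts, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of the pam_duo + sshrc
# setup. Nothing here modifies the system; every check returns 0 on success.

# sshd_config must have "UsePAM yes" and must not set AuthenticationMethods.
check_sshd_config() {
    f="$1"
    grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$f" || return 1
    grep -Eiq '^[[:space:]]*AuthenticationMethods' "$f" && return 1
    return 0
}

# /etc/pam.d/sshd must carry pam_duo.so in its auth stack.
check_pam_sshd() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_duo\.so' "$1"
}

# sshrc must reference both the authorized_keys guard and login_duo,
# otherwise key users bypass Duo or password users get prompted twice.
check_sshrc() {
    f="$1"
    grep -q 'authorized_keys' "$f" || return 1
    grep -q 'login_duo' "$f" || return 1
    return 0
}

# sudoers must grant the user (e.g. alice) or group (e.g. %sshusers)
# passwordless root execution of /usr/sbin/login_duo.
check_sudoers() {
    f="$1"; who="$2"
    grep -Eq "^[[:space:]]*${who}[[:space:]]+ALL=\(root\)[[:space:]]+NOPASSWD:[[:space:]]*/usr/sbin/login_duo" "$f"
}

# Same test the sshrc in the thread makes: will this home directory trigger login_duo?
sshrc_would_run_duo() {
    [ -e "$1/.ssh/authorized_keys" ]
}

# Run every check; print what is wrong and return 1 if anything failed.
# Usage: audit_duo_setup SSHD_CONFIG PAM_SSHD SSHRC SUDOERS USER_OR_GROUP
audit_duo_setup() {
    rc=0
    check_sshd_config "$1" || { echo "sshd_config: need 'UsePAM yes' and no AuthenticationMethods"; rc=1; }
    check_pam_sshd "$2"    || { echo "pam.d/sshd: no pam_duo.so line in the auth stack"; rc=1; }
    check_sshrc "$3"       || { echo "sshrc: missing authorized_keys guard or login_duo call"; rc=1; }
    check_sudoers "$4" "$5" || { echo "sudoers: no NOPASSWD login_duo entry for $5"; rc=1; }
    return $rc
}

# When run directly with the five paths, perform the audit; when sourced, just define the functions.
[ "$#" -eq 0 ] || audit_duo_setup "$@"
```

Run it as `sh audit.sh /etc/ssh/sshd_config /etc/pam.d/sshd /etc/ssh/sshrc /etc/sudoers alice` (or a group such as `%sshusers` as the last argument). The sudoers check only looks at the single file it is given, so entries placed under /etc/sudoers.d need to be passed separately.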