Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
814
Views
0
Helpful
1
Replies

One User Cannot Log Onto Server Protected by Duo

Stephen Carville
Level 1
Level 1

‎09-16-2022 08:42 AM

One user is having repeated failures when trying to log onto a server protected by Duo. The failures are limited to the one user. No one else seems to be having any problems.

I tried in no particular order:

  1. restarting sshd
  2. disabling selinux.
  3. Resetting user password
  4. Setting user password to empty string
  5. Search Engines…

None of it worked. The one user still cannot log in.

There is nothing unsusual I can see in the account and the user only uses the target as a jump host.

Typical entries from sshd.log:

Sep 16 06:24:34 scajump01 sshd[1321830]: pam_duo(sshd:auth): conversation failed
Sep 16 06:24:34 scajump01 sshd[1321830]: Aborted Duo login for 'kbowser' from 10.222.79.74: Error gathering user response
Sep 16 06:24:34 scajump01 sshd[1321830]: Failed password for kbowser from 10.222.79.74 port 52388 ssh2
Sep 16 06:24:38 scajump01 sshd[1321830]: Connection closed by authenticating user kbowser 10.222.79.74 port 52388 [preauth]

ChallengeResponseAuthentication in sshd_config is set to yes.

/etc/pam.d/sshd

#%PAM-1.0
auth       required  pam_sepermit.so
# auth       substack     password-auth
auth       required   pam_env.so
auth       sufficient pam_duo.so
auth       required   pam_deny.so
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the[duo]

 first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

/etc/duo/pam_duo.conf (ikey, skey, and host values are bogus)

; Duo integration key
ikey = ENCRPLKHZIOHWBTVJTUZ

; Duo secret key
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■

; Duo API host
host = ■■■■■■■■■■■■■■■■■■■■■■■■■■■■

failmode = safe

; Send command for Duo Push authentication
pushinfo = yes
Labels:
0 Helpful
1 Reply 1

TabBerger
Cisco Employee
Cisco Employee

‎09-20-2022 07:47 AM

Hi there @linixhitman , welcome back to the Community! I noticed the entries from the sshd.log included “Error gathering user response”. Have you tried the other steps in the article “Why might I see “Error gathering user response” when using pam_duo?” Let us know if any of those steps are helpful!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents