One User Cannot Log Onto Server Protected by Duo

One user is having repeated failures when trying to log onto a server protected by Duo. The failures are limited to the one user. No one else seems to be having any problems.

I tried in no particular order:

  1. restarting sshd
  2. disabling selinux.
  3. Resetting user password
  4. Setting user password to empty string
  5. Search Engines…

None of it worked. The one user still cannot log in.

There is nothing unsusual I can see in the account and the user only uses the target as a jump host.

Typical entries from sshd.log:

Sep 16 06:24:34 scajump01 sshd[1321830]: pam_duo(sshd:auth): conversation failed
Sep 16 06:24:34 scajump01 sshd[1321830]: Aborted Duo login for 'kbowser' from 10.222.79.74: Error gathering user response
Sep 16 06:24:34 scajump01 sshd[1321830]: Failed password for kbowser from 10.222.79.74 port 52388 ssh2
Sep 16 06:24:38 scajump01 sshd[1321830]: Connection closed by authenticating user kbowser 10.222.79.74 port 52388 [preauth]

ChallengeResponseAuthentication in sshd_config is set to yes.

/etc/pam.d/sshd

#%PAM-1.0
auth       required  pam_sepermit.so
# auth       substack     password-auth
auth       required   pam_env.so
auth       sufficient pam_duo.so
auth       required   pam_deny.so
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the[duo]
 first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

/etc/duo/pam_duo.conf (ikey, skey, and host values are bogus)

; Duo integration key
ikey = ENCRPLKHZIOHWBTVJTUZ

; Duo secret key
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■

; Duo API host
host = ■■■■■■■■■■■■■■■■■■■■■■■■■■■■

failmode = safe

; Send command for Duo Push authentication
pushinfo = yes

Hi there @linixhitman , welcome back to the Community! I noticed the entries from the sshd.log included “Error gathering user response”. Have you tried the other steps in the article “Why might I see “Error gathering user response” when using pam_duo?” Let us know if any of those steps are helpful!