
Pam_duo (duo unix) Subsequent SSH Sessions

heckyeahcool

Hello,

I’ve recently successfully installed and configured Duo Unix using pam_duo on RHEL7 with pubkey authentication method.

My department would like the ability to bypass 2FA for subsequent SSH logins by the same user. So far I’ve only been able to find the “session awareness” feature through the ‘Duo Network Gateway’. Are there other solutions like custom scripts or custom PAM stacks that can accomplish this? I’m not sure we can utilize the network gateway feature just yet, as my department is not the duo admin for the campus.

Thanks,
Brian

Accepted Solutions

Xander_Desai

Hey Brian!
We don’t have any Duo specific features that would enable something like this just within the Duo Unix module. We’ve had a couple requests in the past, but unfortunately nothing like that is on our roadmap or will be soon.
The only thing I can offer you is the usage of the ControlMaster, ControlPath, and ControlPersist inside of each of the end users' .ssh/config files. This SSH feature allows you to reuse an already authenticated session for the length of time specified by your ControlPersist.
Using this feature you won’t have to re-authenticate as frequently. It has some tradeoffs that the network gateway is much better handled for, such as sessions across machines, better management of that session length, checking device health on access, etc.
So while I’d encourage you to still check out the Duo Network Gateway I’d also suggest taking a look at ControlMaster and seeing if it can provide for your needs in the meantime.
Let me know if you have any follow up questions,
Xander
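
The client-side connection reuse described in the reply above, as an added example (not part of the original thread and not Duo's code). The host name `bastion.example.edu`, the 10 minute lifetime, the `cm` socket directory and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: bastion.example.edu,
# the 10m lifetime, and the "cm" socket directory name.

# write_mux_block CONFIG HOST PERSIST
# Append a Host block that turns on connection sharing for HOST, keeping the
# control socket in a directory only the owner can enter. Safe to re-run.
write_mux_block() {
    cfg=$1
    host=$2
    persist=$3
    dir=$(dirname "$cfg")
    sockdir="$dir/cm"
    # The socket is an already-authenticated channel: anyone who can open it
    # gets a new session with no second-factor prompt, so lock the path down.
    mkdir -p "$sockdir" || return 1
    chmod 700 "$dir" "$sockdir" || return 1
    touch "$cfg" && chmod 600 "$cfg" || return 1
    # Marker comment makes the function idempotent.
    if grep -qxF "# mux: $host" "$cfg"; then
        return 0
    fi
    cat >>"$cfg" <<EOF
# mux: $host
Host $host
    ControlMaster auto
    ControlPath $sockdir/%C
    ControlPersist $persist
EOF
}

# Is a master connection still alive for HOST? (ssh -O check)
mux_status() { ssh -F "$1" -O check "$2"; }

# Tear the master down now instead of waiting for ControlPersist to expire.
mux_close() { ssh -F "$1" -O exit "$2"; }

# Only touch the real config when asked to: sh mux.sh --apply
if [ "${1:-}" = "--apply" ]; then
    write_mux_block "$HOME/.ssh/config" bastion.example.edu 10m
fi
```

Sessions opened over the master inherit its authentication, so the ControlPersist value bounds how long an idle master connection keeps accepting new sessions without a prompt. On the server side, `MaxSessions` in sshd_config caps how many sessions a single connection may carry.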

2 Replies

jeffsmith1

Brian,

Another option: if your users have performed MFA to access the server, you could also almost treat it as a jump host where you whitelist the IP address of the server. This will allow you to SSH into other servers internally and not be challenged again for MFA.

Take a look at our authorized networks policy.

Best,

Jeff
