Pam_duo (duo unix) Subsequent SSH Sessions

Hello,

I’ve recently successfully installed and configured Duo Unix using pam_duo on RHEL7 with pubkey authentication method.

My department would like the ability to bypass 2FA for subsequent SSH logins by the same user. So far I’ve only been able to find the “session awareness” feature through the ‘Duo Network Gateway’. Are there other solutions like custom scripts or custom PAM stacks that can accomplish this? I’m not sure we can utilize the network gateway feature just yet, as my department is not the duo admin for the campus.

Thanks,
Brian

Hey Brian!
We don’t have any Duo specific features that would enable something like this just within the Duo Unix module. We’ve had a couple requests in the past, but unfortunately nothing like that is on our roadmap or will be soon.
The only thing I can offer you is the usage of of the ControlMaster, ControlPath, and ControlPersist inside of each of the end users .ssh/config files. This SSH feature allows you to reuse an already authenticated session for the length of time specified by your ControlPersist.
Using this feature you won’t have to re-authenticate as frequently. It has some tradeoffs that the network gatework is much better handled for such as sessions across machines, better management of that session length, checking device health on access, etc.
So while I’d encourage you to still check out the Duo Network Gateway I’d also suggest taking a look at ControlMaster and seeing if it can provide for your needs in the meantime.
Let me know if you have any follow up questions,
Xander

1 Like

Brian,

Another option if your users have performed MFA to access the server you could also almost treat it as a jump host where you whitelist the IP address of the server. This will allow you to SSH into other servers internally and not be challenged again for MFA.

Take a look at our authorized networks policy.

Best,

Jeff

1 Like