Setting up duo_unix with Ubuntu 18.04


#1
I'm wondering if I can get some help installing the Duo PAM module on Ubuntu 18.04. In my case, I'm trying to use pam_duo with SSH public key authentication.

Since there isn't a prebuilt package, I've built this as follows:

sudo apt install build-essential libssl-dev libpam-dev

Using the documentation to build, I now have a compiled module in /lib64/security/pam_duo.so.

I've added the following to /etc/ssh/sshd_config:

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
UseDNS no
AuthenticationMethods publickey,keyboard-interactive

I've made the following changes to /etc/pam.d/common-auth:

# here are the per-package modules (the "Primary" block)
auth	requisite	pam_unix.so nullok_secure
auth	[success=1 default=ignore]	/lib64/security/pam_duo.so
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional	pam_ecryptfs.so unwrap
auth	optional			pam_cap.so
# end of pam-auth-update config

and /etc/pam.d/sshd:

# Standard Un*x authentication.
#@include common-auth

auth    [success=1 default=ignore]      /lib64/security/pam_duo.so
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so

I get the Duo prompt to enroll when using "sudo" from an interactive login. 

However, I cannot get sshd to work properly. Here's what I see:

debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
Enter passphrase for key '<redacted>':
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug1: No more authentication methods to try.
<redacted>: Permission denied (keyboard-interactive).

I am using the following OpenSSH versions:

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4

Any ideas or things I can try?
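
Added example (not part of the original post, and not Duo's or Linux-PAM's own code): a simplified Python model of how Linux-PAM walks the auth lines posted above for /etc/pam.d/sshd. It shows what the `[success=1 default=ignore]` jump does and why the comments say pam_permit.so "primes" the stack. The module return codes passed to `evaluate` are hypothetical inputs, and `no_result` is this model's own label for a stack in which no module recorded a result.

```python
import re
# Auth lines as posted for /etc/pam.d/sshd (comment lines omitted).
SSHD_AUTH = """\
auth    [success=1 default=ignore]      /lib64/security/pam_duo.so
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""
# Keyword controls written as their bracket equivalents (see pam.conf(5)).
KEYWORDS = {
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional": {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text):
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # comments, blank lines, @include, other facilities
        ctl, module = m.groups()
        actions = dict(kv.split("=", 1) for kv in ctl[1:-1].split()) if ctl[0] == "[" else KEYWORDS[ctl]
        stack.append((module.rsplit("/", 1)[-1], actions))
    return stack

def evaluate(stack, results):
    """results: module -> return code. Returns (code, modules run). 'reset' is not modelled."""
    impression, status, ran, i = None, None, [], 0
    while i < len(stack):
        module, actions = stack[i]
        ret = results[module]
        ran.append(module)
        action = actions.get(ret, actions.get("default", "bad"))  # model choice: unset means bad
        i += 1
        if action.isdigit():
            i += int(action)  # jump: skip N modules; this module's result is not recorded
        elif action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", ret
                if action == "done":
                    break
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", ret
            if action == "die":
                break
    return (status if impression else "no_result"), ran  # nothing recorded: stack fails
```

In this model the stack succeeds only when pam_duo.so returns success: the jump skips pam_deny.so and pam_permit.so supplies the recorded result. Any other Duo return code falls through to pam_deny.so.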