SSH and authproxy - too quick at login


#1

I’ve configured the Duo Auth Proxy on an Ubuntu 16.04 box. It is acting as a RADIUS server, verifying against my AD schema. Logins to the console work flawlessly after some general modifications to the pam.d/login file. Where I’m experiencing issues is with ssh.

When logging in with a valid user (specified by the authconfig settings), I do get prompted by Duo, but my response time is less than 5 seconds in many cases. By the time the Duo app prompts me, ssh has already failed login and prompts me to re-enter my password.

  • Is there a way to extend the timeout for ssh/Duo?
  • Should I reconsider using SSSD and pam_duo instead of the proxy?

So far, this is the only thing holding me back from a 100% successful Linux implementation.

Thank you,
Larry


#2

Can’t answer you completely, but we have implemented sssd and pam_duo, and it works fine for SSH. In fact, it will work for local accounts as well as sssd (AD) accounts - we use it for our external database-support NOC, who can ssh in and have Duo call one of 2 NOC phone numbers. Only tricky part there was PAM and supporting local (console) login… but we figured our way through that.

Can you turn up the logging on sshd_config (DEBUG) and see what it is doing?