SSH keys, passwords and Duo (oh myy)


#1

In our environment we have RHEL 5, 6 and 7 machines, and we would like to implement Duo across our Linux servers. We have automated processes that rely on SSH keys to transfer files securely, and we have admins that regularly access the servers via SSH keys and passwords. I noticed that in order to authenticate via SSH keys, Duo requires the items referenced below.

OpenSSH 6.2+
SSH protocol 2
Duo Unix 1.9.15

My question is: if we meet the requirements specified, while using duo_unix (PAM module config preferred), can we use either SSH keys or passwords to authenticate via Duo (not both, but either/or)? Or can you only use passwords or keys with Duo? If Duo has the ability to work with either SSH keys or passwords, is there any documentation explaining how to implement the option of passwords or SSH keys with Duo (duo_unix)? Thanks in advance :smiley:


#2

I haven’t tested this lately, but in the past the takeaway was:

pam_duo doesn’t work with this, because you can’t choose Authentication Methods (like pubkey) AND/OR PAM.

Instead, you might try login_duo (https://duo.com/docs/loginduo). You may be able to add it after PubKey and Password. Also note the security concerns you need to be aware of when using login_duo:

We strongly recommend that you disable PermitTunnel and AllowTcpForwarding in your sshd_config when using login_duo to protect SSH logins. Since OpenSSH sets up port forwarding and tunneling before Duo’s two-factor challenge, an attacker may be able to access internal services via port forwarding before completing secondary authentication. Adding the following lines to your sshd_config will prevent this scenario:

PermitTunnel no
AllowTcpForwarding no

Note: this will likely work because you have pubkey enabled only for convenience, not security, since password is still enabled for all users. This means you don’t need any logic sorting out pass/fail clauses for each one; they just move down sequentially. If you wanted certain users to get different auth logic, you might try the Match command to send different groups down different auth paths: https://raymii.org/s/tutorials/Limit_access_to_openssh_features_with_the_Match_keyword.html

Cheers
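A defender-side check for the login_duo caveat quoted above, as an added example that is not from this thread or from Duo: it parses `sshd -T` output and flags any PermitTunnel or AllowTcpForwarding value other than `no` whenever login_duo is the ForceCommand. The function names and the sample `sshd -T` lines are constructed for the example.

```python
"""Flag the login_duo forwarding gap in `sshd -T` output: OpenSSH sets up
port forwarding and tunnels before a ForceCommand like login_duo prompts
for the second factor, so both directives must be 'no' when it is used."""
import subprocess

def parse_sshd_t(text):
    """Parse `sshd -T` output (one lowercase "keyword value" per line)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), []).append(value)
    return settings

def audit_login_duo(settings):
    """Return a list of findings; an empty list means no gap was detected."""
    findings = []
    # login_duo is wired in via ForceCommand; sshd -T prints 'none' when unset.
    if not any("login_duo" in v for v in settings.get("forcecommand", [])):
        return findings
    for key in ("permittunnel", "allowtcpforwarding"):
        values = settings.get(key, [])
        # Anything but 'no' (yes, local, remote, point-to-point, ethernet)
        # lets a client open forwarding before login_duo has run.
        if not values or any(v != "no" for v in values):
            findings.append(f"{key}={values or 'unset'}: login_duo requires 'no'")
    return findings

def audit_live_sshd(match_context=None):
    """Audit this host. Pass e.g. 'user=alice,host=h,addr=10.0.0.5' to
    evaluate Match blocks, which sshd -T skips unless given -C."""
    cmd = ["sshd", "-T"] + (["-C", match_context] if match_context else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return audit_login_duo(parse_sshd_t(out))

# Constructed sample output, not captured from a real server.
SAMPLE_WEAK = "forcecommand /usr/sbin/login_duo\npermittunnel yes\nallowtcpforwarding yes\n"
SAMPLE_HARDENED = SAMPLE_WEAK.replace("yes", "no")

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_login_duo(parse_sshd_t(cfg)) or "OK")
```

Run it per user with `audit_live_sshd("user=alice,host=...,addr=...")` on hosts that use Match blocks, since the effective values can differ from the global ones.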


#3

I’m not sure that I got the goal properly, but I hope so :)
We had a similar problem: authentication with several methods, where one way went through PAM (password auth) and another went through ssh itself (GSSAPI). So we had to slightly recompile pam_duo and build an sshd configuration with varying password auth and keyboard-interactive auth. If that is the goal you are trying to achieve, I can tell you about it in more detail.


#4

This may be what I’m actually looking for. I’m considering testing Ansible in my environment, but I will also have systems that require authentication for SSSD-connected users. Can I combine the two with your methods?

Thank you