Trouble with Ubuntu 20.04 SSH

Having some trouble getting SSH going. I’ve tried on 2 new Ubuntu 20.04 servers to far and have failed on both. I’m installing from packages, duo-unix. I added the repo and the new GPG key. It installs fine. I’ve edited both /etc/duo/login_duo.conf and /etc/duo/pam_duo.conf to have the keys and such. At this point I try to just test it with:

rob@veeamtest:~$ /usr/sbin/login_duo
Couldn’t open /etc/duo/login_duo.conf: Permission denied

Not sure if this is correct or not, but it’s how they are on two different servers after installing:
rob@veeamtest:~$ ls -al /etc/duo/
total 16
drwxr-xr-x 2 root root 4096 Aug 2 17:17 .
drwxr-xr-x 98 root root 4096 Aug 3 06:28 …
-rw------- 1 root root 562 Aug 2 17:17 login_duo.conf
-rw------- 1 root root 561 Aug 2 17:10 pam_duo.conf

I am not sure how to edit /etc/pam.d/sshd properly. I don’t require SSH Public Key Auth. But it’s my understanding the Duo test above should work, if Duo is configured properly, regardless if you have enabled it in sshd or not yet.

Anyway, my goal is to have the user test working with /usr/sbin/login_duo and then to enable Duo for standard password based SSH logins. I’d rather not have it protecting console access as well.

Can anyone help get me going? I have a ticket open with Duo since yesterday morning but no response yet. Thank you.

Ok well I got further. From another thread further down I found
sudo login_duo -f rob 'echo "Hello World"'

and that does work on both servers. So I guess Duo is working.

So then I go to enable enable it for logins by editing /etc/pam.d/common-auth but it doesn’t work. As soon as I follow the guide and comment out like this:
# auth [success=1 default=ignore] nullok_secure
and add the two lines like this:

auth  requisite nullok_secure
auth  [success=1 default=ignore]

It fails.

I’ve even added the full path in the hopes it might work but nope, I get permission denied when attempting to SSH with any account. I try to login, I enter password, then get permission denied.

Here is my entire /etc/pam.d/common-auth file

# /etc/pam.d/common-auth - authentication settings common to all services
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
#Commented out below for Duo per
#auth   [success=1 default=ignore] nullok_secure
#Added below per
auth  requisite nullok_secure
auth  [success=1 default=ignore] /lib64/security/
# here's the fallback if no module succeeds
auth    requisite             
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required              
# and here are more per-package modules (the "Additional" block)
auth    optional              
# end of pam-auth-update config

I’ve also tried just leaving /etc/pam.d/common-auth defaults and only and adding at the bottom

auth required /lib64/security/ nullok

As I saw, similar to here: How To Configure Multi-Factor Authentication on Ubuntu 18.04 | DigitalOcean

Still get permission denied though and have to revert back to defaults. Nothing seems to work.

Talked to support. There appears to be a bug in the package. Permissions are not set right. Here’s how to set this up correctly.

Just install it from packages, add the keys, update apt, etc.
Edit your login_duo.conf file to add your keys and such.
If you try to test Duo at this point using login_duo it will fail unless you sudo and specify the user with ‘-f username’. This is actually the symptom of the problem as it should execute without sudo. If you must use sudo to test login_duo, it won’t work once you apply it to SSH loging.

The problem is that login_duo.conf is set to 600 root:root. This should be 600 sshd:root.

cd /etc/duo
sudo chown sshd login_duo.conf
ls -al
-rw-------  1 sshd root  562 Aug  2 17:17 login_duo.conf

Now you can execute login_duo just fine.

Now we need to edit etc/ssh/sshd_config
sudo vi etc/ssh/sshd_config

add the following lines underneath ‘Include /etc/ssh/sshd_config.d/*.conf’

ForceCommand /usr/sbin/login_duo
PermitTunnel no
AllowTcpForwarding no

restart SSH
sudo service ssh restart

or just restart the server. Now you can login over SSH and be prompted for Duo.

1 Like

Thank you for following up to share the solution with the community, @vertices! I’m glad you were able to get this resolved with the Duo Support team.

1 Like