What are the risks of leaking the pam_duo.conf contents?


#1

If a person is able to read (but not modify) the /etc/duo/pam_duo.conf file of a Linux server (which they may or may not already be authorised to access via SSH), what can this information be used to achieve?

For example, is it possible for such a person to issue requests to the Duo API directly supplying the integration key and secret key from the pam_duo.conf file? Would this allow the person to determine the next valid OTP? Would this allow the person to lock out an account?

I.e. how sensitive are the keys used in pam_duo.conf and what attack vectors are enabled by knowing them?

Essentially I want to understand the risks when a user has sudo-privileges on a Linux server protected by pam_duo or when a user has access to the configuration and credential management system used to provision a Linux server protected by pam_duo.


#2

We advise customers to guard their application secret keys as they would a password. We have some guidance around protecting the pam_duo configuration file here.

Beyond reading the Duo config file, the sudoer could decide to disable Duo altogether. The sudoer might change someone’s primary password. When you’re granting sudo access to privileged users you just have to trust them not to act against the org, which would include not using the Duo information for other purposes.

If you’d like a more detailed discussion about this, please do not hesitate to contact Duo support.