If a person is able to read (but not modify) the /etc/duo/pam_duo.conf file of a Linux server (which they may or may not already be authorised to access via SSH), what can this information be used to achieve?
For example, is it possible for such a person to issue requests to the Duo API directly supplying the integration key and secret key from the pam_duo.conf file? Would this allow the person to determine the next valid OTP? Would this allow the person to lock out an account?
I.e. how sensitive are the keys used in pam_duo.conf and what attack vectors are enabled by knowing them?
Essentially I want to understand the risks when a user has sudo-privileges on a Linux server protected by pam_duo or when a user has access to the configuration and credential management system used to provision a Linux server protected by pam_duo.