Re: Pam_duo is set to autopush=yes and only pushes to mobile, no SMS option

arnjukajr · ‎06-16-2023

I’m sure I’m missing something obvious. Here’s the config I’m using:

[duo]
ikey =
skey =
host =
pushinfo = yes
autopush = yes

sshd_config:

UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no

PAM config:

auth requisite pam_unix.so nullok_secure
auth [success=1 default=ignore] /lib64/security/pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so

When I ssh and enter my password it just sits there and pushes to my mobile. If I accept the login it logs me in successfully.

I need it to not autopush to my mobile. I’m using a Yubikey so I need it to give me the 3 options like this:

Enter a passcode or select one of the following options:

Duo Push to XXX-XXX-1111
SMS passcodes to XXX-XXX-1111

Passcode or option (1-2): xxxxxxxxxxxxxxxxxxxxxxxxxx

Because it’s autopush-ing to my mobile, I don’t have the option to use the Yubikey.

If I disable autopush, I get the following in auth.log:

Jun 17 01:30:25-observium1 sshd[1332685]: starting Duo Unix: PAM Duo
Jun 17 01:30:25-observium1 sshd[1332685]: pam_duo(sshd:auth): conversation failed
Jun 17 01:30:25-observium1 sshd[1332685]: Aborted Duo login for ‘username’ from 1.1.1.1: Error gathering user response
Jun 17 01:30:27-observium1 sshd[1332685]: Failed password for username from 1.1.1.1 port 55770 ssh2

However, I know the password is correct. As soon as I set it back to autopush, it works.

This is running Ubuntu 22.04 with the latest updates.

Any help is much appreciated.

DuoKristina · ‎06-20-2023

If you have Duo Unix configured for PAM + public key authentication but leave passwords in the in the AuthenticationMethods line of sshd_config and disable autopush then password failure is a common outcome. SSH password authentication doesn’t allow other PAM modules to read input after the initial password, which is why Duo Unix’s PAM module is failing there.

If you want to use passwords for login instead of or in addition to public key authentication, with Duo Unix able to read inputs from the login process (like your Yubikey OTP), take a look at these articles:

How do I enable pam_duo to use both passwords and public key authentication?
How do I enable pam_duo to use passwords instead of public key authentication?

Duo, not DUO.

arnjukajr · ‎06-20-2023

I’ve already looked at that. I’m not using pub key authentication. I’m using password authentication.

I even created a brand new Ubuntu 22.04 VM, did the exact same config and the same thing happened. It only auto-pushes to my mobile. I never get the option to select SMS or phone call auth.

DuoKristina · ‎06-20-2023

Right, that is what I’m saying. The PAM config example you posted (what is in the main duounix doc page for Ubuntu) is not compatible with password authentication. Those two KB articles have exampleDIFFERENT PAM/sshd configs that let someone use password auth. in particular take a look at the “How do I enable pam_duo to use passwords instead of public key authentication?” article and the config file examples for Ubuntu in it.

Duo, not DUO.

arnjukajr · ‎06-20-2023

I just tried that as well. I matched all the settings from that article. Same result though.

[duo]
ikey =
skey =
host =
pushinfo = yes
autopush = yes
prompts = 1

sshd_config:

PubkeyAuthentication no
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
#AuthenticationMethods keyboard-interactive
Kb■■■■■■■■■■■■■■■■■■■■cation yes

I had to set sshd_config like this otherwise it failed to start.

Jun 20 00:59:48 ubuntu-duo-test sshd[15985]: Disabled method “keyboard-interactive” in AuthenticationMethods list “keyboard-interactive”
Jun 20 00:59:48 ubuntu-duo-test sshd[15985]: AuthenticationMethods cannot be satisfied by enabled authentication methods
Jun 20 00:59:48 ubuntu-duo-test systemd[1]: ssh.service: Control process exited, code=exited, status=255/EXCEPTION

/etc/pam.d/sshd:

auth required pam_env.so
auth requisite pam_unix.so
auth [success=1 default=ignore] /lib64/security/pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so

/etc/pam.d/common-auth:

auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_unix.so
auth [success=1 default=ignore] /lib64/security/pam_duo.so
auth required pam_deny.so
auth required pam_permit.so

Is there some bug or weird interaction with Ubuntu 22.04 and Duo? Do I need to build from source to get the latest version of Duo maybe? Instead of using apt to install?

DuoKristina · ‎06-20-2023

If you included PasswordAuthentication yes then you didn’t match the settings in that article.

Did you also try it with PasswordAuthentication no?

Duo, not DUO.

arnjukajr · ‎06-20-2023

I tried it both ways. If PasswordAuthentication is no, my login just fails. If it’s yes, it at least works and pushes to my mobile to accept.

I know the password is correct because I’m copy/pasting it.

Do you actually have this working with pam_duo on Ubuntu 22.04?