11-08-2018 08:32 AM
I’ve started to add a couple of linux servers into duo, and looking for some advice.
This server is running CentOS 7, and has a few local user accounts
root - needs duo
user1 - needs duo
user2 - uses ssh key login only, doesn’t need duo
user3 - needs duo
The base install and config works well for root, user1 and user3 … but doesn't let user2 in the door (as expected). I thought the answer was to have the
pushinfo = yes
groups = *,!user2
in the config file … that seems to allow user2 to log in via ssh with no password prompt at all, which is not good. (Other users with this config still get the Duo prompt.)
I’m assuming this is because the default install comments out the
auth substack password-auth
line in PAM?
Any ideas out there for this?
Thanks!
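The combination described above (the password-auth substack commented out of /etc/pam.d/sshd while a `groups = *,!name` line excludes someone from Duo) can be spotted with a small audit script. This is an added example, not something from the thread or from Duo; it assumes the PAM service file and the Duo config (pam_duo.conf or login_duo.conf) are passed in as paths, and the sample files in the usage are constructed.

```shell
#!/bin/sh
# Constructed audit helper (added example, not Duo's code): flag the case where
# the sshd PAM stack no longer runs the Unix password check and the Duo config
# excludes names from 2FA. Such a name then passes the PAM auth phase with
# neither a password nor a Duo prompt.

# pam_has_password_stack FILE -> 0 if an active (uncommented) auth line still
# pulls in password-auth or calls pam_unix.so, else 1.
pam_has_password_stack() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(substack|include)[[:space:]]+password-auth|^[[:space:]]*auth[[:space:]].*pam_unix\.so' "$1"
}

# pam_uses_duo FILE -> 0 if an active auth line loads pam_duo.so, else 1.
pam_uses_duo() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_duo\.so' "$1"
}

# duo_excluded_principals CONF -> prints each "!"-prefixed entry of the
# "groups =" line, one per line (e.g. "*,!user2" yields "user2").
duo_excluded_principals() {
    sed -n 's/^[[:space:]]*groups[[:space:]]*=[[:space:]]*//p' "$1" \
      | tr ',' '\n' | sed -n 's/^[[:space:]]*!//p'
}

# audit_duo_bypass PAMFILE CONF -> prints one WARN line per excluded name that
# the PAM auth phase would accept without any factor; returns 0 when the stack
# is fine, 2 when at least one such name was found.
audit_duo_bypass() {
    pamfile=$1 conf=$2
    pam_uses_duo "$pamfile" || return 0           # Duo not in this stack
    pam_has_password_stack "$pamfile" && return 0 # password still checked
    found=0
    for p in $(duo_excluded_principals "$conf"); do
        echo "WARN: '$p' is excluded from Duo and $pamfile performs no password check"
        found=2
    done
    return $found
}

# Usage against the live system (constructed paths, adjust to taste):
#   audit_duo_bypass /etc/pam.d/sshd /etc/duo/pam_duo.conf
```

The check looks only at the PAM auth phase; an sshd_config that also requires a public key (AuthenticationMethods) is a separate control and is not inspected here.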
11-08-2018 08:40 AM
Yeah if you follow our docs directly we have you turn off password and instead use public key authentication.
I’m a little confused by your question though. I thought you said you wanted user2 to have ssh key login only. Do you also want a password?
11-08-2018 09:15 AM
We also have this help article about group membership that could be useful. Although I think it’s possible your groups are set up correctly already.
https://help.duo.com/s/article/2225?language=en_US
01-15-2019 10:52 AM
Do the group membership options in login_duo.conf support LDAP netgroups?
01-16-2019 06:19 AM
Hi Svieth!
This is something we haven’t been able to test yet, however, my hunch is that it will not work.
On the backend of things we are using http://man7.org/linux/man-pages/man3/getgrouplist.3.html to get the groups that a user belongs to. I'm not super familiar with LDAP netgroups, but if the LDAP netgroups do not show up as a result of that function then you won't be able to use them in the group list in the login_duo.conf.
11-08-2018 10:16 AM
user2 normally logs in with a key but has a backup password set; I would like to keep password-based login as a backup (there is a separate set of IDS/IPS filters that block repeated failed logins).
11-09-2018 10:56 AM
I’ll add that this is also something that someone might want to add to the documentation, since not everyone will realize that if they exclude a user from 2FA (and they have a password set for the user) the default documentation exposes that user account without a password.
11-12-2018 06:55 AM
mrivett,
PAM does provide some flexibility as to when/how to trigger 2FA.
For example, you can configure PAM to require 2FA for BOTH password and key login:
https://help.duo.com/s/article/3745
You can also configure PAM + SSH to fall back to password login if key-based authentication fails; however, this requires the use of both pam_duo and login_duo:
https://help.duo.com/s/article/2169
The one limitation that exists that does not meet your requirements is allowing fallback to password based auth on an individual user or group of users. I suppose that only users that DO have passwords set would trigger the fallback behavior you are looking for.
Regards,
Ryan