Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1608
Views
2
Helpful
4
Replies

Excluding users/groups in login_duo

Go to solution
sreekand
Level 1
Level 1

‎08-13-2021 02:37 AM

Hi,

If I am using global policy, the exceptions with “groups” parameter still work for login_duo ?
It is currently working for me. But is it really a feature or a loophole ? For me these two things seems to be contradictory.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Amy2
Level 5
Level 5
In response to sreekand

‎08-19-2021 06:08 AM

Ah, thank you for clearing that up! I did misunderstand your initial question. Yes this is intentional. This is explained in our documentation for Duo Unix - Two Factor Authentication for SSH (login_duo) under Enable Login Duo in the Installation instructions, and there are more details in the Duo Configuration Options under groups as well. I hope that helps!

P.S. I edited your post to remove the screenshot, because it contained your Secret key which should never be shared publicly, even with Duo. Please be careful when sharing screenshots in the community to remove any info that should not be shared.

View solution in original post

4 Replies 4

Go to solution
Amy2
Level 5
Level 5

‎08-18-2021 06:32 AM

Hi @sreekand, great question! The order in which Duo policies are enforced can be a bit confusing. Group policies take precedence and override both application and global policies. A good rule of thumb to keep in mind is that the most specific policy will apply for a given scenario.

Please take a look at the explanation in this help article on how Duo policies are enforced for more details!

0 Helpful

Go to solution
sreekand
Level 1
Level 1

‎08-18-2021 08:53 PM

Hi @Amy,

Thanks a lot for the clarification. But I believe still there is a confusion, the one I mentioned is not group policies. But about the OS groups that we mention in our /etc/duo/login_duo.conf file. I have noticed if I use groups parameter, only those users (belong to the group) will be enforced with two factor authentication. All other users will be bypassed from 2FA. Please see the screenshot below.

0 Helpful

Go to solution
Amy2
Level 5
Level 5
In response to sreekand

‎08-19-2021 06:08 AM

Ah, thank you for clearing that up! I did misunderstand your initial question. Yes this is intentional. This is explained in our documentation for Duo Unix - Two Factor Authentication for SSH (login_duo) under Enable Login Duo in the Installation instructions, and there are more details in the Duo Configuration Options under groups as well. I hope that helps!

P.S. I edited your post to remove the screenshot, because it contained your Secret key which should never be shared publicly, even with Duo. Please be careful when sharing screenshots in the community to remove any info that should not be shared.

Go to solution
sreekand
Level 1
Level 1
In response to Amy2

‎08-19-2021 06:28 AM

@Amy , Thank you very much. Already referred the documentation, but wanted to check and confirm with someone who has more expertise.

And thank you for reminding me about the keys…I overlooked the key information.

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents