Summary
This article discusses how to enable Duo 2FA on Ubuntu.
Caution: Upgrading Ubuntu from 20.04 to 22.04 can break Duo Unix
Upgrading from 20.04 to 22.04 with do-release-upgrade requires use of the --allow-third-party flag. Without this flag, do-release-upgrade disables third-party libraries, including those used by Duo Unix, which could prevent logins after upgrading.
Please see the Duo Knowledge Base article How do I upgrade Ubuntu from version 20.04 to 22.04 with Duo Unix installed? for more information, including recovery steps if you have already performed the upgrade without allowing third-party libraries.
Environment
Ubuntu 22.04 and 24.04.
Directions
- Request your DUO keys from ITS first; once you have them, you can get started.
- Create /etc/apt/sources.list.d/duosecurity.list:
# vim /etc/apt/sources.list.d/duosecurity.list
- Add the following contents:
- For Ubuntu 22.04:
deb [arch=amd64] https://pkg.duosecurity.com/Ubuntu jammy main
- For Ubuntu 24.04:
deb [arch=amd64] https://pkg.duosecurity.com/Ubuntu noble main
- Execute the following shell commands (the apt-get install command installs both the duo-unix package and the ssh package):
# curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/duo.gpg
# apt-get update && apt-get install duo-unix
- Duo configuration: once duo_unix is installed, edit login_duo.conf and pam_duo.conf (in /etc/duo or /etc/security) to add the integration key, secret key, and API hostname from your Duo Unix application:
# vim /etc/duo/login_duo.conf /etc/duo/pam_duo.conf
The updated /etc/duo/login_duo.conf should look like the following (key values replaced with XXXXXXX in this document):
[duo]
; Duo integration key
ikey = XXXXXXXX
; Duo secret key
skey = XXXXXXXX
; Duo API host
host = XXXXXXXX
groups = umroot-users
; `failmode = safe` In the event of errors with this configuration file or connection to the Duo service
; this mode will allow login without 2FA.
; `failmode = secure` This mode will deny access in the above cases. Misconfigurations with this setting
; enabled may result in you being locked out of your system.
failmode = safe
; Send command for Duo Push authentication
;pushinfo = yes
The updated /etc/duo/pam_duo.conf should look like the following (key values replaced with XXXXXXX in this document):
[duo]
; Duo integration key
ikey = XXXXXXX
; Duo secret key
skey = XXXXXXX
; Duo API host
host = XXXXXXXX
groups = umroot-users
; `failmode = safe` In the event of errors with this configuration file or connection to the Duo service
; this mode will allow login without 2FA.
; `failmode = secure` This mode will deny access in the above cases. Misconfigurations with this setting
; enabled may result in you being locked out of your system.
- Edit the /etc/ssh/sshd_config file so that ChallengeResponseAuthentication is yes, UsePAM is yes, and UseDNS is no:
# vim /etc/ssh/sshd_config
# Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
ChallengeResponseAuthentication yes
(On Ubuntu 22.04 and above, the following keyword is present in place of ChallengeResponseAuthentication and should already be set to yes by default)
KbdInteractiveAuthentication yes
(This value does not need to change, as it is already set to yes)
UsePAM yes
(This value does not need to change, as it is already set to yes)
#UseDNS no
- Edit the /etc/pam.d/sshd file to add the line for pam_duo.so. Note that on Ubuntu the full path to the pam_duo.so file is needed, unlike on RHEL, where just the file name is required. Add it underneath the @include common-auth line:
# vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
#Call the DUO Module
#Reference the /etc/duo/pam_duo.conf file for a list of Included/Excluded users
auth required /usr/lib64/security/pam_duo.so
- Once the changes are complete (to the sshd_config file especially), restart the sshd service to load the new configuration. In a terminal, run:
# systemctl restart sshd
- Finally, DO NOT EXIT this terminal session; open a new terminal session to test the DUO configuration with ssh, using your 1 account. This keeps an admin session open for troubleshooting if something was misconfigured.
- If the DUO 2FA prompt does not show up during the login process, try adding the following as a new line at the end of /etc/ssh/sshd_config:
ForceCommand /usr/sbin/login_duo
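As an added example (not part of this article and not Duo's own tooling), the following POSIX shell script checks the three files edited above before you restart sshd, so a typo or a forgotten placeholder key is caught while the admin session is still open. The function names, the sample file contents written by make_samples, and the sample ikey/skey/host values are constructed for this illustration; the sshd_config checks follow the values the article sets (KbdInteractiveAuthentication yes, UsePAM yes, UseDNS no).

```shell
#!/bin/sh
# Added example: pre-restart sanity check for the Duo Unix + sshd edits described above.
# Sample inputs are constructed in make_samples so the checks can be exercised offline.

# first_value FILE KEYWORD: sshd honours the first non-commented occurrence of a keyword
first_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# check_sshd FILE: 0 when the sshd_config values the article requires are in effect
check_sshd() {
    [ "$(first_value "$1" KbdInteractiveAuthentication)" = yes ] || return 1
    [ "$(first_value "$1" UsePAM)" = yes ] || return 1
    dns=$(first_value "$1" UseDNS)        # UseDNS defaults to no, so a commented "#UseDNS no" is fine
    [ -z "$dns" ] || [ "$dns" = no ]
}

# check_pam FILE: 0 when an active auth line references pam_duo.so by full path (Ubuntu needs the path)
check_pam() {
    grep -Eq '^auth[[:space:]]+[^#]*[[:space:]]/[^[:space:]]*/pam_duo\.so' "$1"
}

# check_duo_conf FILE: 0 when ikey, skey and host are set and not left as the XXXXXXX placeholders
check_duo_conf() {
    for key in ikey skey host; do
        v=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | head -n 1)
        [ -n "$v" ] || return 1
        case "$v" in X*) return 1 ;; esac
    done
    return 0
}

# run_checks SSHD_CONFIG PAM_SSHD DUO_CONF: report every failing file; 0 only if all three pass
run_checks() {
    rc=0
    check_sshd "$1" || { echo "$1: KbdInteractiveAuthentication/UsePAM must be yes, UseDNS no"; rc=1; }
    check_pam "$2" || { echo "$2: no active 'auth ... /full/path/pam_duo.so' line"; rc=1; }
    check_duo_conf "$3" || { echo "$3: ikey/skey/host missing or still placeholders"; rc=1; }
    return $rc
}

# make_samples DIR: constructed good/bad copies of the three files (values are made up) for a dry run
make_samples() {
    printf '%s\n' '# comment' 'KbdInteractiveAuthentication yes' 'UsePAM yes' '#UseDNS no' > "$1/sshd_good"
    printf '%s\n' 'UsePAM yes' 'KbdInteractiveAuthentication no' > "$1/sshd_bad"
    printf '%s\n' '@include common-auth' 'auth required /usr/lib64/security/pam_duo.so' > "$1/pam_good"
    printf '%s\n' '@include common-auth' '#auth required /usr/lib64/security/pam_duo.so' > "$1/pam_bad"
    printf '%s\n' '[duo]' 'ikey = DIEXAMPLEKEY0000' 'skey = example-secret' 'host = api-example.duosecurity.com' > "$1/duo_good"
    printf '%s\n' '[duo]' '; Duo integration key' 'ikey = XXXXXXXX' 'skey = XXXXXXXX' 'host = XXXXXXXX' > "$1/duo_bad"
}

# Live run as root: sh duo_check.sh /etc/ssh/sshd_config /etc/pam.d/sshd /etc/duo/login_duo.conf
if [ "$#" -eq 3 ]; then run_checks "$@"; exit $?; fi
```

A non-zero exit from run_checks means at least one file still needs attention before the systemctl restart above.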
Notes
Duo Unix - Two-Factor Authentication for SSH with PAM Support (pam_duo)