Summary
This article discusses how to enable Duo 2FA on Ubuntu.
Environment
Duo on Ubuntu
Directions
- Request your DUO keys from ITS first, then once you have them, you can get started.
- Create /etc/apt/sources.list.d/duosecurity.list:
vim /etc/apt/sources.list.d/duosecurity.list
- Add the following contents:
- For Ubuntu 20.04:
deb [arch=amd64] https://pkg.duosecurity.com/Ubuntu focal main
- For Ubuntu 22.04:
deb [arch=amd64] https://pkg.duosecurity.com/Ubuntu jammy main
- Execute the following shell commands (the apt-get install command installs both the duo-unix package and the ssh package):
curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -
apt-get update && apt-get install duo-unix
- Duo Configuration, once duo_unix is installed, edit login_duo.conf and pam_duo.conf (in /etc/duo or /etc/security) to add the integration key, secret key, and API hostname from your Duo Unix application:
vim /etc/duo/login_duo.conf /etc/duo/pam_duo.conf
The updated /etc/duo/login_duo.conf should look like the following (key values replaced with XXXXXXX in this document):
[duo]
; Duo integration key
ikey = XXXXXXXX
; Duo secret key
skey = XXXXXXXX
; Duo API host
host = XXXXXXXX
groups = umroot-users
; `failmode = safe` In the event of errors with this configuration file or connection to the Duo service
; this mode will allow login without 2FA.
; `failmode = secure` This mode will deny access in the above cases. Misconfigurations with this setting
; enabled may result in you being locked out of your system.
failmode = safe
; Send command for Duo Push authentication
;pushinfo = yes
The updated /etc/duo/pam_duo.conf should look like the following (key values replaced with XXXXXXX in this document):
[duo]
; Duo integration key
ikey = XXXXXXX
; Duo secret key
skey = XXXXXXX
; Duo API host
host = XXXXXXXX
groups = umroot-users
; `failmode = safe` In the event of errors with this configuration file or connection to the Duo service
; this mode will allow login without 2FA.
; `failmode = secure` This mode will deny access in the above cases. Misconfigurations with this setting
; enabled may result in you being locked out of your system.
- Edit the /etc/ssh/sshd_config file to change ChallengeResponseAuthentication to yes, and UsePAM is yes, and UseDNS is no:
vim /etc/ssh/sshd_config
# Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
ChallengeResponseAuthentication yes
(sometimes will be uncommented by default)
#KbdInteractiveAuthentication no
(didn't need to change this value, as it was set to this already)
UsePAM yes
(didn't need to change this value, as it was set to this already)
#UseDNS no
- Edit the /etc/pam.d/sshd file to add the line for pam_duo.so. Note, with Ubuntu the full path to the pam_duo.so file is needed, unlike in RHEL where just the file name is required:
vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
auth required /usr/lib64/security/pam_duo.so
- Once changes are complete (with the sshd_config file especially), restart ssh to load the changes to the configuration file. In terminal, run:
systemctl restart sshd
- if there the duo 2fa prompt does not show up during logins, try adding the following as a new ling at the end of /etc/ssh/sshd_config:
ForceCommand /usr/sbin/login_duo
- Then DO NOT EXIT out of this terminal session, but open a new session to test out ssh with your 1 account with DUO.