Summary
This article discusses how to enable Duo 2FA on Ubuntu.
Caution: Upgrading Ubuntu from 20.04 to 22.04 can break Duo Unix.
Upgrading from 20.04 to 22.04 with do-release-upgrade requires use of the --allow-third-party flag. Without this flag do-release-upgrade disables third-party libraries, including those used by Duo Unix. This could prevent logging in after upgrading.
Please see the Duo Knowledge Base article "How do I upgrade Ubuntu from version 20.04 to 22.04 with Duo Unix installed?" for more information, including recovery steps if you have already performed the upgrade without allowing third-party libraries.
Environment
Ubuntu 22.04 and 24.04.
Directions
- Request your DUO keys from ITS first; once you have them, you can get started.
- Get the GPG key:
curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo gpg --dearmor -o /etc/apt/keyrings/duo.gpg
- Fix the permissions on the keyring you just wrote (same path as above):
sudo chmod 644 /etc/apt/keyrings/duo.gpg
- Populate /etc/apt/sources.list.d/duo.sources:
Types: deb
URIs: https://pkg.duosecurity.com/Ubuntu
Suites: suite_name
Components: main
Signed-By: /etc/apt/keyrings/duo.gpg
The Suites: field should be jammy for Ubuntu 22.04 or noble for Ubuntu 24.04.
- Install the relevant packages:
sudo apt-get update && sudo apt-get install duo-unix
- Configure Duo: once Duo Unix is installed, edit login_duo.conf and pam_duo.conf (in /etc/duo or /etc/security) to add the integration key, secret key, and API hostname from your Duo Unix application:
sudo vim /etc/duo/login_duo.conf /etc/duo/pam_duo.conf
The updated /etc/duo/login_duo.conf should look like the following (key values replaced with XXXXXXX in this document):
[duo]
; Duo integration key
ikey = XXXXXXXX
; Duo secret key
skey = XXXXXXXX
; Duo API host
host = XXXXXXXX
groups = umroot-users
; `failmode = safe` In the event of errors with this configuration file or connection to the Duo service
; this mode will allow login without 2FA.
; `failmode = secure` This mode will deny access in the above cases. Misconfigurations with this setting
; enabled may result in you being locked out of your system.
failmode = safe
; Send command for Duo Push authentication
;pushinfo = yes
The updated /etc/duo/pam_duo.conf should look like the following (key values replaced with XXXXXXX in this document):
[duo]
; Duo integration key
ikey = XXXXXXX
; Duo secret key
skey = XXXXXXX
; Duo API host
host = XXXXXXXX
groups = umroot-users
; `failmode = safe` In the event of errors with this configuration file or connection to the Duo service
; this mode will allow login without 2FA.
; `failmode = secure` This mode will deny access in the above cases. Misconfigurations with this setting
; enabled may result in you being locked out of your system.
- Edit the /etc/ssh/sshd_config file so that ChallengeResponseAuthentication is yes, UsePAM is yes, and UseDNS is no:
sudo vim /etc/ssh/sshd_config
# Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
ChallengeResponseAuthentication yes
(On Ubuntu 22.04 and above, KbdInteractiveAuthentication appears in place of ChallengeResponseAuthentication and should already be set to yes by default)
KbdInteractiveAuthentication yes
(No change needed; this value is already set)
UsePAM yes
(No change needed; this value is already set)
#UseDNS no
(Shown commented out because no is already sshd's default; uncomment it only if UseDNS is set to yes elsewhere in your configuration)
- Edit the /etc/pam.d/sshd file to add the line for pam_duo.so. Note that on Ubuntu the full path to the pam_duo.so file is needed, unlike on RHEL, where just the file name is required. Add it underneath the @include common-auth line:
sudo vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
#Call the DUO Module
#Reference the /etc/duo/pam_duo.conf file for a list of Included/Excluded users
auth required /usr/lib64/security/pam_duo.so
- Once the changes are complete (especially those to the sshd_config file), restart the sshd service so it loads the new configuration. In a terminal, run:
sudo systemctl restart sshd
- Finally, DO NOT EXIT this terminal session; instead, open a new terminal session and test the DUO configuration over ssh using your 1 account. This keeps an admin session open so you can troubleshoot if something was misconfigured.
- If the DUO 2FA prompt does not show up during the login process, try adding the following as a new line at the end of /etc/ssh/sshd_config:
ForceCommand /usr/sbin/login_duo
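Before restarting sshd (the step where a typo locks you out), it helps to check the three files edited above against what the steps require. The script below is an added example for this article, not part of it or of the duo_unix package; the function names and the demo values written by write_demo are constructed, and the check reads only the keywords this article sets.

```sh
#!/bin/sh
# Added pre-restart sanity check for the Duo Unix steps above. It is not part of the
# original article or of the duo_unix package; function names and demo values are ours.

# sshd_value FILE KEY: value of the first uncommented KEY line. sshd itself uses the
# first occurrence of a keyword, so a later duplicate is ignored here as well.
sshd_value() {
    awk -v key="$2" 'BEGIN { key = tolower(key) }
        $1 !~ /^#/ && tolower($1) == key && !seen { print $2; seen = 1 }' "$1"
}

# ini_value FILE KEY: value of "key = value" in login_duo/pam_duo .conf, skipping ';' comments.
ini_value() {
    awk -F= -v key="$2" '$0 !~ /^[ \t]*;/ { k = $1; gsub(/[ \t]/, "", k)
        if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }' "$1"
}

# pam_has_duo FILE: succeeds only if an uncommented auth line loads pam_duo.so.
pam_has_duo() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite|sufficient)[[:space:]]+[^[:space:]]*pam_duo\.so' "$1"
}

# check_duo_setup SSHD_CONFIG PAM_SSHD PAM_DUO_CONF: prints each problem found and
# returns their count, so 0 means the files match the steps in this article.
check_duo_setup() {
    problems=0
    for kv in KbdInteractiveAuthentication=yes UsePAM=yes; do
        got=$(sshd_value "$1" "${kv%%=*}")
        [ "$got" = "${kv#*=}" ] || { echo "$1: ${kv%%=*} is '${got:-unset}', want ${kv#*=}"; problems=$((problems + 1)); }
    done
    pam_has_duo "$2" || { echo "$2: no active 'auth required .../pam_duo.so' line"; problems=$((problems + 1)); }
    for key in ikey skey host; do
        case "$(ini_value "$3" "$key")" in
            ""|X*) echo "$3: $key is empty or still the XXXXXXX placeholder"; problems=$((problems + 1)) ;;
        esac
    done
    # failmode=secure is a valid choice, but it also turns a Duo outage into an SSH lockout.
    [ "$(ini_value "$3" failmode)" = secure ] && echo "$3: failmode=secure, Duo outages will deny SSH logins"
    return "$problems"
}

# write_demo DIR: constructed sample files (not from any real host) so the check runs offline.
write_demo() {
    mkdir -p "$1"
    printf '# Change to yes to enable challenge-response passwords\nKbdInteractiveAuthentication yes\nUsePAM yes\n#UseDNS no\n' > "$1/sshd_config"
    printf '@include common-auth\n#Call the DUO Module\nauth required /usr/lib64/security/pam_duo.so\n' > "$1/pam_sshd"
    printf '[duo]\n; constructed demo values\nikey = DIEXAMPLE0000000000\nskey = example-secret-not-real\nhost = api-example.duosecurity.com\nfailmode = safe\n' > "$1/pam_duo.conf"
}
```

On a real host, run check_duo_setup /etc/ssh/sshd_config /etc/pam.d/sshd /etc/duo/pam_duo.conf and, once it reports nothing, sudo sshd -t to let sshd validate the syntax before the restart.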
Notes
See the "Duo Unix - Two-Factor Authentication for SSH with PAM Support (pam_duo)" article for more information.