DUO with AD on Ubuntu 20-22

Summary

duo setup for LSA AD joined linux hosts

Body

Summary

This article discusses how to enable Duo 2FA on Ubuntu.

Environment

Duo on Ubuntu

Directions

  1. Request your DUO keys from ITS first, then once you have them, you can get started.
  2. Create /etc/apt/sources.list.d/duosecurity.list: vim /etc/apt/sources.list.d/duosecurity.list
  3. Add the following contents:
    • For Ubuntu 20.04: deb [arch=amd64] https://pkg.duosecurity.com/Ubuntu focal main
    • For Ubuntu 22.04: deb [arch=amd64] https://pkg.duosecurity.com/Ubuntu jammy main
  4. Execute the following shell commands (the apt-get install command installs both the duo-unix package and the ssh package):
    curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -
    apt-get update && apt-get install duo-unix
  5. Duo Configuration, once duo_unix is installed, edit login_duo.conf and pam_duo.conf (in /etc/duo or /etc/security) to add the integration key, secret key, and API hostname from your Duo Unix application:
    vim /etc/duo/login_duo.conf /etc/duo/pam_duo.conf

The updated /etc/duo/login_duo.conf should look like the following (key values replaced with XXXXXXX in this document):

[duo]
; Duo integration key
ikey = XXXXXXXX
; Duo secret key
skey = XXXXXXXX
; Duo API host
host = XXXXXXXX
groups = umroot-users
; `failmode = safe` In the event of errors with this configuration file or connection to the Duo service
; this mode will allow login without 2FA.
; `failmode = secure` This mode will deny access in the above cases. Misconfigurations with this setting
; enabled may result in you being locked out of your system.
failmode = safe
; Send command for Duo Push authentication
;pushinfo = yes

The updated /etc/duo/pam_duo.conf should look like the following (key values replaced with XXXXXXX in this document):

[duo]
; Duo integration key
ikey = XXXXXXX
; Duo secret key
skey = XXXXXXX 
; Duo API host
host = XXXXXXXX
groups = umroot-users
; `failmode = safe` In the event of errors with this configuration file or connection to the Duo service
; this mode will allow login without 2FA.
; `failmode = secure` This mode will deny access in the above cases. Misconfigurations with this setting
; enabled may result in you being locked out of your system.
  1. Edit the /etc/ssh/sshd_config file to change ChallengeResponseAuthentication to yes, and UsePAM is yes, and UseDNS is no: vim /etc/ssh/sshd_config

# Change to yes to enable challenge-response passwords (beware issues with some PAM modules and threads)
ChallengeResponseAuthentication yes

(sometimes will be uncommented by default)
#KbdInteractiveAuthentication no

(didn't need to change this value, as it was set to this already)
UsePAM yes

(didn't need to change this value, as it was set to this already)
#UseDNS no

  1. Edit the /etc/pam.d/sshd file to add the line for pam_duo.so. Note, with Ubuntu the full path to the pam_duo.so file is needed, unlike in RHEL where just the file name is required: vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
auth required /usr/lib64/security/pam_duo.so
  1. Once changes are complete (with the sshd_config file especially), restart ssh to load the changes to the configuration file. In terminal, run: systemctl restart sshd
  2. if there the duo 2fa prompt does not show up during logins, try adding the following as a new ling at the end of /etc/ssh/sshd_config: ForceCommand /usr/sbin/login_duo
  3. Then DO NOT EXIT out of this terminal session, but open a new session to test out ssh with your 1 account with DUO.

Details

Details

Article ID: 9914
Created
Thu 3/23/23 2:55 PM
Modified
Wed 4/10/24 8:21 AM