Duo 2FA for SSH to Ubuntu Server

Photo by Pixabay on Pexels.com

In this demonstration, we will configure Duo two-factor authentication for Ubuntu servers.

Lab Set-up

  • Ubuntu Server 18.04.4 (Bionic)
  • Duo account

Add Local User Accounts

  • If you have multiple user accounts that require access to the servers, create these users before adding Duo. These users will also need to be added to Duo too.
sudo adduser <name>

<Follow the instructions when shown>

Configure Duo

  • Access Duo and select Applications > Protect an Application and search ‘UNIX Application‘ and click ‘Protect
  • (Optional) Create any relevant policies for the new application
  • Make a note of the following information as it will be required later:
    • Integration key
    • Secret key (Do not share)
    • API hostname

Install Ubuntu Linux Packages

  • Access the CLI of the Ubuntu system and enter the following commands. These will be used to install the Duo linux package.
nano /etc/apt/sources.list.d/duosecurity.list
deb [arch=amd64] https://pkg.duosecurity.com/Ubuntu bionic main
  • Save and exit the editor
  • On the CLI, execute the following commands
curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -
apt-get update && apt-get install duo-unix
  • The Duo Unix package is now installed.

Configure the pam_duo.conf File

To configure the pam_duo.conf file enter the following commands.

nano /etc/duo/pam_duo.conf

[duo]
; Duo integration key
ikey = <Enter your integration key>
; Duo secret key
skey = <Enter your secret key>
; Duo API host
host = <Enter your API host>
failmode = safe

; Send command for Duo Push authentication
pushinfo = yes
autopush = yes

  • Save and exit the editor

For more information on Duo configuration file options click here.

Configure Public Key Authentication for Ubuntu Server in SSHD and Configure PAM

Enter the following commands.

Note: If you don’t want to configure public key authentication then ignore the last three commands.

nano /etc/ssh/sshd_config


ChallengeResponseAuthentication yes
UsePAM yes
UseDNS no

PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
  • Exit the editor and restart the sshd service by issuing the following command.
sudo systemctl restart sshd

Navigate to the pam.d common-auth and ensure that the following 4 auth fields are configured. Comment out anything else that is not already commented out.

In the configuration below, I have commented out with an #, the fields that were not required for this build.

nano /etc/pam.d/common-auth

# auth  [success=1 default=ignore] pam_unix.so nullok_secure
# auth  optional                        pam_cap.so

auth    requisite                       pam_unix.so nullok_secure
auth    [success=1 default=ignore]      /lib64/security/pam_duo.so
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so


  • Save and exit the editor.

If using public-key authentication add the following commands.

Note: If you are not using public-key authentication but configure the following parameters you may experience strange behaviour when unenrolled users attempt to log in.

nano /etc/pam.d/sshd

auth  [success=1 default=ignore] /lib64/security/pam_duo.so
auth  requisite pam_deny.so
auth  required pam_permit.so

Testing

Duo should now be successfully configured for 2FA. Without closing the currently open terminal proceed with the following tests.

  • Create a new SSH session to your Ubuntu server
  • Enter the username of the user. This user can be fully enrolled or partially enrolled into Duo
  • Users that are fully enrolled will be automatically prompted to complete 2FA. However, users that are not yet fully enrolled into Duo will be prompted to enrol as shown in the screenshot below

Additional Information

If you experience multiple interactive keyboard sessions when trying to access the server and you aren’t using PKI with unenrolled users then you may have to check that you haven’t configured the public-key configurations.

Links

https://duo.com/docs/duounix

https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-ubuntu-1804

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: