You are currently viewing Duo 2FA for SSH to Ubuntu Server
Photo by Pixabay on

Duo 2FA for SSH to Ubuntu Server

In this demonstration, we will configure Duo two-factor authentication for Ubuntu servers.

Lab Set-up

  • Ubuntu Server 18.04.4 (Bionic)
  • Duo account

Add Local User Accounts

  • If you have multiple user accounts that require access to the servers, create these users before adding Duo. These users will also need to be added to Duo too.
sudo adduser <name>

<Follow the instructions when shown>

Configure Duo

  • Access Duo and select Applications > Protect an Application and search ‘UNIX Application‘ and click ‘Protect
  • (Optional) Create any relevant policies for the new application
  • Make a note of the following information as it will be required later:
    • Integration key
    • Secret key (Do not share)
    • API hostname

Install Ubuntu Linux Packages

  • Access the CLI of the Ubuntu system and enter the following commands. These will be used to install the Duo linux package.
nano /etc/apt/sources.list.d/duosecurity.list
deb [arch=amd64] bionic main
  • Save and exit the editor
  • On the CLI, execute the following commands
curl -s | sudo apt-key add -
apt-get update && apt-get install duo-unix
  • The Duo Unix package is now installed.

Configure the pam_duo.conf File

To configure the pam_duo.conf file enter the following commands.

nano /etc/duo/pam_duo.conf

; Duo integration key
ikey = <Enter your integration key>
; Duo secret key
skey = <Enter your secret key>
; Duo API host
host = <Enter your API host>
failmode = safe

; Send command for Duo Push authentication
pushinfo = yes
autopush = yes

  • Save and exit the editor

For more information on Duo configuration file options click here.

Configure Public Key Authentication for Ubuntu Server in SSHD and Configure PAM

Enter the following commands.

Note: If you don’t want to configure public key authentication then ignore the last three commands.

nano /etc/ssh/sshd_config

ChallengeResponseAuthentication yes
UsePAM yes
UseDNS no

PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
  • Exit the editor and restart the sshd service by issuing the following command.
sudo systemctl restart sshd

Navigate to the pam.d common-auth and ensure that the following 4 auth fields are configured. Comment out anything else that is not already commented out.

In the configuration below, I have commented out with an #, the fields that were not required for this build.

nano /etc/pam.d/common-auth

# auth  [success=1 default=ignore] nullok_secure
# auth  optional              

auth    requisite              nullok_secure
auth    [success=1 default=ignore]      /lib64/security/
auth    requisite             
auth    required              

  • Save and exit the editor.

If using public-key authentication add the following commands.

Note: If you are not using public-key authentication but configure the following parameters you may experience strange behaviour when unenrolled users attempt to log in.

nano /etc/pam.d/sshd

auth  [success=1 default=ignore] /lib64/security/
auth  requisite
auth  required


Duo should now be successfully configured for 2FA. Without closing the currently open terminal proceed with the following tests.

  • Create a new SSH session to your Ubuntu server
  • Enter the username of the user. This user can be fully enrolled or partially enrolled into Duo
  • Users that are fully enrolled will be automatically prompted to complete 2FA. However, users that are not yet fully enrolled into Duo will be prompted to enrol as shown in the screenshot below

Additional Information

If you experience multiple interactive keyboard sessions when trying to access the server and you aren’t using PKI with unenrolled users then you may have to check that you haven’t configured the public-key configurations.



Kelvin is a Cyber Security professional with years and experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and academically, he has achieved a Bachelors and Master's degree in both Computer Networks and Cyber Security.

Leave a Reply