flug_m/duo_unix

Project ID: 41827

Description

Duo unix module

Duo provides code to integrate multi factor into login as a PAM module. This package provides an automated build for the package, and doesn't modify the code in between.

Link to project: duo_unix
Support documentation: support
Spec file: spec

Reason for this project

The source maintainers do not provide an RPM spec file, nor do they provide a source package that is compatible with a Fedora installation (they work with RHEL 8 though). I have adapted another user's spec file to create a working build of the latest release on fedora. Other repositories/builds reference older versions of code that were not preferable for my environment.

Installation Instructions

Install from repository

  1. Enable the repository: dnf copr enable flug_m/duo_unix
  2. Install the package: dnf install duo_unix

Configuration

  1. Edit the file /etc/duo/pam_duo.conf with the appropriate settings from your DUO administration. During initial testing, I recommend that you leave failsafe=safe until you have worked out all the bugs.

  2. in /etc/ssh/sshd_config Make the following changes (and restart sshd): ChallengeResponseAuthentication yes

  3. Finally, we need change the PAM substack for the sshd service to work with duo. See Notes section for caveat to this approach.

    a. in the /etc/pam.d/ folder, copy password-auth to password-with-duo-auth

    b. Find and modify the following line:
    auth sufficient pam_unix.so .... #old line
    auth [default=1 ignore=ignore success=ok] pam_unix.so ... #new line - preserve all options on the line

    c. Immediately after that line add this line, and save the changes:
    auth sufficient pam_duo.so

    d. in the file /etc/pam.d/sshd change the first line from auth substack password-auth to auth substack password-with-duo-auth

  4. Test your changes before you give up the root access.

Additional Notes

  • I've only provided instructions for modifying SSH logins. You could follow similar procedures to modify console logins, but I do not provide the instructions for that in this project.
  • Please note that SSH keys do not utilize the PAM auth stack, and thus, SSH keys will not utilize duo 2FA. You could create a more complex login scenario by instructing sshd to require multiple login methods, but that again is beyond the scope of my instructions.
  • I have technically shortcutted the authselect sssd profile. If you decide to pull in additional features in authselect (such as mkhomedir), you'll find that feature not working for ssh logins to your system. While you could simply redo step 3 and 4 above to pull in the new authselect features, perhaps the proper way is to clone the sssd profile, write in duo feature properly to the profile, and instruct authselect to use that profile. However, this approach would apply the duo PAM module to other services, such as cockpit, which may be undesirable.

Active Releases

The following unofficial repositories are provided as-is by owner of this project. Contact the owner directly for bugs or issues (IE: not bugzilla).

Release Architectures Repo Download
Fedora 37 x86_64 (830)* Fedora 37 (0 downloads)
Fedora 38 x86_64 (437)* Fedora 38 (10 downloads)
Fedora 39 x86_64 (197)* Fedora 39 (7 downloads)
Fedora 40 x86_64 (0)* Fedora 40 (0 downloads)
Fedora rawhide x86_64 (811)* Fedora rawhide (32 downloads)

* Total number of packages downloaded in the last seven days.