Setting up Duo Security with Ubuntu Server for 2FA

In this article I will go through the steps required to install and configure Duo Security with Ubuntu Server for two factor authentication. This can be adapted to apply to SSH log-ons, sudo access, etc. The Linux PAM (pluggable authentication modules) make this easy to implement and customise.

I currently have this implemented on my Ubuntu 14.04 x64 LTS Server and it works really well.

Prerequisites

First add the Duo Security repository to your apt sources, import its GPG signing key, refresh the apt-get cache and then install the duo-unix package.
Note: replace trusty with precise if you're running Ubuntu 12.04.

Now we need to run through a few pages on the Duo website to get the integration keys.

  1. Log in to the Duo Security admin page
  2. Click Applications -> Protect an Application
  3. Scroll down to Unix Application and click Protect this Application
  4. Make a note of your integration key, secret key and API hostname.

Configuration

First we'll need to edit the pam_duo.conf file and plug in your integration key, secret key and API hostname.
Note: there are more options available here, for example defining what should happen if the Duo Security servers are unavailable (by default it will bypass 2FA, but you can force it to deny log-on instead).

Now we want to edit the PAM common-auth file to require 2FA from the pam_duo.so module.

Your config should look like the below. Note that I took out the comments so that it is easier to read.

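As an added example (not from the post and not Duo's own tooling), here is a small Python audit of the two files just discussed: it flags a pam_duo.conf that still has the default fail-open behaviour, and a PAM auth stack in which pam_duo.so is not immediately backed by pam_deny.so. The sample configs are constructed; the option names ikey, skey, host and failmode are Duo's documented ones.

```python
import configparser
# Constructed sample pam_duo.conf. The option names (ikey, skey, host, failmode)
# are Duo's real ones; the values are placeholders, not real credentials.
SAMPLE_PAM_DUO_CONF = """\
[duo]
ikey = <integration-key-placeholder>
skey = <secret-key-placeholder>
host = <api-hostname-placeholder>
"""
# Constructed common-auth stack, comments stripped as in the post: password first,
# then Duo, with pam_deny right after pam_duo so a failed check cannot fall through.
SAMPLE_COMMON_AUTH = """\
auth requisite pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
"""
def audit_pam_duo_conf(text):
    """Return findings for a pam_duo.conf; an empty list means no issues."""
    findings = []
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if "duo" not in cp:
        return ["no [duo] section found"]
    duo = cp["duo"]
    for key in ("ikey", "skey", "host"):
        if not duo.get(key, "").strip():
            findings.append(f"{key} is missing")
    # Default failmode is 'safe' (bypass 2FA when Duo is unreachable); the post
    # notes you can force a deny instead, which is failmode = secure.
    failmode = duo.get("failmode", "safe").strip().lower()
    if failmode != "secure":
        findings.append(f"failmode is '{failmode}': 2FA is bypassed if Duo is down")
    return findings

def audit_auth_stack(text):
    """Check that pam_duo.so is present and immediately backed by pam_deny.so."""
    modules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue  # skips blanks, comments and non-auth stanzas
        modules.append(next((f for f in fields[1:] if f.endswith(".so")), ""))
    if "pam_duo.so" not in modules:
        return ["pam_duo.so is not in the auth stack"]
    i = modules.index("pam_duo.so")
    if i + 1 >= len(modules) or modules[i + 1] != "pam_deny.so":
        return ["pam_duo.so is not followed by pam_deny.so: a failed Duo check falls through"]
    return []
```

Run the two functions over the real /etc/duo/pam_duo.conf and /etc/pam.d/common-auth contents to check a live host the same way.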

Set the following variables:

A few more steps for public key authentication

If you’re using public key authentication then set the following variables in sshd_config:

You also need to make some changes to the pam.d/sshd config.

You need to comment out the existing lines and add the following ones:

It should look like this:


Final thoughts…

By default you will be prompted for 2FA on log-on (obviously). By default you will also be prompted for 2FA every time you run sudo. If you don't want this to happen, have a look at the /etc/pam.d/ directory.

Here you will find the PAM configuration for each authentication task, including one for sudo. If you edit that file to look like the below, you will only be prompted for your password and not for 2FA.

Again, it all depends on your environment and the balance you want between convenience and security.
