{"id":2046,"date":"2016-01-16T17:23:28","date_gmt":"2016-01-16T17:23:28","guid":{"rendered":"http:\/\/emtunc.org\/blog\/?p=2046"},"modified":"2017-02-24T15:09:20","modified_gmt":"2017-02-24T15:09:20","slug":"setting-duo-security-ubuntu-server-2fa","status":"publish","type":"post","link":"https:\/\/emtunc.org\/blog\/01\/2016\/setting-duo-security-ubuntu-server-2fa\/","title":{"rendered":"Setting up Duo Security with Ubuntu Server for 2FA"},"content":{"rendered":"

In this article I will go through the steps required to install and configure Duo Security with Ubuntu Server for two factor authentication. This can be adapted to apply to SSH log-ons, sudo access, etc. The Linux PAM (pluggable authentication modules) make this easy to implement and customise.<\/p>\n

I currently have this implemented on my Ubuntu 14.04 x64 LTS Server and it works really well.<\/p>\n

<\/p>\n

Prerequisites<\/h3>\n

We need to add the Duo Security repository to your sources, import the GPG key, refresh the apt-get cache then install the duo-unix package.
\nNote: Replace\u00a0trusty<\/em> with\u00a0precise<\/em> if you’re running Ubuntu 12.04<\/p>\n

echo 'deb http:\/\/pkg.duosecurity.com\/Ubuntu trusty main' | sudo tee \/etc\/apt\/sources.list.d\/duosecurity.list\r\ncurl -s https:\/\/duo.com\/APT-GPG-KEY-DUO | sudo apt-key add -\r\nsudo apt-get update\r\nsudo apt-get install duo-unix<\/pre>\n
Now we need to run through a few pages on the Duo website to get the integration keys.<\/p>\n
    \n
  1. Log-in to the Duo Security admin page<\/a><\/li>\n
  2. Click Applications –> Protect an Application
    \n    \"2016-01-16
    \n<\/a><\/li>\n
  3. Scroll down to\u00a0Unix Application<\/strong> and click\u00a0Protect this Application<\/strong><\/li>\n
  4. Make a note of your integration key, secret key and API hostname.<\/li>\n<\/ol>\n
    Configuration<\/h3>\n
    First we’ll need to\u00a0edit the pam_duo.conf file and plug in your integration\u00a0key, secret key and api hostname.
    \nNote: there are more options available     here<\/a>\u00a0– for example defining what you want to happen if the Duo Security servers are unavailable (by default it will bypass 2FA but you can force it to deny log-on).<\/p>\n
    sudo nano \/etc\/duo\/pam_duo.conf<\/pre>\n
    Now we want to edit the PAM common-auth file to\u00a0require 2FA from the pam_duo.so module.<\/p>\n
    sudo nano \/etc\/pam.d\/common-auth<\/pre>\n
    Your config should look like the below – note that I took out the comments so that it is easier to read.<\/p>\n
    auth requisite pam_unix.so nullok_secure\r\nauth [success=1 default=ignore] \/lib64\/security\/pam_duo.so\r\nauth requisite pam_deny.so\r\nauth required pam_permit.so\r\nauth optional pam_cap.so<\/pre>\n
     <\/p>\n
    \"2016-01-16<\/a><\/p>\n
    sudo nano \/etc\/ssh\/sshd_config\r\n\r\n<\/pre>\n
    Set the following variables:<\/p>\n
    ChallengeResponseAuthentication yes\r\nUsePAM yes\r\nUseDNS no<\/pre>\n
    A few more steps for public key authentication<\/h3>\n
    If you’re using public key authentication then set the following variables in sshd_config:<\/p>\n
    PubkeyAuthentication yes\r\nPasswordAuthentication no\r\nAuthenticationMethods publickey,keyboard-interactive<\/pre>\n
    Also you need to make some changes in the pam.d\/sshd config<\/p>\n
    sudo nano \/etc\/pam.d\/sshd\r\n<\/pre>\n
    You need to comment out and add the following lines:<\/p>\n
    #@include common-auth\r\nauth [success=1 default=ignore] \/lib64\/security\/pam_duo.so\r\nauth requisite pam_deny.so\r\nauth required pam_permit.so\r\nauth optional pam_cap.so<\/pre>\n
    It should look like this:<\/p>\n
    \"2016-01-16<\/a><\/p>\n
    Final thoughts…<\/h3>\n
    By default you will be prompted for 2FA on log-on (obviously). By default you will also be prompted for 2FA when you run sudo – everytime. If you don’t want this to happen then have a look at the\u00a0\/etc\/pam.d\/<\/strong> directory.<\/p>\n
    Here you will find\u00a0PAM\u00a0authentication tasks<\/em>. You will find one for sudo. If you edit that file to look like the below, you will only be prompted for your password\u00a0and not 2FA.<\/p>\n
    Again it all depends on your environment and how you want things set-up vs convenience vs security.<\/p>\n
    \"2016-01-16<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    In this article I will go through the steps required to install and configure Duo Security with Ubuntu Server for two factor authentication. This can be adapted to apply to SSH log-ons, sudo access, etc. The Linux PAM (pluggable authentication modules) make this easy to implement and customise. I currently have this implemented on my […]<\/p>\n","protected":false},"author":32,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[1],"tags":[118,127,214],"class_list":["post-2046","post","type-post","status-publish","format-standard","hentry","category-tech","tag-2fa","tag-duosecurity","tag-ubuntu"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1trTO-x0","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/2046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/comments?post=2046"}],"version-history":[{"count":22,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/2046\/revisions"}],"predecessor-version":[{"id":2474,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/2046\/revisions\/2474"}],"wp:attachment":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/media?parent=2046"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/categories?post=2046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/tags?post=2046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}