Setup
wget --content-disposition https://dl.duosecurity.com/duo_unix-latest.tar.gz
tar zxf duo_unix-latest.tar.gz
cd duo_unix-2.0.3
./configure --prefix=/usr && make && sudo make install
The login_duo.conf configuration file uses the INI format.
Once duo_unix is installed, edit login_duo.conf (in /etc/duo or /etc/security) to add the integration key, secret key, and API hostname from your Duo Unix application.
You may also add optional Duo configuration options to login_duo.conf. See the table below for all available settings.
[duo]
; Duo integration key
ikey = INTEGRATION_KEY
; Duo secret key
skey = SECRET_KEY
; Duo API hostname
host = API_HOSTNAME
; HTTP proxy used to reach the Duo service (example value; set your own proxy or remove this line)
http_proxy = 1.1.1.1
; `failmode = safe`: if there are errors with this configuration file or the connection to the
; Duo service, this mode allows login without 2FA.
; `failmode = secure`: this mode denies access in the above cases. A misconfiguration with this
; setting enabled may lock you out of your system.
failmode = safe
; Send command for Duo Push authentication
;pushinfo = yes
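A preflight check for the file above, as an added example (not part of Duo Unix or of the original page). The function names duo_conf_get and duo_conf_check are hypothetical, and the rule that group and other get no access to the file is this example's assumption, made because the file holds skey.

```shell
# Added example: preflight check for login_duo.conf (function names are hypothetical).
duo_conf_get() {  # usage: duo_conf_get FILE KEY -> value from the [duo] section
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                                   # comment line
        /^[ \t]*\[/   { in_duo = ($0 ~ /^[ \t]*\[duo\]/); next } # section header
        in_duo && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

duo_conf_check() {  # usage: duo_conf_check FILE -> exit status 0 when no ERROR was found
    conf=$1; problems=0
    for key in ikey skey host; do
        case $(duo_conf_get "$conf" "$key") in
            ''|INTEGRATION_KEY|SECRET_KEY|API_HOSTNAME)
                echo "ERROR: $key is missing or still the placeholder"
                problems=$((problems + 1)) ;;
        esac
    done
    failmode=$(duo_conf_get "$conf" failmode)
    case $failmode in
        safe)   echo "NOTE: failmode=safe allows login without 2FA when Duo cannot be reached" ;;
        secure) echo "NOTE: failmode=secure denies login on errors; keep a root session open" ;;
        '')     echo "NOTE: failmode is not set; state it explicitly" ;;
        *)      echo "ERROR: failmode must be safe or secure, got '$failmode'"
                problems=$((problems + 1)) ;;
    esac
    # Assumption of this example: the file holds skey, so group/other get no access.
    perms=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case $perms in
        *00) ;;
        *)  echo "ERROR: $conf has mode $perms; restrict it (for example chmod 600)"
            problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# Constructed sample (not real credentials): ikey is left as the template placeholder.
sample=$(mktemp)
printf '[duo]\nikey = INTEGRATION_KEY\nskey = constructed-secret\nhost = api-constructed.invalid\nfailmode = safe\n' > "$sample"
chmod 600 "$sample"
duo_conf_check "$sample" || echo "=> fix the ERROR lines before enabling ForceCommand"
rm -f "$sample"
```

To check a real installation, call duo_conf_check with the path to your login_duo.conf as a user who can read it.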
Test login_duo
As a regular user, test login_duo manually by running:
/usr/sbin/login_duo
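To enable two-factor authentication for any SSH login method (password, pubkey, etc.), edit your sshd_config (usually in /etc or /etc/ssh) to add the following lines. As written, the Match line applies them to members of the "domain users" group; without the Match line, the same directives apply to any user. A Match block runs until the next Match line or the end of the file, so place it at the end of sshd_config.
Match Group "domain users"
    ForceCommand /usr/sbin/login_duo
    PermitTunnel no
    AllowTcpForwarding no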
For more information, refer to the Cisco Duo site.