SYNOPSISpam_duo.so [conf= Aq FILENAME ]
DESCRIPTIONprovides secondary authentication (typically after successful password-based authentication) through the Duo authentication service.
OPTIONSPAM module configuration options supported:
- Specify an alternate configuration file to load. Default is /etc/duo/pam_duo.conf
- Debug mode; send log messages to stderr instead of syslog.
CONFIGURATIONThe INI-format configuration file must have a ``duo '' section with the following options:
- Duo API host (required).
- Duo integration key (required).
- Duo secret key (required).
- If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern-lists (see Sx PATTERNS below).
- On service or configuration errors that prevent Duo authentication, fail ``safe '' (allow access) or ``secure '' (deny access). Default is ``safe ''
- Send command to be approved via Duo Push authentication. Default is ``no ''
- Use the specified HTTP proxy, same format as the HTTP_PROXY environment variable.
- Automatically send a login request to the first factor (usually push), instead of prompting the user. Default is "no".
- Set the maxiumum number of prompts pam_duo will show before denying access. Default is 3.
- If unable to detect the authorizing user's IP address, fallback on the server's IP. Default is "no".
An example configuration file:
[duo] host = api-deadbeef.duosecurity.com ikey = SI9F...53RI skey = 4MjR...Q2NmRiM2Q1Y pushinfo = yes autopush = yes
Other authentication restrictions may be implemented using pam_listfile8, pam_access8, etc.
PATTERNSA pattern consists of zero or more non-whitespace characters, `*' (a wildcard that matches zero or more characters), or `?' (a wildcard that matches exactly one character).
A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark (`!' ) For example, to specify Duo authentication for all users (except those that are also admins), and for guests:
groups = users,!wheel,!*admin guests
- Default configuration file path
AUTHORSwas written by An Duo Security Aq [email protected]
NOTESWhen used with OpenSSH's sshd(8), only PAM-based authentication can be protected with this module; pubkey authentication bypasses PAM entirely. OpenSSH's PAM integration also does not honor an interactive pam_conv3 conversation, prohibiting real-time Duo status messages (such as during voice callback).