DUO as a second factor authentication
Description
In this post I would like to share a solution that can be used as a second factor of authentication. At the moment there are a few solutions on the market that do the same thing, but I really think that DUO is one of the best in terms of management and the value it can bring to your organization.
Explanation
– For up to 10 users the solution is free, so before deploying it to your organization you can test its functionality for free.
– Also, if you like it, you can use it to authenticate to your own important systems from home.
– I was using DUO for a few years and it works great. The integration level is very good, and now I will just explain how to use DUO as a second factor of authentication for ssh-ing into your Linux servers that are exposed to the Internet.
– You can integrate DUO with different applications. SSL VPN on Fortinet devices is another integration for DUO. For this one I spent some time trying to make it work since there is no good documentation, but in the end I succeeded. It works, and the security layer that is added to the FortiClient SSL VPN deserves any effort.
Implementation
On DUO portal
– Log in to the management console on the Duo site: https://www.duosecurity.com/ and go to Log In. If you don't have an account yet, please create one first.
– After you are logged in, go to the Integration section and add a New Integration. From the list choose UNIX Integration and add a name for it, e.g. opensshd_integration. For this new integration the following parameters will be generated:
– Integration key: the key used to authenticate to the DUO site.
– Secret key: the key used to encrypt traffic between your sshd server and DUO.
– API hostname: the hostname of the DUO server that your ssh server will ask for a token.
– As the policy for new users select -> Deny Access. Under Other -> Username normalization choose -> Simple (if not already selected).
– Documentation can be found by accessing the following link: https://www.duosecurity.com/docs/duounix
On your ssh server
It is assumed that you are running a RHEL/CentOS distribution. For Debian-like systems you have to use their specific commands.
Requirements
yum install openssl-devel
yum install pam-devel
Installation
$ wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
$ tar zxf duo_unix-latest.tar.gz
$ cd duo_unix-1.9.13 # or the name of the latest duo_unix version
$ ./configure --prefix=/usr && make && sudo make install
Configuration parameters
Edit /etc/duo/login_duo.conf and add the following lines at the bottom of the file:
[duo]
; Duo integration key. Is not real. Use your own.
ikey = BBBBBBBBBBBBBBBB
; Duo secret key – Is not real. Use your own.
skey = AAAAAAAAAAAAAAAAAAAAAAAAAAA
; Duo API host – it's generated, so you have to use the one that is provided
host = api-1111100.duosecurity.com
; Send command for Duo Push authentication
;pushinfo = yes
Test
Use the following command to test it (you have to have a registered user in the DUO portal):
$ /usr/sbin/login_duo echo 'SUCCESS!'
If you have a passcode, provide it at the prompt. If everything works fine, a SUCCESS answer will follow.
Enable it
To enable two-factor authentication for any SSH login method (password, pubkey, etc.) for any user, edit your /etc/ssh/sshd_8022_config or /etc/ssh/sshd_config file and add at the end of the configuration file:
ForceCommand /usr/sbin/login_duo
PermitTunnel no
AllowTcpForwarding no
To add an extra layer of security, you can disable root login by modifying the following line in the same configuration file:
Disable root login
#PermitRootLogin yes
to:
PermitRootLogin no
Don't forget to restart the sshd daemon.
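A small checker for the two files edited above, added here as an example and not part of the original post or of duo_unix. It parses login_duo.conf for the three keys the portal generated, refuses placeholder values like the AAAA/BBBB ones shown earlier, and warns when the file is readable by group or other (skey is a secret). For sshd_config it applies the rule from sshd_config(5) that the first value found for a keyword wins, so a PermitRootLogin yes left uncommented higher in the file silently overrides the PermitRootLogin no appended at the end. The sample file contents are constructed.

```python
"""Sanity checks for /etc/duo/login_duo.conf and /etc/ssh/sshd_config.
Added example; the sample inputs at the bottom are constructed."""
import configparser
import stat

REQUIRED_DUO_KEYS = ("ikey", "skey", "host")
# The settings the guide appends to sshd_config, keyword lowercased.
EXPECTED_SSHD = {
    "forcecommand": "/usr/sbin/login_duo",
    "permittunnel": "no",
    "allowtcpforwarding": "no",
    "permitrootlogin": "no",
}


def parse_login_duo_conf(text):
    """Return the [duo] section as a dict; ';' and '#' lines are comments."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section("duo"):
        return {}
    return dict(cp.items("duo"))


def check_login_duo_conf(text, mode):
    """Return a list of problems. `mode` is the file's st_mode
    (os.stat(path).st_mode); only the owner should be able to read it."""
    problems = []
    duo = parse_login_duo_conf(text)
    for key in REQUIRED_DUO_KEYS:
        value = duo.get(key, "")
        if not value:
            problems.append(f"{key} is missing from [duo]")
        elif len(set(value)) == 1:
            # a run of one character is the guide's placeholder, not a real key
            problems.append(f"{key} still holds a placeholder value")
    host = duo.get("host", "")
    if host and not host.endswith(".duosecurity.com"):
        problems.append(f"host {host!r} is not a duosecurity.com API hostname")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("login_duo.conf is readable by group/other; skey is a secret")
    return problems


def effective_sshd_settings(text):
    """First value wins per keyword (sshd_config(5)). Parsing stops at the
    first 'Match' line because everything after it is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)
    return settings


def check_sshd_config(text):
    """Return a list of problems with the settings the guide expects."""
    problems = []
    settings = effective_sshd_settings(text)
    for keyword, wanted in EXPECTED_SSHD.items():
        got = settings.get(keyword)
        if got is None:
            problems.append(f"{keyword} is not set (sshd default applies)")
        elif got.lower() != wanted:
            problems.append(f"{keyword} is {got!r}, expected {wanted!r} (sshd uses the first value it finds)")
    return problems


# Constructed sample inputs: a filled-in login_duo.conf, and an sshd_config
# where 'PermitRootLogin yes' was left uncommented above the appended lines.
SAMPLE_DUO_CONF = """[duo]
; Duo integration key (constructed sample, not a real key)
ikey = DIEXAMPLE0EXAMPLE0
; Duo secret key (constructed sample, not a real key)
skey = examplesecretkeyexamplesecretkeyexample
host = api-1111100.duosecurity.com
;pushinfo = yes
"""

SAMPLE_SSHD_CONFIG = """Port 8022
PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
ForceCommand /usr/sbin/login_duo
PermitTunnel no
AllowTcpForwarding no
PermitRootLogin no
"""

if __name__ == "__main__":
    print(check_login_duo_conf(SAMPLE_DUO_CONF, 0o600))
    print(check_sshd_config(SAMPLE_SSHD_CONFIG))
```

On a real server, read the files and pass os.stat("/etc/duo/login_duo.conf").st_mode as the mode; an empty list from both functions means the configuration matches what this guide sets up.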
How to use it
In this example the sshd daemon was modified to listen on TCP port 8022. If your ssh daemon is listening on the standard ssh port then you don't have to specify the port number on the command line.
ssh -l username IP_ADDRESS -p 8022
Where:
– username/password is your ssh username and password combination, which can be authenticated locally or integrated with other mechanisms like RADIUS or LDAP.
– IP_ADDRESS is your ssh server IP address.
– duo: if you have a passcode, pre-generated or generated by your phone application, it can be typed in directly, so you don't have to select any option; just type in the passcode.