DEV Community

Cover image for How to setup two factor authentication using DUO security on SSH
DiegoGo
DiegoGo

Posted on

How to setup two factor authentication using DUO security on SSH

Introduction

Two-factor authentication or two-step authentication is an important security measure that adds a second layer of protection to the password we use. Adding this extra layer of security makes it more difficult to breach user accounts. today, it is very common to find applications that use two-factor authentication.

There are several options for using 2FA:

  • A physical security key: it works like a lock.
  • Through an application: Commonly installed on a smartphone and then, when logging in, we will get a message on the device to verify our identity.
  • Verification code: this option sends a one-time numeric code, by SMS for example, or by call, which must be entered to verify identity.

Requirements

In this tutorial, we will use DUO security. Which with its free version, we will be able to register up to 10 users.

DUO free

Steps

Once the DUO account is created, we will be able to access to the dashboard and it will be shown as follows.

Dashboard

Inside the dashboard we go to "Applications" and select "Protect an Application", as follows.

Protect an Application

We are going to search "UNIX" and after that, we select "Protect".

Protect and Application

After selecting "Protect" we must save the details that are presented to us, the Integration key, Secret key and the API hostname.

UNIX Application

After that, up to the bottom, we click on "Save".

Save button

We make sure that in "Applications" we have the application that we have just saved.

Server name

Adding DUO repos security packages

Inside our server, we add the following repository on our sourcelist editing the file /etc/apt/sources.list

deb https://pkg.duosecurity.com/Debian bullseye main

We add the key

curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -

And proceed to update the repositories and install the duo-unix package

apt-get update && apt-get install duo-unix

Once duo_unix packet is installed, we proceed to edit pam_duo.conf in /etc/duo to add the integration key, secret key, and API hostname from your Duo Unix application.


[duo]
; Duo integration key
ikey = <integration key>
; Duo secret key
skey = <secret key>
; Duo API hostname
host = <api hostname>
pushinfo=yes

Configuring PAM

We are going to use our OpenSSH to use DUO, for that, you are going to set both UsePAM and ChallengeResponseAuthentication to yes in your sshd_config file at /etc/ssh/sshd_config. You should also set UseDNS to no so that PAM Duo is always passed the IP address of the connecting user, rather than the resolved hostname.


UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no

Since we are using a Debian system, the pam_duo.so module should be found in /lib64/security

root@debian11-server:~# ls -lh /lib64/security | grep duo
-rwxr-xr-x 1 root root 921 Feb 2 16:12 pam_duo.la
-rwxr-xr-x 1 root root 437K Feb 2 16:12 pam_duo.so
root@debian11-server:~#

What is PAM?

The pluggable authentication module (PAM) in a nuthshell, is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme.
https://www.linux.com/news/understanding-pam/

We proceed to configure the following file:

vim /etc/pam.d/common-auth

Before:


auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so

After:


auth [success=2 default=ignore] pam_unix.so nullok
auth sufficient /lib64/security/pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so

The location of this line and the specified control flag (e.g. "required", "requisite", "sufficient") varies. For most common configurations, place pam_duo directly after pam_unix (frequently found in common-auth or system-auth on Linux), set pam_unix's control flag to "requisite", and set pam_duo's control flag to whatever pam_unix used to be.

SSH Public Key Authentication

Now, we proceed to configure this file
vim /etc/pam.d/sshd

Before:

@include common-auth

After:


auth required pam_unix.so
auth sufficient /lib64/security/pam_duo.so
auth required pam_deny.so

Now, we restart SSH service and login again to the server.

ssh diego@<debian-server IP address>
(diego@<debian-server IP address>) Password:
Please enroll at https://api-ca19920d.duosecurity.com/portal?code=123456789&akey=abcdefghijklm
(diego@<debian-server IP address>) Password:

Enrolling with DUO link

We need to access to the enroll link and follow the steps presented on the browser.

We click "Start setup"

Start setup

We select "Mobile phone" option

Mobile

We proceed to add out phone number.

Phone number

Select our phone brand.

Brand

At this point, we need to have installed the DUO app on our smartphone, DUO app is available for iPhone and Android.

Click continue on the above step and a QR code will be presented on the screen in where you need to open the DUO app to scan it, after that, the following screen will be presented and click on "Finish Enrollment".

Finish enrollment

After the above steps, the process is done. Now, we can proceed to login again to our server, and we will be presented with the following information.

ssh diego@<debian-server IP address>
(diego@<debian-server IP address>) Password:
(diego@<debian-server IP address>) Duo two-factor login for diego
Enter a passcode or select one of the following options:
1 Duo Push to +XX XX XXXX XX95
 2 SMS passcodes to +XX XX XXXX XX95
Passcode or option (1–2):
We hit 1 to receive a push notification on our phone, and after we hit that option and accept it on our phone, we will be able to access to our device.
Passcode or option (1–2): 1
Success. Logging you in…
Success. Logging you in…
Linux debian11-server 5.10.0–11-amd64 #1 SMP Debian 5.10.92–1 (2022–01–18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Apr 23 22:52:59 2022 from x.x.x.x
diego@debian11-server:~$

And this is the way how we can setup a 2FA using DUO to login into our server via SSH.

Top comments (0)