duo_unix - Duo two-factor authentication for Unix systems
Duo provides simple two-factor authentication as a service.
This package allows an admin (or ordinary user) to quickly add Duo
authentication to any Unix login without setting up secondary user
accounts, directory synchronization, servers, or hardware.
What's here:
Simple C API for the Duo two-factor authentication service.
Login utility to add secondary Duo authentication to any login
(e.g. via sshd ForceCommand or ~/.ssh/authorized_keys command)
to augment password, pubkey, or other primary auth method.
Optional Pluggable Authentication Module for Linux, FreeBSD,
NetBSD, MacOS X, Solaris, AIX, HP-UX to add Duo authentication
system-wide (e.g. sshd, sudo, su, samba, etc.)
Build dependencies (install these first!):
OpenSSL development headers and libraries
are installed by default on *BSD and MacOS X.
Solaris, HP-UX, AIX: 3rd party packages or source build
Redhat/Fedora/CentOS: yum install openssl-devel
Debian/Ubuntu: apt-get install libssl-dev
SUSE/SLES: zypper install libopenssl-devel
Only required if building with PAM support (--with-pam below).
System PAM development headers and libraries are installed by
default on FreeBSD, NetBSD, MacOS X, Solaris, HP-UX, and AIX.
RedHat/Fedora/CentOS: yum install pam-devel
Debian/Ubuntu: apt-get install libpam-dev
SUSE/SLES: zypper install pam-devel
When compiling for SLES 11, it is reported that you need the
zlib package during compilation.
SUSE/SLES: zypper install zlib-devel
Options to ./configure:
Specify the OpenSSL directory if not found automatically.
Build PAM module, and optionally override the default install
directory (determined automatically by platform) if necessary.
Specify a different user for login_duo privilege separation -
by default, "sshd" (or "_sshd" on MacOS X).
The default path for local configuration files will be set to /etc/duo
(which can be changed by specifying --sysconfdir=DIR).
NOTE: If you're missing ./configure you accidentally downloaded the
git source tree tarball. Grab the latest tarball instead:
Then just run "make".
"make install" as root should do it.
Then run "ldconfig" as root so that your OS finds and loads the
new shared library.
login_duo will be installed setuid root by default in order to keep
the Duo integration and secret keys in your configuration files
secret. It may also be installed non-setuid manually for a user
installation with individual (vs. system-wide) configuration files.
The pam_duo module will be installed in the system PAM module location
by default (/lib/security, /usr/lib/security, /usr/lib/pam, /usr/lib
depending on platform).
If you don't have a Duo account, sign up at
From your admin account, add a new Unix integration (Integrations >
New integration) and use the integration key (ikey), secret key
(skey), and API hostname in your Duo configuration files (by default
in /etc/duo).
You do not need to create any user accounts manually - new Duo users
will be created as each user logs in and enrolls their own device.
To test your Duo configuration, run login_duo from the command line as
your target user - for the default setuid-root install:
$ login_duo -d echo YOU ROCK
For a non-setuid install:
$ ./login_duo -d -c login_duo.conf echo YOU ROCK
If your Duo integration and secret keys are valid, you will be able to
enroll and authenticate successfully, and congratulate yourself. :-)
The login_duo binary is marked setuid in order to read the protected
login_duo.conf configuration file. However, privileges are dropped
immediately after so the privileged attack surface is minimal.
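The open-then-drop pattern described above, as an added example in C (not duo_unix's own code). It assumes the process returns to the invoking user's real uid/gid rather than to a separate privilege-separation user; the function names and the default path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Accept a secrets file only if it is a regular file owned by `owner` with no
 * group/other bits. fstat() on the open fd avoids a check-then-use race. */
int open_protected_conf(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently return to the invoking user's real ids. Group first: once the
 * uid is dropped the process may no longer be allowed to change its gid. */
int drop_to_real_ids(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0 || setuid(uid) != 0 ||
        geteuid() != uid || getegid() != gid)
        return -1;
    /* If root can be regained, the drop was not permanent. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed default path; the owner must be the effective (setuid) uid. */
    const char *path = argc > 1 ? argv[1] : "./login_duo.conf";
    int fd = open_protected_conf(path, geteuid());  /* privileged step */
    if (drop_to_real_ids() != 0)
        return 2;  /* never continue with leftover privilege */
    if (fd < 0)
        return 1;
    /* From here on, parse the keys from fd as the unprivileged user. */
    close(fd);
    return 0;
}
```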
Proxy Support
Both login_duo and pam_duo (since duo_unix version 1.7) have experimental
support for the standard "http_proxy" environment variable (honored by
wget, curl, etc.).
You can have this set by adding the http_proxy variable to your login_duo.conf
file, in the following format:
Additional duo_unix documentation is available here:
Report any bugs, feature requests, etc. here:
Have fun!