These instructions explain how to install Duo on a stock system. The Information Security Office (ISO) encourages you to share advanced configurations with the Stanford Linux users community.
Installation instructions
- Before you install Duo, create a verified recoverable backup of the server (strongly recommended).
- Obtain your API keys (integration key and secret key) and Duo API hostname, which you need to integrate with the Stanford University Duo installation. You can either generate the keys and hostname yourself or submit a request for them.
- To generate the keys and hostname yourself:
- Authenticate yourself via Kerberos (i.e., kinit) if you have not already done so.
- Install wallet if you have not already done so. For instructions, see Keytabs and Wallet.
- Run the following command, where "yourcomputer.stanford.edu" is replaced with the fully qualified domain name of the node:
wallet get duo-pam yourcomputer.stanford.edu
[duo]
ikey = aq1sw2de3fr4gt5hy6ju7ki8lo9
skey = 1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik
host = api-123456789.duosecurity.com
- If you cannot generate the keys and hostname yourself, request the API keys and Duo API hostname by submitting a Help request that provides the hostname(s) of the systems to secure with Duo. You will receive a response with the keys and URL needed to complete the installation.
- Install the prerequisite software, OpenSSL and libpam (relevant installation instructions for Linux systems are excerpted below from the Duo website at duo.com/docs/duounix):
- For Ubuntu and Debian:
apt-get install libssl-dev libpam-dev
- For Red Hat and CentOS:
yum install openssl-devel pam-devel
- Download Duo for Unix (this requires an Internet connection):
wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
tar zxf duo_unix-latest.tar.gz
- Install Duo with PAM from inside the Duo folder:
cd duo_unix-*
./configure --with-pam --prefix=/usr && make && sudo make install
- Edit your /etc/ssh/sshd_config file to include the following lines:
ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes
- Edit your PAM configuration to match the recommendations for your distribution. You can find per-distribution PAM settings at duo.com/docs/duounix.
This is an example of how your /etc/pam.d/common-auth file could look:
auth [success=2 default=die] pam_krb5.so minimum_uid=1000
auth [success=2 default=die] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_duo.so
auth required pam_permit.so
auth optional pam_afs_session.so
Note: This example is intended for systems authenticating with Kerberos. The last line is used to authenticate against AFS. If you are not running AFS, the last line is probably not needed.
- Edit the API host and keys in /etc/duo/pam_duo.conf (or /etc/security/pam_duo.conf, depending on your distro) and insert the values from step 2.
Example:
[duo]
; Duo API host
host = api-123456789.duosecurity.com
; Duo integration key
ikey = aq1sw2de3fr4gt5hy6ju7ki8lo9
; Duo secret key
skey = 1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik
- Restart SSH.
- Ensure that you can SSH in from a new session, to avoid getting locked out.
- If you can SSH to the system and are prompted to use Duo, installation is complete.
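A pre-restart check for the two files edited in the steps above, to catch a missing directive or an empty key before SSH is restarted. This is an added example, not part of the original instructions or of Duo's software. The function names are assumptions of the example, and the sshd_config check reads only the file it is given (no Include files, no Match blocks).

```shell
#!/bin/sh
# Added example: verify the sshd_config and pam_duo.conf edits before restarting SSH.
# Function names are hypothetical; pass the file paths used on your system.

# Print the value of an sshd_config keyword (first uncommented match wins,
# keywords are case-insensitive).
sshd_value() {  # $1 = keyword, $2 = sshd_config path
    awk -v k="$1" 'BEGIN { k = tolower(k) }
        /^[ \t]*#/ { next }
        tolower($1) == k { print tolower($2); exit }' "$2"
}

# Succeed only if the three directives from the sshd_config step are set to "yes".
check_sshd() {  # $1 = sshd_config path
    rc=0
    for kw in ChallengeResponseAuthentication PasswordAuthentication UsePAM; do
        v=$(sshd_value "$kw" "$1")
        if [ "$v" != "yes" ]; then
            echo "sshd_config: $kw is '${v:-unset}', expected yes" >&2
            rc=1
        fi
    done
    return $rc
}

# Succeed only if host, ikey and skey all have values inside the [duo] section.
# Lines starting with ';' or '#' are treated as comments.
check_duo_conf() {  # $1 = pam_duo.conf path
    rc=0
    for key in host ikey skey; do
        if ! awk -v k="$key" '
            /^[ \t]*[;#]/ { next }
            /^[ \t]*\[/   { in_duo = ($0 ~ /^[ \t]*\[duo\]/); next }
            in_duo {
                split($0, kv, "=")
                gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
                if (kv[1] == k && kv[2] != "") found = 1
            }
            END { exit !found }' "$1"; then
            echo "pam_duo.conf: $key missing or empty" >&2
            rc=1
        fi
    done
    return $rc
}
```

Call `check_sshd /etc/ssh/sshd_config && check_duo_conf /etc/duo/pam_duo.conf` and restart SSH only if both succeed, keeping your existing session open while you test a new one.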
For more information or assistance, please submit a Help request.