Skip to content Skip to site navigation Skip to service navigation

Two-Step Authentication for SSH on Linux Servers

These instructions explain how to install Duo on a stock system. The Information Security Office (ISO) encourages you to share advanced configurations with the Stanford Linux users community.

Installation instructions

  1. Before you install Duo, create a verified recoverable backup of the server (strongly recommended).
  2. Obtain your API keys (integration key and secret key) and Duo API hostname, which you need to integrate with the Stanford University Duo installation. You can either generate the keys and hostname yourself or submit a request for them.
    • To generate the keys and hostname yourself:

      • Authenticate yourself via Kerberos (i.e., kinit) if you have not already done so.
      • Install wallet if you have not already done so. For instructions, see Keytabs and Wallet.
      • Run the following command, where "yourcomputer.stanford.edu" is replaced with the fully-qualified domain name of the node:
        wallet get duo-pam yourcomputer.stanford.edu
        [duo]
        ikey = aq1sw2de3fr4gt5hy6ju7ki8lo9
        skey = 1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik
        host = api-123456789.duosecurity.com
        
    • To request the API keys and Duo API hostname, submit a Help ticket and provide the hostname(s) of the systems to secure with Duo. You will receive a response with the keys and URL needed to complete the installation.
  3. Install the prerequisite software, OpenSSL and libpam (relevant installation instructions for Linux systems are excerpted below from the Duo website at duo.com/docs/duounix):
    • For Ubuntu and Debian:
      apt-get install libssl-dev libpam-dev
    • For Red Hat and CentOS:
      yum install openssl-devel pam-devel
      
  4. Download Duo for Unix (this requires an Internet connection):
    wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
    tar zxf duo_unix-latest.tar.gz
    
  5. Install Duo with PAM from inside the Duo folder:
    cd duo_unix-*
    ./configure --with-pam --prefix=/usr && make && sudo make install
    
  6. Edit your /etc/ssh/sshd_config file to include the following lines:
    ChallengeResponseAuthentication yes
    PasswordAuthentication yes
    UsePAM yes
    
  7. Edit your PAM configuration to match the recommendations for your distribution. You can find per-distribution PAM settings at duo.com/docs/duounix.

    This is an example of how your /etc/pam.d/common-auth file could look:

    auth    [success=2 default=die]    pam_krb5.so minimum_uid=1000
    auth    [success=2 default=die]    pam_unix.so nullok_secure try_first_pass
    
    auth    requisite            pam_deny.so
    
    auth    required            pam_duo.so
    auth    required            pam_permit.so
    
    auth    optional            pam_afs_session.so
    
    Note: This example is intended for systems authenticating with Kerberos. The last line is used to auth against afs. If you are not running afs, the last line is probably not needed.
  8. Edit API host and keys /etc/duo/pam_duo.conf (or /etc/security/pam_duo.conf, depending on your distro) and insert the values from step 2.
    Example:
    [duo]
    ; Duo API host
    host = api-123456789.duosecurity.com
    ; Duo integration key
    ikey = aq1sw2de3fr4gt5hy6ju7ki8lo9
    ; Duo secret key
    skey = 1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik
    
  9. Restart SSH.
  10. Ensure that you can SSH in from a new session, to avoid getting locked out.
  11. If you can SSH to the system and are prompted to use Duo, installation is complete.

For more information or assistance, please submit a Help ticket.

Last modified June 7, 2017