Search for blog posts, documentation, or pages

We’ve open-sourced our duo_unix package for easy, drop-in two-factor authentication to any Unix system. Combined with our hosted service, it’s the simplest way to protect logins to your cloud or datacenter hosts with strong, out-of-band authentication. Here’s how:

1. Set up your Duo account

First, create your new Duo account at – it’s free for up to 10 users or for any open-source project!

In the Duo admin interface, create a new Unix integration for your host:


You’ll need the resulting integration and secret keys for your duo_unix configuration:


2. Set up login_duo on your Unix system

Next, on your Unix system, download, build and install the duo_unix distribution (or install the appropriate package for your OS: Debian, Ubuntu, etc.):


Once installed, edit /etc/duo/login_duo.conf as root to add your integration and secret keys:


Then as a regular user, test login_duo manually. If everything’s set up correctly, you’ll be prompted to enroll (or check your syslog for errors):


Enroll your phone:


The next time you run login_duo, you’ll be prompted to authenticate with your phone:


3. Enable login_duo on your Unix system

To enable Duo login for individual accounts using SSH pubkeys, use the authorized_keys command option. For example, to verify individual admins authorized to log into a shared root account:


* This also works for user-local installations (e.g. $HOME/bin) without root access in shared web hosting environments — just specify the location of login_duo.conf with -c.

Similarly, you can enable Duo login system-wide to follow any SSH login method (password, pubkey, etc.) for any user. Edit your /etc/sshd_config (or /etc/ssh/sshd_config) to add the following line:

ForceCommand /usr/local/sbin/login_duo

And optionally limit Duo login to a subset of users by UID or group in /etc/duo/login_duo.conf:

group = wheel

The duo_unix PAM configuration is similar if you’d like to protect other PAM-enabled daemons or programs (e.g. sudo).

Let us know if you have any questions or comments!

Dug Song
CEO & Co-Founder

Dug has a history of leading successful products and companies to solve pressing security problems. Dug spent 7 years as founding Chief Security Architect at Arbor Networks, protecting 80% of the world’s Internet service providers, and growing to $120M+ annual revenue before its acquisition by Danaher. Before Arbor, Dug built the first commercial network anomaly detection system (acquired by NFR / Check Point), and managed security in the world’s largest production Kerberos environment (University of Michigan).


Free Guide

Ebook: A Modern Guide to Retail Data Risks

Avoiding Catastrophic Data Breaches in the Retail Industry


phishing (20)  two-factor-authentication (18)  security news (17)  healthcare security (17)  passwords (15)  weekly ink (13)  cloud security (12)  mobile security (11)  federal cybersecurity (10)  malware (10)  infosec-evolution (9)  duo mobile (8)  rsac2015 (8)  retail data breaches (8)  banking security (8)  data breaches (7)  stolen credentials (7)  financial data breach (7)  stolen-passwords (7)  pci dss (6)  ios security (6)  remote access attacks (6)  2fa (6)  encryption (6)  ooba (6)  financial institutions (6)  remote access security (6)  healthit (5)  healthcare cybersecurity (5)  uk security (5)  platform edition (5)  higher education (5)  media security (5)  webinar (5)  atms (5)  transaction-level 2fa (5)  pos malware (5)  retail (4)  2-factor-authentication (4)  security research (4)  third-party security (4)  vulnerability (4)  data breach notification (4)  security threats (4)  financial data security (4)  rig exploit kit (4)  endpoint security (4)  medical identity theft (4)  google (4)  retail data security (4)  healthcare data breach (4)  ios (4)  bank security (4)  defcon-23 (4)  hipaa (4)  blackhat 2015 (4)  law firm security (3)  health it (3)  cisco vpn (3)  duo-security-summit (3)  car security (3)  payment card breach (3)  ffiec (3)  ssl (3)  retail data risks (3)  stock market (3)  aws security (3)  retail ebook (3)  hipaa security rule (3)  windows security (3)  strong-authentication (3)  two-factor (3)  manufacturing security (3)  critical infrastructure security (3)  out of band authentication (3)  flash vulnerabilities (3)  ios vulnerabilities (3)  flash security (3)  otp bypass (3)  dyre trojan (3)  social engineering (3)  byod (3)  twitter (3)  home depot (3)  defense in depth (3)  e-prescriptions (3)  defcon (3)  end-user authentication (3)  target (3)  anthem (3)  ehr (3)  iot security (3)  outlook-web-app (3) 

Duo is hiring!

View our open positions

Subscribe to our Newsletter

Get product updates, interesting content, and invitations to online and live events.