We’ve open-sourced our duo_unix package for easy, drop-in two-factor authentication to any Unix system. Combined with our hosted service, it’s the simplest way to protect logins to your cloud or datacenter hosts with strong, out-of-band authentication. Here’s how:
1. Set up your Duo account
First, create your new Duo account at duosecurity.com – it’s free for up to 10 users or for any open-source project!
In the Duo admin interface, create a new Unix integration for your host:
You’ll need the resulting integration and secret keys for your duo_unix configuration:
2. Set up login_duo on your Unix system
Once installed, edit /etc/duo/login_duo.conf as root to add your integration and secret keys:
Then as a regular user, test login_duo manually. If everything’s set up correctly, you’ll be prompted to enroll (or check your syslog for errors):
Enroll your phone:
The next time you run login_duo, you’ll be prompted to authenticate with your phone:
3. Enable login_duo on your Unix system
To enable Duo login for individual accounts using SSH pubkeys, use the authorized_keys command option. For example, to verify individual admins authorized to log into a shared root account:
* This also works for user-local installations (e.g. $HOME/bin) without root access in shared web hosting environments — just specify the location of login_duo.conf with -c.
Similarly, you can enable Duo login system-wide to follow any SSH login method (password, pubkey, etc.) for any user. Edit your /etc/sshd_config (or /etc/ssh/sshd_config) to add the following line:
And optionally limit Duo login to a subset of users by UID or group in /etc/duo/login_duo.conf:
group = wheel
The duo_unix PAM configuration is similar if you’d like to protect other PAM-enabled daemons or programs (e.g. sudo).
Let us know if you have any questions or comments!