Announcing Duo's two-factor authentication for Unix

We’ve open-sourced our duo_unix package for easy, drop-in two-factor authentication to any Unix system. Combined with our hosted service, it’s the simplest way to protect logins to your cloud or datacenter hosts with strong, out-of-band authentication. Here’s how:

1. Set up your Duo account

First, create your new Duo account at duosecurity.com – it’s free for up to 10 users or for any open-source project!

In the Duo admin interface, create a new Unix integration for your host:

newintegration.png

You’ll need the resulting integration and secret keys for your duo_unix configuration:

integration.png

2. Set up login_duo on your Unix system

Next, on your Unix system, download, build and install the duo_unix distribution (or install the appropriate package for your OS: Debian, Ubuntu, etc.):

build.png

Once installed, edit /etc/duo/login_duo.conf as root to add your integration and secret keys:

conf.png

Then as a regular user, test login_duo manually. If everything’s set up correctly, you’ll be prompted to enroll (or check your syslog for errors):

enroll.png

Enroll your phone:

enroll.png

The next time you run login_duo, you’ll be prompted to authenticate with your phone:

authprompt.png

3. Enable login_duo on your Unix system

To enable Duo login for individual accounts using SSH pubkeys, use the authorized_keys command option. For example, to verify individual admins authorized to log into a shared root account:

root_duo.png

* This also works for user-local installations (e.g. $HOME/bin) without root access in shared web hosting environments — just specify the location of login_duo.conf with -c.

Similarly, you can enable Duo login system-wide to follow any SSH login method (password, pubkey, etc.) for any user. Edit your /etc/sshd_config (or /etc/ssh/sshd_config) to add the following line:

ForceCommand /usr/local/sbin/login_duo

And optionally limit Duo login to a subset of users by UID or group in /etc/duo/login_duo.conf:

group = wheel

The duo_unix PAM configuration is similar if you’d like to protect other PAM-enabled daemons or programs (e.g. sudo).

Let us know if you have any questions or comments!