SSH with Duo MFA and Active Directory

Duo has thorough documentation for adding MFA to your SSH sessions, but a couple of additional steps are needed to also integrate with Active Directory. This post walks through the installation of both Duo and Active Directory integration (via Centrify Express) on Ubuntu 16.04. For other Linux distros, Duo's documentation has you covered.

System components:

  • Ubuntu 16.04 server
  • Duo MFA account
  • Duo Unix package
  • Centrify Express for Active Directory integration

Duo Installation:

Install the OpenSSL and PAM development headers and libraries:

apt-get install libssl-dev libpam-dev -y

Add Duo repository and install duo-unix package:

echo 'deb http://pkg.duosecurity.com/Ubuntu xenial main' | tee /etc/apt/sources.list.d/duosecurity.list
curl -s https://duo.com/APT-GPG-KEY-DUO | apt-key add -
apt-get update
apt-get install duo-unix

Edit /etc/duo/pam_duo.conf with your integration key, secret key, and API host. You can find these values in the Duo Administration page for your "UNIX Application".

[duo]
; Duo integration key
ikey = XXXXXXXXXXXXXXXXXXXXXXX
; Duo secret key
skey = XXXXXXXXXXXXXXXXXXXXXXX
; Duo API host
host = XXXXXXXXXXXXXXXXXXXXXXX
; Send command for Duo Push authentication
;pushinfo = yes

Centrify Installation:

First, edit /etc/ssh/sshd_config so that ChallengeResponseAuthentication is set to "yes":

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

Download, unzip, and install Centrify Express:

wget https://downloads.centrify.com/products/centrify-suite/2017-update-1/centrify-suite-2017.1-deb7-x86_64.tgz
tar -xvzf centrify-suite-2017.1-deb7-x86_64.tgz
./install-express.sh

Go through the installation script to connect to your Active Directory environment:

You can type Q at any prompt to quit the installation and exit
the script without making any changes to your environment.

How do you want to proceed? (E|S|X|C|Q) [X]: X
Do you want to continue to install in Express mode? (C|Y|Q|N) [Y]:Y

Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:Y

Please enter the Active Directory domain to check [company.com]: your-domain.com
Join an Active Directory domain? (Q|Y|N) [Y]:Y
    Enter the Active Directory domain to join [your-domain.com]:
    Enter the Active Directory authorized user [administrator]: your-admin
    Enter the password for the Active Directory user:
    Enter the computer name [server-name]:
    Enter the container DN [Computers]:
    Enter the name of the domain controller [auto detect]:
Reboot the computer after installation? (Q|Y|N) [Y]: Y

After the server restarts, you should be able to login with your Active Directory credentials via SSH, but you are not prompted for Duo MFA. To support this, we need to edit /etc/pam.d/common-auth as follows:

# lines inserted by Centrify Direct Control { CentrifyDC 5.4.1-455 }
#auth   sufficient      pam_centrifydc.so
#auth   requisite       pam_centrifydc.so deny
auth    requisite       pam_centrifydc.so

# here are the per-package modules (the "Primary" block)
#auth   [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite       pam_unix.so nullok_secure
auth    [success=1 default=ignore]      /lib64/security/pam_duo.so

In both sections, I commented out the existing config and added the necessary lines so that pam_duo is used after a successful pam_centrifydc authentication.

Next, we need to edit /etc/pam.d/sshd and comment out "@include common-auth" so we can add the Centrify and Duo PAM modules (but we don't need pam_unix):

# Standard Un*x authentication.
#@include common-auth
auth    requisite       pam_centrifydc.so
auth    [success=1 default=ignore]      /lib64/security/pam_duo.so
auth    requisite       pam_deny.so
auth    required        pam_permit.so

You should now be able to SSH to the server with your Active Directory credentials and then be prompted for Duo MFA (assuming you have a Duo account that matches your AD username).
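To make the control flags in the /etc/pam.d/sshd stack above concrete, here is a small simulator of the PAM auth phase (an added example, not code from the original post, Duo or Centrify). It parses the four auth lines from this post and shows that a Duo failure, or a missing pam_duo module, falls through to pam_deny, so the stack fails closed rather than open.

```python
import re

# The auth stack from this post's /etc/pam.d/sshd (constructed copy for the simulation).
SSHD_AUTH = """
auth    requisite       pam_centrifydc.so
auth    [success=1 default=ignore]      /lib64/security/pam_duo.so
auth    requisite       pam_deny.so
auth    required        pam_permit.so
"""

def parse_stack(text):
    """Return [(control, module_basename)] for the 'auth' lines of a PAM file."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"auth\s+(\[[^\]]+\]|\S+)\s+(\S+)", line)
        if m:
            control, module = m.groups()
            stack.append((control, module.rsplit("/", 1)[-1]))
    return stack

def run_stack(stack, results):
    """Simulate the auth phase. `results` maps module name -> True (PAM_SUCCESS)
    or False (failure); pam_deny.so and pam_permit.so have fixed outcomes.
    Only the control values used in this post (plus 'sufficient') are modelled."""
    fixed = {"pam_deny.so": False, "pam_permit.so": True}
    failed = False                       # a 'required' module failed earlier
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ok = fixed.get(module, results.get(module, False))  # unknown/missing module: failure
        i += 1
        if control == "requisite":
            if not ok:
                return False             # stop immediately with failure
        elif control == "required":
            if not ok:
                failed = True            # keep going, but the final result is failure
        elif control == "sufficient":
            if ok and not failed:
                return True
        elif control.startswith("["):
            # e.g. [success=1 default=ignore]: on success skip N modules, otherwise no effect
            actions = dict(kv.split("=") for kv in control.strip("[]").split())
            if ok and actions.get("success", "ok").isdigit():
                i += int(actions["success"])
        else:
            raise ValueError("unsupported control: " + control)
    return not failed

def ssh_login_allowed(centrify_ok, duo_ok):
    """Outcome of the sshd auth stack for the given Centrify and Duo results."""
    return run_stack(parse_stack(SSHD_AUTH),
                     {"pam_centrifydc.so": centrify_ok, "pam_duo.so": duo_ok})
```

Only the combination of a successful AD password and a successful Duo prompt reaches pam_permit; every other path ends at a requisite failure.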

Active Directory Group Restriction:

You may also want to restrict SSH access to users in a certain Active Directory group. This can be done with two lines in /etc/ssh/sshd_config at the end of the config, after "UsePAM yes":

UsePAM yes
#########
UseDNS no
AllowGroups root your-group-name

Be sure to add the 'root' group so that you can still manage your server with the root account if needed. Restart SSH and your group restriction will be in effect:

service ssh restart