SSH with Duo Security on Alpine Linux

Published: (Updated: ) in Lab, Servers by .

Need 2FA for your SSH logon? This is how.

I wanted a secure entry point to my home lab. Key-based authentication seemed about right, but why not add an extra layer with 2FA? Google Authenticator is cool, but a push notification is even cooler. I went for Duo Security, which allows up to 10 clients without any fee.
I chose Alpine to be my gatekeeper, but I will not be covering the distro install here; it’s in the docs.

Installation

Install all required dependencies:
apk --update add openssh-server-pam build-base automake autoconf libtool git linux-pam-dev openssl-dev wget

Install Duo module:
wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
tar -zxf duo_unix-latest.tar.gz
cd into the directory the archive created
./configure --with-pam --prefix=/usr && make && make install

Configuration

Below are the required and recommended options for /etc/ssh/sshd_config:

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
UseDNS no

If you plan to SSH in as root (I’d recommend you don’t), you need to set PermitRootLogin yes WITHOUT any restrictions. I highly advise creating another user and prohibiting root login. Whichever user you use, add its key to authorized_keys.

Add a line to /etc/pam.d/sshd to enable the Duo PAM module (adjust the path if your build installed it somewhere else):

auth required /lib64/security/pam_duo.so

Now add your application’s API details to /etc/duo/pam_duo.conf and restart the SSHD service. On your next logon you should receive an enrollment link (if you have never used Duo) and then the welcome screen:
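As an added example that is not part of the original post, the following POSIX shell script audits the three files configured above: the sshd_config options from the list, the pam_duo line in /etc/pam.d/sshd, and /etc/duo/pam_duo.conf. It takes the paths as arguments so it can be run against copies or fixtures; the option names it reads from pam_duo.conf (ikey, skey, host, failmode) come from the Duo Unix documentation rather than from this post, and the sample values in the comments are constructed placeholders. Two details it encodes that are easy to get wrong: sshd uses the first occurrence of a keyword (not the last), and pam_duo's failmode defaults to "safe", which lets a login through without the second factor when the Duo API is unreachable.

```shell
#!/bin/sh
# Added audit script (not from the original post). Usage:
#   sh audit_duo_ssh.sh /etc/ssh/sshd_config /etc/pam.d/sshd /etc/duo/pam_duo.conf
# Paths are arguments so it can also run against copies or test fixtures.

# Print the effective value of one sshd_config keyword. sshd honours the
# FIRST occurrence of a keyword, and anything after a "Match" line only
# applies conditionally, so parsing stops there. Assumes the
# "Keyword value" spelling used in the post, not "Keyword=value".
sshd_setting() {
    awk -v key="$2" '
        tolower($1) == "match"         { exit }
        /^[[:space:]]*#/ || NF < 2     { next }
        tolower($1) == tolower(key)    { print $2; exit }
    ' "$1"
}

# Verify the options listed in the post. Returns 0 when all match, otherwise
# prints each deviation and returns 1. An unset keyword is reported as a
# failure on purpose: rely on explicit values, not compile-time defaults.
check_sshd_config() {
    f="$1"; rc=0
    for pair in PubkeyAuthentication=yes PasswordAuthentication=no \
                AuthenticationMethods=publickey,keyboard-interactive UsePAM=yes
    do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_setting "$f" "$key")"
        if [ "$got" != "$want" ]; then
            echo "sshd_config: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    # OpenSSH 8.7 renamed ChallengeResponseAuthentication to
    # KbdInteractiveAuthentication; either spelling enables the Duo prompt.
    kbd="$(sshd_setting "$f" KbdInteractiveAuthentication)"
    [ -n "$kbd" ] || kbd="$(sshd_setting "$f" ChallengeResponseAuthentication)"
    if [ "$kbd" != "yes" ]; then
        echo "sshd_config: keyboard-interactive auth is '${kbd:-unset}', expected 'yes'"
        rc=1
    fi
    return $rc
}

# Confirm /etc/pam.d/sshd loads pam_duo as a required/requisite auth module
# and, when the line names an absolute path, that the file exists: a wrong
# path breaks every login, so catch it before restarting sshd.
check_pam_sshd() {
    line="$(grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+[^[:space:]]*pam_duo\.so' "$1" | head -n 1)"
    if [ -z "$line" ]; then
        echo "pam.d/sshd: no 'auth required ... pam_duo.so' line found"
        return 1
    fi
    module="$(printf '%s\n' "$line" | awk '{ print $3 }')"
    case "$module" in
        /*) [ -f "$module" ] || { echo "pam.d/sshd: module $module not found"; return 1; } ;;
    esac
    return 0
}

# pam_duo.conf holds the integration secret (skey), so only root may read
# it, and failmode should be "secure": the default "safe" lets a login
# proceed without the second factor when the Duo API cannot be reached.
check_pam_duo_conf() {
    f="$1"; rc=0
    mode="$(ls -ld "$f" | cut -c5-10)"      # group+other permission bits
    if [ "$mode" != "------" ]; then
        echo "pam_duo.conf: group/other can access it (bits '$mode'); use chmod 600"
        rc=1
    fi
    for key in ikey skey host; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$f" \
            || { echo "pam_duo.conf: $key is not set"; rc=1; }
    done
    failmode="$(awk -F= '$1 ~ /^[[:space:]]*failmode[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2 }' "$f")"
    if [ "$failmode" != "secure" ]; then
        echo "pam_duo.conf: failmode is '${failmode:-safe (default, fails open)}'; set failmode = secure"
        rc=1
    fi
    return $rc
}

# Run all three checks when invoked with the three paths.
if [ $# -eq 3 ]; then
    status=0
    check_sshd_config "$1" || status=1
    check_pam_sshd "$2"    || status=1
    check_pam_duo_conf "$3" || status=1
    [ $status -eq 0 ] && echo "all Duo SSH checks passed"
    exit $status
fi
```

Run it before restarting sshd, and keep a second session open while you do: a typo in the pam.d path or a missing ikey/skey/host locks out new logins rather than silently skipping the second factor. The permission check is the reason the script reads pam_duo.conf by path rather than sourcing it; chmod 600 on that file is what keeps the skey out of other local users' hands.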

Using username “user”.
Authenticating with public key “user” from agent
Further authentication required
Using keyboard-interactive authentication.
Duo two-factor login for user
Enter a passcode or select one of the following options:

  1. Duo Push to +XX XXX XXX XXX
  2. SMS passcodes to +XX XXX XXX XXX
    Passcode or option (1-2):

Let me know if you faced any issues installing Duo on your Linux machine.
Stay safe!
