SSH with Duo Security on Alpine Linux

I wanted a secure entry point to my home lab. A key seemed about right, but why not add an extra layer with 2FA? Google Authenticator is cool, but a push notification is even cooler. I went for Duo Security, which allows up to 10 clients without any fee.
I chose Alpine to be my gatekeeper, but I will not be covering the distro install here; it’s in the docs.

Installation

Install all required dependencies:
apk --update add openssh-server-pam build-base automake autoconf libtool git linux-pam-dev openssl-dev wget

Install Duo module:
wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
tar -zxf duo_unix-latest.tar.gz
cd duo_unix-*/    # the versioned directory the tarball unpacked into
./configure --with-pam --prefix=/usr && make && make install

Configuration

Below are the required and recommended options for /etc/ssh/sshd_config:

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
UseDNS no

If you plan to SSH in as root (I’d recommend you don’t), you need to set PermitRootLogin yes WITHOUT any restrictions. I highly advise that you create another user and prohibit root login. Whichever user you use, add its public key to that user’s authorized_keys file.

Add a line to /etc/pam.d/sshd to enable the Duo PAM module (adjust the path if yours is different):

auth required /lib64/security/pam_duo.so

Now add your application API info to /etc/duo/pam_duo.conf and restart the SSHD service. On the next logon you should receive an enrollment link (if you have never used Duo) and then the welcome screen:

Using username "user".
Authenticating with public key "user" from agent
Further authentication required
Using keyboard-interactive authentication.
Duo two-factor login for user
Enter a passcode or select one of the following options:

  1. Duo Push to +XX XXX XXX XXX
  2. SMS passcodes to +XX XXX XXX XXX
    Passcode or option (1-2):
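
To check the configuration above before restarting sshd, the following added example (not part of the original post) audits an sshd_config and a PAM service file for the settings listed in the Configuration section. The function names are hypothetical, and it reads only the two files passed to it.

```shell
#!/bin/sh
# Added example (not from the original post): audit the settings listed above.

# Print the global value of directive $2 in sshd_config-style file $1.
# sshd keeps the first value it reads for a keyword and keywords are
# case-insensitive; Match blocks and Include files are not followed here.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Compare the six directives from the post with file $1. Prints one FAIL line
# per missing or different setting and returns non-zero if there was any.
audit_sshd() {
    rc=0
    while read -r key want; do
        got=$(sshd_value "$1" "$key")
        # Newer OpenSSH calls this KbdInteractiveAuthentication (old name is an alias).
        [ -z "$got" ] && [ "$key" = ChallengeResponseAuthentication ] &&
            got=$(sshd_value "$1" KbdInteractiveAuthentication)
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', got '${got:-unset}'"
            rc=1
        fi
    done <<EOF
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
UseDNS no
EOF
    return "$rc"
}

# Succeed only if PAM service file $1 has an uncommented auth line loading pam_duo.so.
pam_has_duo() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_duo\.so' "$1"
}

# Usage: sh audit.sh /etc/ssh/sshd_config /etc/pam.d/sshd
if [ "$#" -eq 2 ]; then
    audit_sshd "$1" || exit 1
    pam_has_duo "$2" || { echo "FAIL: no active pam_duo.so auth line in $2"; exit 1; }
    echo "OK: sshd and PAM settings match"
fi
```

Keep an existing SSH session open while testing the new login. Saving the output of sshd -T to a file and passing that instead checks the effective configuration rather than a single file.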

Let me know if you faced any issues installing Duo on your Linux machine.
Stay safe!
