SSH with Duo Security on Alpine Linux

I wanted a secure entry to my home lab. A key seemed about right, but why not add an extra layer with 2FA? Google Authenticator is cool, but a push notification is even cooler. I went for Duo Security, which allows up to 10 clients without any fee.

I went for Alpine as my gatekeeper, but I will not be covering the distro install here; it’s in the docs.

Installation

Install all required dependencies:

apk --update add openssh-server-pam build-base automake autoconf libtool git linux-pam-dev openssl-dev wget

Install Duo module:

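# duo_unix-latest.tar.gz must already be downloaded into the current directory
tar -zxf duo_unix-latest.tar.gz
cd duo_unix-*/   # the directory the tarball created
./configure --with-pam --prefix=/usr && make && make install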

Configuration

Below are the required and recommended sshd_config options:

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
UseDNS no

If you plan to SSH in as root (I’d recommend you don’t), you need to set PermitRootLogin yes WITHOUT any restrictions. I highly advise you to create another user and prohibit root login. Whichever user you use, add its key to authorized_keys.
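To confirm that the options above are the ones sshd will actually apply, here is an added example (not part of the original post) that audits sshd_config text. The function names `sshd_opt`, `check`, `audit_sshd` and `sample_weak` are hypothetical, the sample config is constructed, and the fallback defaults are assumed to be upstream OpenSSH's.

```sh
#!/bin/sh
# Added example, not from the original post: audit sshd_config text for the
# key + Duo settings listed in the Configuration section.

# Effective global value of KEYWORD (an ERE, so aliases can be "a|b") in $cfg.
# Keywords are case-insensitive, the first match wins, Match blocks are skipped.
sshd_opt() {
    printf '%s\n' "$cfg" | awk -v k="$1" '
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) ~ ("^(" tolower(k) ")$") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# check KEYWORD WANTED DEFAULT. DEFAULT is the value assumed when the keyword
# is absent (upstream OpenSSH defaults: an assumption, distro builds may differ).
check() {
    val=$(sshd_opt "$1"); val=${val:-$3}
    [ "$val" = "$2" ] || echo "FAIL $1: got '$val', want '$2'"
}

# Reads sshd_config text on stdin; prints one FAIL line per finding, or nothing.
audit_sshd() {
    cfg=$(cat)
    check PubkeyAuthentication yes yes
    check PasswordAuthentication no yes
    # ChallengeResponseAuthentication is a deprecated alias in newer OpenSSH.
    check 'ChallengeResponseAuthentication|KbdInteractiveAuthentication' yes yes
    check UsePAM yes no
    # Exact match matters: an extra space-separated list such as a bare
    # "publickey" lets the key alone log in, with no Duo prompt.
    check AuthenticationMethods publickey,keyboard-interactive any
    root=$(sshd_opt PermitRootLogin)
    [ "$root" != yes ] || echo "FAIL PermitRootLogin: root login is enabled"
    return 0
}

# Constructed sample: sshd ignores the second PasswordAuthentication line, and
# AuthenticationMethods offers a key-only alternative.
sample_weak() {
    cat <<'EOF'
passwordauthentication yes
PasswordAuthentication no
UsePAM yes
AuthenticationMethods publickey publickey,keyboard-interactive
PermitRootLogin yes
EOF
}

sample_weak | audit_sshd
```

On a live host, run `audit_sshd < /etc/ssh/sshd_config`; the parser does not follow Include directives, so `sshd -T | audit_sshd` is the better input when the config is split across files.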

Add a line to /etc/pam.d/sshd to enable the Duo PAM module (adjust the path if yours is different):

auth required /lib64/security/

Now add your application API info to /etc/duo/pam_duo.conf and restart the SSHD service. On the next logon you should receive an enrollment link (if you have never used Duo) and then the welcome screen:

  Using username “user”.
  Authenticating with public key “user” from agent
  Further authentication required
  Using keyboard-interactive authentication.
  Duo two-factor login for user

  Enter a passcode or select one of the following options:

   1. Duo Push to +XX XXX XXX XXX
   2. SMS passcodes to +XX XXX XXX XXX

  Passcode or option (1-2)

Let me know if you faced any issues installing Duo on your Linux machine. Stay safe!

This post is licensed under CC BY 4.0 by the author.