I wanted to have a secure entry to my home lab, key seemed about right, but why not extra layer with 2FA? Google Authenticator is cool, but push notification is even cooler. I went for Duo Security which allows up to 10 clients without any fee.
I went for Alpine to be my gatekeeper, but I will not be covering distro install here, it’s in docs.
Installation Install all required dependencies:
1 apk --update add openssh-server-pam build-base automake autoconf libtool git linux-pam-dev openssl-dev wget
Install Duo module:
1 2 3 4 wget https://dl.duosecurity.com/duo_unix-latest.tar.gz tar -zxf duo_unix-latest.tar.gz cd whatever dir it created ./configure --with-pam --prefix=/usr && make && make install
Configuration Below are required and recommended options:
1 2 3 4 5 6 PubkeyAuthentication yes PasswordAuthentication no ChallengeResponseAuthentication yes AuthenticationMethods publickey,keyboard-interactive UsePAM yes UseDNS no
If you plan to ssh with root user (I’d recommend you don’t) you need to set PermitRootLogin yes WITHOUT any restrictions. I highly advise you create another user and prohibit root login. Whatever user you use add key to authorized_keys.
Add a line in
/etc/pam.d/sshd to enable Duo PAM module (note the path if got different):
1 auth required /lib64/security/pam_duo.so
Now add your application API info to /etc/duo/pam_duo.conf and restart SSHD service. On next logon you should receive enrollment link (if you have never used Duo) and then welcoming screen:
- Using username “user”.
- Authenticating with public key “user” from agent
- Further authentication required
- Using keyboard-interactive authentication.
- Duo two-factor login for user
- Enter a passcode or select one of the following options:
- Duo Push to +XX XXX XXX XXX
- SMS passcodes to +XX XXX XXX XXX
Passcode or option (1-2)
Let me know if you faced any issues installing Duo on your Linux machine. Stay safe!