Duo two-factor authentication for Unix systems
Latest commit bc5e1ef Jun 21, 2012 @Flameeyes build: use the proper targets for install hooks
Also always create directories before using them (for parallel install
compatibility), and fix one bad name.



duo_unix - Duo two-factor authentication for Unix systems

Duo provides simple two-factor authentication as a service.

This package allows an admin (or ordinary user) to quickly add Duo
authentication to any Unix login without setting up secondary user
accounts, directory synchronization, servers, or hardware.

What's here:

	Simple C API for the Duo two-factor authentication service.

	Login utility to add secondary Duo authentication to any login
	(e.g. via sshd ForceCommand or ~/.ssh/authorized_keys command)
	to augment password, pubkey, or other primary auth method.

	Optional Pluggable Authentication Module for Linux, FreeBSD,
	NetBSD, MacOS X, Solaris, AIX, HP-UX to add Duo authentication
	system-wide (e.g. sshd, sudo, su, samba, etc.)


Build dependencies (install these first!):

	OpenSSL (http://openssl.org) development headers and libraries
	are installed by default on *BSD and MacOS X.

	Solaris, HP-UX, AIX:	3rd party packages or source build
	RedHat/Fedora/CentOS:	yum install openssl-devel
	Debian/Ubuntu:		apt-get install libssl-dev
	SUSE/SLES:		zypper install libopenssl-devel

	System PAM development headers and libraries are only required
	if building with PAM support (--with-pam below). They are
	installed by default on FreeBSD, NetBSD, MacOS X, Solaris,
	HP-UX, and AIX.

	RedHat/Fedora/CentOS:	yum install pam-devel
	Debian/Ubuntu:		apt-get install libpam-dev
	SUSE/SLES:		zypper install pam-devel

	When compiling for SLES 11, it is reported that you need the
	zlib package during compilation.

	SUSE/SLES:		zypper install zlib-devel

Options to ./configure:

	Specify the OpenSSL directory if not found automatically.

	Build PAM module, and optionally override the default install
	directory (determined automatically by platform) if necessary.

	Specify a different user for login_duo privilege separation -
	by default, "sshd" (or "_sshd" on MacOS X).

The default path for local configuration files will be set to /etc/duo
(which can be changed by specifying --sysconfdir=DIR).

NOTE: If you're missing ./configure, you accidentally downloaded the
git source tree tarball. Get a versioned package tarball instead:


Then just run "make".


"make install" as root should do it.

login_duo will be installed setuid root by default in order to keep
the Duo integration and secret keys in your configuration files
secret. It may also be installed non-setuid manually for a user
installation with individual (vs. system-wide) configuration files.

The pam_duo module will be installed in the system PAM module location
by default (/lib/security, /usr/lib/security, /usr/lib/pam, /usr/lib
depending on platform).


If you don't have a Duo account, sign up at http://www.duosecurity.com

From your admin account, add a new Unix integration (Integrations >
New integration) and use the integration key (ikey), secret key 
(skey), and API hostname in your Duo configuration files (by default
in /etc/duo).

You do not need to create any user accounts manually - new Duo users
will be created as each user logs in and enrolls their own device.


To test your Duo configuration, run login_duo from the command line as
your target user - for the default setuid-root install:

	$ login_duo -d echo YOU ROCK

For a non-setuid install:

	$ ./login_duo -d -c login_duo.conf echo YOU ROCK

If your Duo integration and secret keys are valid, you will be able to
enroll and authenticate successfully, and congratulate yourself. :-)


The login_duo binary is marked setuid in order to read the protected
login_duo.conf configuration file. However, privileges are dropped
immediately after so the privileged attack surface is minimal.
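
The setuid-root layout described above can be checked after "make install"
with a short script. This is an added example, not part of duo_unix: the
function names are hypothetical, and both paths are passed in by the caller.

```shell
#!/bin/sh
# Added example (not part of duo_unix): audit the file permissions that the
# setuid-root install relies on. Usage: sh audit.sh CONF_PATH LOGIN_DUO_PATH
# Both paths are supplied by the caller (assumption: you know where
# "make install" put login_duo.conf and login_duo on your platform).

# First 10 characters of `ls -ld` output, e.g. "-rw-------" (drops ACL marker).
mode_of() {
    ls -ld -- "$1" 2>/dev/null | cut -c1-10
}

# Numeric owner uid of a path.
owner_uid() {
    ls -ldn -- "$1" 2>/dev/null | awk '{ print $3 }'
}

# True only for a regular file with no group or other permission bits,
# so the ikey/skey inside stay unreadable to ordinary users.
conf_is_private() {
    case "$(mode_of "$1")" in
        -???------) return 0 ;;
        *) return 1 ;;
    esac
}

# True only for a regular file that is setuid + owner-executable and has
# no group/other write bit (a writable setuid binary can be replaced).
binary_mode_ok() {
    case "$(mode_of "$1")" in
        -??s?-??-?) return 0 ;;
        *) return 1 ;;
    esac
}

# Run every check, print one line per finding, return the number of findings.
audit_duo_install() {
    conf=$1 bin=$2 findings=0
    conf_is_private "$conf" || { echo "FAIL: $conf is missing or accessible to group/other"; findings=$((findings + 1)); }
    binary_mode_ok "$bin" || { echo "FAIL: $bin is not setuid or is group/other writable"; findings=$((findings + 1)); }
    [ "$(owner_uid "$bin")" = 0 ] || { echo "FAIL: $bin is not owned by uid 0"; findings=$((findings + 1)); }
    [ "$findings" -eq 0 ] && echo "OK: $conf and $bin match the setuid-root layout"
    return "$findings"
}

if [ "$#" -eq 2 ]; then
    audit_duo_install "$1" "$2"
fi
```

The exit status is the number of findings, so the script can gate a
deployment step or a periodic configuration check.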


Additional duo_unix documentation is available here:


Report any bugs, feature requests, etc. here:


Have fun!