Skip to content


Repository files navigation

Duo Unix

Build Status Issues Forks Stars License

Duo two-factor authentication for Unix systems.

Duo Unix includes a PAM module or alternatively a stand alone executable that can be used to protect programs such as SSH or Sudo.

This repository is meant to be used for development or cutting edge versions of Duo Unix. For production deployments Duo recommends using our stable release tarballs or packages. Instructions can be found on our documentation page Duo Unix Docs

Getting Started

These instructions are geared towards getting you up and running on your local machine for development and testing purposes. See the deployment section for notes on how to deploy Duo Unix in production.


You will likely want to have some kind of virtual machine when developing Duo Unix. If Duo Unix is configured incorrectly it has the potential to lock you out of a system. It's better to have that happen on a virtual machine instead of your computer.

We recommend something like Vagrant or Docker


Install the necessary third party libraries.

  • Debian based Systems
$ sudo apt-get install autoconf libtool libpam-dev libssl-dev make
  • RHEL based systems
$ sudo yum install autoconf libtool pam-devel openssl-devel
  • RHEL 7 and CentOS 7 systems with SELinux enabled
$ sudo yum install selinux-policy-devel bzip2

Clone the Duo Unix project down and enter the directory

$ git clone <paste the url here>
$ cd duo_unix/

Run bootstrap to generate the configure script.

$ ./bootstrap

Run configure to generate your makefiles.

$ ./configure --with-pam --prefix=/usr

Build the project locally

$ make

Install the project. The install location will be the same as the prefix you specified in the configure step.

$ sudo make install

After installation add your integration keys to the config files

  • Visit the Duo Admin Panel and create a "Unix" integration if you don't have one already
  • Copy your ikey, skey, and api_host into the proper fields of the config files
$ vim /etc/duo/login_duo.conf
$ vim /etc/duo/pam_duo.conf

Finally, test an auth!

$ sudo login_duo -f myusername 'echo "Hello World"'

You should only see "Hello World" if the authentication succeeds.

Running the tests

The additional prereq for running the tests is python

#  RHEL Based
$ sudo yum install python
#  Debian Based
$ sudo apt-get install python

To run all the automated tests simply run

$ sudo make check

To run an individual test file

$ cd tests/
$ python

To run an individual test suite

$ cd tests/
$ python TestLoginDuoConfig

To run an individual test case

$ cd tests/
$ python TestLoginDuoConfig.test_empty_args

Python Tests

For Duo Unix we use the python unittest library to do our testing. Each suite typically starts by creating a mock duo service. After we create that service we perform a series of tests to verify that this software is working as expected. Although we use the unittest library these are not truely "unit tests" as manage subprocesses and generally employ blackbox testing. The true "unit tests" for Duo Unix are the unity tests.

Testing with coverage

To generate coverate reports you'll need to compile Duo Unix with the --with-coverage options. Please note that in order to view HTML version of the coverage reports you'll also need to install the python package gcovr.

To see the testing coverage of the Duo PAM for example you would run the following at the repository root.

$ ./configure --with-coverage --with-pam
$ ./
$ $BROWSER coverage/pam_duo.html

Note that configuring Duo Unix --with-coverage disables any compiler optimizations to allow the profiler to better match executed instructions with lines of code.

Other testing tips

Each test creates the mockduo server for you, but if you need to run it manually to test things you can. Below is an example of running a mockduo server in one session and authenticating against it in another.

$ cd tests/
$ python certs/mockduo.pem
Now in a separate terminal window
$ ../login_duo/login_duo -d -c confs/mockduo.conf -f my_username echo "Success"

This mock server can be a bit brittle so you may have to restart it if you start seeing very weird behavior.

Static analysis

Install cppcheck

$ cppcheck --quiet --force -i tests --suppressions-list=.false_positive.txt --error-exitcode=1 .


For production deployments Duo recommends using our stable release tarballs or packages. Instructions can be found on our documentation page Duo Unix Docs

TLS 1.2 and 1.3 Support

Duo Unix uses the system's OpenSSL library for TLS operations. It will use the highest TLS version available when making API calls to Duo. TLS 1.2 support requires OpenSSL 1.0.1 or higher; TLS 1.3 support requires OpenSSL 1.1.1 or higher.


Please read and for details on our code of conduct and the process for submitting pull requests to us.


We use SemVer for versioning.


This project is licensed under the GPLv2 License - see the LICENSE file for details


Report any bugs, feature requests, etc. to