Overview
--------

duo_unix - Duo two-factor authentication for Unix systems

Duo provides simple two-factor authentication as a service.

This package allows an admin (or ordinary user) to quickly add Duo
authentication to any Unix login without setting up secondary user
accounts, directory synchronization, servers, or hardware.

What's here:

lib
    Simple C API for the Duo two-factor authentication service.

login_duo
    Login utility to add secondary Duo authentication to any login
    (e.g. via sshd ForceCommand or ~/.ssh/authorized_keys command)
    to augment password, pubkey, or other primary auth method.

pam_duo
    Optional Pluggable Authentication Module for Linux, FreeBSD,
    NetBSD, MacOS X, Solaris, AIX, HP-UX to add Duo authentication
    system-wide (e.g. sshd, sudo, su, samba, etc.)

Build
-----

Build dependencies (install these first!):

OpenSSL
    OpenSSL (http://openssl.org) development headers and libraries
    are installed by default on *BSD and MacOS X.

    Solaris, HP-UX, AIX: 3rd party packages or source build
    RedHat/Fedora/CentOS: yum install openssl-devel
    Debian/Ubuntu: apt-get install libssl-dev
    SUSE/SLES: zypper install libopenssl-devel

libpam
    Only required if building with PAM support (--with-pam below).
    System PAM development headers and libraries are installed by
    default on FreeBSD, NetBSD, MacOS X, Solaris, HP-UX, and AIX.

    RedHat/Fedora/CentOS: yum install pam-devel
    Debian/Ubuntu: apt-get install libpam-dev
    SUSE/SLES: zypper install pam-devel

zlib
    When compiling for SLES 11, it is reported that you need the
    zlib package during compilation.

    SUSE/SLES: zypper install zlib-devel

Options to ./configure:

--with-openssl=DIR
    Specify the OpenSSL directory if not found automatically.

--with-pam[=DIR]
    Build PAM module, and optionally override the default install
    directory (determined automatically by platform) if necessary.

--with-privsep-user=USER
    Specify a different user for login_duo privilege separation -
    by default, "sshd" (or "_sshd" on MacOS X).

The default path for local configuration files will be set to /etc/duo
(which can be changed by specifying --sysconfdir=DIR).

NOTE: If you're missing ./configure, you accidentally downloaded the
git source tree tarball. Get a versioned package tarball instead:

    https://github.com/duosecurity/duo_unix/downloads

Then just run "make".

Install
-------

"make install" as root should do it.

login_duo will be installed setuid root by default in order to keep
the Duo integration and secret keys in your configuration files
secret. It may also be installed non-setuid manually for a user
installation with individual (vs. system-wide) configuration files.

The pam_duo module will be installed in the system PAM module location
by default (/lib/security, /usr/lib/security, /usr/lib/pam, /usr/lib
depending on platform).

Setup
-----

If you don't have a Duo account, sign up at http://www.duosecurity.com

From your admin account, add a new Unix integration (Integrations >
New integration) and use the integration key (ikey), secret key
(skey), and API hostname in your Duo configuration files (by default
in /etc/duo).

You do not need to create any user accounts manually - new Duo users
will be created as each user logs in and enrolls their own device.

Test
----

To test your Duo configuration, run login_duo from the command line as
your target user - for the default setuid-root install:

    $ login_duo -d echo YOU ROCK

For a non-setuid install:

    $ ./login_duo -d -c login_duo.conf echo YOU ROCK

If your Duo integration and secret keys are valid, you will be able to
enroll and authenticate successfully, and congratulate yourself. :-)

Setuid
------

The login_duo binary is marked setuid in order to read the protected
login_duo.conf configuration file. However, privileges are dropped
immediately after so the privileged attack surface is minimal.
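
The Install and Setuid sections both depend on file permissions:
login_duo.conf has to stay unreadable to other users, and a system-wide
login_duo is setuid root. The shell check below is an added example, not
part of duo_unix; the DUO_CONF_DIR variable and the "audit" argument are
assumptions of this sketch, and /etc/duo is the default directory named
above.

```shell
# Added example (not from duo_unix): audit the permissions the README relies on.
# DUO_CONF_DIR and the "audit" argument are conventions of this sketch only.
DUO_CONF_DIR=${DUO_CONF_DIR:-/etc/duo}   # default config directory per the README

# mode_string FILE: print ls's 10-character type+permission field,
# e.g. "-rw-------"; prints nothing if FILE does not exist.
mode_string() {
    ls -ld -- "$1" 2>/dev/null | cut -c1-10
}

# conf_is_private FILE: succeed only for a regular file (not a symlink)
# with no group or other permission bits, so the skey is not exposed.
conf_is_private() {
    case $(mode_string "$1") in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# has_setuid_bit FILE: succeed if FILE is a regular file with setuid set
# ("s" = setuid and execute, "S" = setuid without execute).
has_setuid_bit() {
    case $(mode_string "$1") in
        -??[sS]??????) return 0 ;;
        *)             return 1 ;;
    esac
}

# owner_uid FILE: print the numeric uid that owns FILE.
owner_uid() {
    ls -ldn -- "$1" 2>/dev/null | awk '{ print $3 }'
}

# audit_duo: report on the login_duo binary and login_duo.conf;
# returns non-zero if the binary is missing or the config is exposed.
audit_duo() {
    conf=$DUO_CONF_DIR/login_duo.conf
    bin=$(command -v login_duo) || { echo "FAIL: login_duo not in PATH"; return 1; }
    if has_setuid_bit "$bin" && [ "$(owner_uid "$bin")" = 0 ]; then
        echo "ok:   $bin is setuid root"
    else
        echo "note: $bin is not setuid root (per-user install?)"
    fi
    conf_is_private "$conf" && { echo "ok:   $conf is $(mode_string "$conf")"; return 0; }
    echo "FAIL: $conf is missing, not a regular file, or group/other accessible"
    return 1
}

if [ "${1:-}" = "audit" ]; then audit_duo; fi
```

For a per-user install, point DUO_CONF_DIR at the directory holding your
own login_duo.conf before running the script with the "audit" argument.
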
Support
-------

Additional duo_unix documentation is available here:

    http://www.duosecurity.com/docs/duounix

Report any bugs, feature requests, etc. here:

    https://github.com/duosecurity/duo_unix/issues

Have fun!

---
http://www.duosecurity.com