pam_duo - Man Page
PAM module for Duo authentication
Synopsis
pam_duo.so [conf=⟨FILENAME⟩]
Description
pam_duo provides secondary authentication (typically after successful password-based authentication) through the Duo authentication service.
Options
PAM module configuration options supported:
- conf
Specify an alternate configuration file to load. Default is
/etc/duo/pam_duo.conf
- debug
Debug mode; send log messages to stderr instead of syslog.
Configuration
The INI-format configuration file must have a “duo” section with the following options:
- host
Duo API host (required).
- ikey
Duo integration key (required).
- skey
Duo secret key (required).
- groups
If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern-lists (see Patterns below).
- failmode
On service or configuration errors that prevent Duo authentication, fail “safe” (allow access) or “secure” (deny access). Default is “safe”.
- pushinfo
Send command to be approved via Duo Push authentication. Default is “no”.
- http_proxy
Use the specified HTTP proxy, same format as the HTTP_PROXY environment variable.
- autopush
Automatically send a login request to the first factor (usually push), instead of prompting the user. Default is "no".
- prompts
Set the maximum number of prompts pam_duo will show before denying access. Default is 3.
- fallback_local_ip
If unable to detect the authorizing user's IP address, fallback on the server's IP. Default is "no".
- send_gecos
Instead of using the unix username, send Duo the contents of the GECOS field from /etc/passwd. Default is "no".
An example configuration file:
[duo]
host = api-deadbeef.duosecurity.com
ikey = SI9F...53RI
skey = 4MjR...Q2NmRiM2Q1Y
pushinfo = yes
autopush = yes
Other authentication restrictions may be implemented using pam_listfile(8), pam_access(8), etc.
Patterns
A pattern consists of zero or more non-whitespace characters, ‘*’ (a wildcard that matches zero or more characters), or ‘?’ (a wildcard that matches exactly one character).
A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark (‘!’). For example, to specify Duo authentication for all users (except those that are also admins), and for guests:
groups = users,!wheel,!*admin guests
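The following is an added example, not code from pam_duo itself: a small Python checker that applies the pattern, pattern-list and groups rules described above to a user's group list, so an administrator can see which users a given groups setting will actually subject to Duo. It assumes (as the "except those that are also admins" example implies) that a negated pattern matching any of the user's groups excludes that pattern-list; the module's exact evaluation order may differ.

```python
def match_pattern(s: str, pattern: str) -> bool:
    """Match s against pattern: '*' matches zero or more characters, '?' exactly one."""
    si = pi = 0
    star, backtrack = -1, 0          # position of the last '*' and where to resume in s
    while si < len(s):
        if pi < len(pattern) and pattern[pi] == '*':
            star, backtrack, pi = pi, si, pi + 1
        elif pi < len(pattern) and pattern[pi] in ('?', s[si]):
            si, pi = si + 1, pi + 1
        elif star != -1:             # mismatch after a '*': let the '*' absorb one more char
            backtrack += 1
            si, pi = backtrack, star + 1
        else:
            return False
    while pi < len(pattern) and pattern[pi] == '*':   # trailing '*' may match nothing
        pi += 1
    return pi == len(pattern)


def match_pattern_list(s: str, pattern_list: str) -> int:
    """Comma-separated patterns, '!' negates. -1: negated match, 1: positive match, 0: none."""
    found = 0
    for pat in pattern_list.split(','):
        if not pat:
            continue
        negate = pat.startswith('!')
        if match_pattern(s, pat[1:] if negate else pat):
            if negate:
                return -1
            found = 1
    return found


def groups_require_duo(user_groups, groups_setting: str) -> bool:
    """True if any space-separated pattern-list positively matches one of the user's groups
    and none of the user's groups hits a negated pattern in that same list (assumption)."""
    for pattern_list in groups_setting.split():
        found = False
        for g in user_groups:
            r = match_pattern_list(g, pattern_list)
            if r == -1:
                found = False
                break                # a negated match on any group excludes this list
            found = found or r == 1
        if found:
            return True
    return False


# Constructed sample: the man page's own groups value and a few synthetic group sets.
SETTING = "users,!wheel,!*admin guests"
if __name__ == "__main__":
    for groups in (["users"], ["users", "wheel"], ["guests", "wheel"], ["staff", "sysadmin"]):
        print(groups, "->", "Duo required" if groups_require_duo(groups, SETTING) else "no Duo")
```

Note that the groups option only narrows enforcement when it is present; with no groups line, the module requires Duo for every user it is invoked for.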
Files
- /etc/duo/pam_duo.conf
Default configuration file path
Authors
pam_duo was written by Duo Security ⟨support@duosecurity.com⟩
Notes
When used with OpenSSH's sshd(8), only PAM-based authentication can be protected with this module; pubkey authentication bypasses PAM entirely. OpenSSH's PAM integration also does not honor an interactive pam_conv(3) conversation, prohibiting real-time Duo status messages (such as during voice callback).