Configuring two-factor authentication on FreeBSD with Duo Push

This setup uses an SSH key as the first factor of authentication. Please watch Part 1 for how to set up SSH keys and copy them to your server with scp.

Register for a free account at Duo.com

Install the Duo package on your FreeBSD server

pkg install -y duo

Log in to the Duo site, then go to Applications > Protect an Application, search for the Unix application, and select Protect this Application.

This will generate the keys we need to configure Duo.


Edit the Duo config file using the course notes template

vi /usr/local/etc/pam_duo.conf

Example config

; Duo integration key
ikey = Integration key goes here
; Duo secret key
skey = Secret key goes here
; Duo API host
host = API hostname goes here

Change the permissions of the Duo config file, which holds the secret key. If the permissions are not correct, the service will not function properly.

chmod 600 /usr/local/etc/pam_duo.conf

Edit the SSHD config file using the course notes template

vi /etc/ssh/sshd_config

Example config

Port 22
PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
PermitRootLogin yes
AuthenticationMethods publickey,keyboard-interactive

Edit PAM to configure SSHD for Duo using the course notes template

Example config

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            required        /usr/local/lib/security/pam_duo.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

Restart the sshd service

service sshd restart

SSH into your FreeBSD server and follow the link it outputs to enroll your phone with Duo.

ssh server.example.com


SSH into your server again

ssh server.example.com


Choose your preferred authentication method, and you should be logged in to your server.
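
A pre-restart check for the three files edited above, as an added example that is not part of the course notes or of Duo's tooling. The function names check_duo_ssh and sshd_value are hypothetical, and the script only inspects the settings shown in the example configs on this page.

```shell
#!/bin/sh
# Added example (not from the course notes or Duo): sanity-check the three
# files edited above. check_duo_ssh and sshd_value are hypothetical names.

# Print everything after the first occurrence of an sshd_config keyword
# (sshd uses the first value it sees; keywords are case-insensitive).
sshd_value() {  # $1 = file, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

check_duo_ssh() {  # $1 = pam_duo.conf, $2 = sshd_config, $3 = PAM file for sshd
    rc=0
    # 1. pam_duo.conf holds the secret key: mode must be exactly 600.
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "FAIL: $1 is $mode, want -rw-------"; rc=1; }

    # 2. The template placeholders must have been replaced with real values.
    for key in ikey skey host; do
        val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1)
        case "$val" in
            ""|*"goes here"*) echo "FAIL: $key is not set in $1"; rc=1 ;;
        esac
    done

    # 3. sshd must require the key AND the PAM (Duo) step, with passwords off.
    #    A second, weaker list after AuthenticationMethods also fails here.
    [ "$(sshd_value "$2" UsePAM)" = "yes" ] || { echo "FAIL: UsePAM is not yes"; rc=1; }
    [ "$(sshd_value "$2" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication is not no"; rc=1; }
    [ "$(sshd_value "$2" AuthenticationMethods)" = "publickey,keyboard-interactive" ] \
        || { echo "FAIL: AuthenticationMethods is not publickey,keyboard-interactive"; rc=1; }

    # 4. PAM must run pam_duo.so as an uncommented, mandatory auth module.
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+[^#[:space:]]*pam_duo\.so' "$3" \
        || { echo "FAIL: no required pam_duo.so auth line in $3"; rc=1; }

    return "$rc"
}
```

Run it as root before `service sshd restart`, for example `check_duo_ssh /usr/local/etc/pam_duo.conf /etc/ssh/sshd_config /etc/pam.d/sshd` (the last path assumes the PAM file you edited is FreeBSD's sshd service file). Keep your current SSH session open until a new login succeeds, so a mistake does not lock you out.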