2nd Factor Authentication for Node Access with Duo

Here are the steps to configure second-factor authentication (2FA) with Duo via PAM, available as of the Teleport 4.4.0 release. This example uses an Ubuntu Server 20.04 LTS AWS EC2 instance. For other Linux distributions, follow the Duo instructions for configuring PAM authentication. You should have a running auth/proxy before attempting these steps.

Step 1. Follow the first steps at https://duo.com/docs/duounix to get a Duo account and create a Unix application. Keep the integration key, secret key and API hostname handy.

Step 2. Access the Ubuntu EC2 instance as the ubuntu user or another account with sudo/root access.

Step 3. Install the required tools to install Duo

$ sudo apt-get update && sudo apt-get install libssl-dev gcc libpam0g-dev make -y

Step 4. Download Duo and install

$ wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
$ tar -xf duo_unix-latest.tar.gz
$ cd duo_unix-1.11.4/
$ ./configure --with-pam --prefix=/usr && make && sudo make install

Step 5. Update /etc/duo/pam_duo.conf with the Duo integration key, secret key and API hostname for your account. The values shown for ikey and skey below are placeholders.


[duo]
; Duo integration key
ikey = DUO_INTEGRATION_KEY
; Duo secret key
skey = DUO_SECRET_KEY
; Duo API host
host = api-74444444.duosecurity.com
; `failmode = safe` In the event of errors with this configuration file or connection to the Duo service
; this mode will allow login without 2FA.
; `failmode = secure` This mode will deny access in the above cases. Misconfigurations with this setting
; enabled may result in you being locked out of your system.
failmode = safe
; Send command for Duo Push authentication
;pushinfo = yes

Step 6. Create the PAM configuration for Teleport

  1. Copy the /etc/pam.d/sshd config to /etc/pam.d/teleport
  2. Edit /etc/pam.d/teleport

Comment out the line @include common-auth by prefixing it with # and replace it with the following lines:

auth [success=1 default=ignore] /lib64/security/pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so

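With success=1, a successful Duo check skips the pam_deny.so line and reaches pam_permit.so; any other result falls through to pam_deny.so and the login is refused.

Note that the Duo instructions give the module as pam_duo.so, but the full path is needed here for PAM to find the library.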

Step 7. Download and install the Teleport 4.4.0+ community or enterprise version

Use the quick start instructions for community or enterprise in the Teleport documentation.

Step 8. Configure the Teleport SSH Service for the node

Note the pam settings, which enable PAM authentication and select the teleport PAM configuration created in Step 6.


    teleport:
      auth_token: TOKEN
      auth_servers: [ "teleport.example.com:3080" ]
      nodename: pamtest
      log:
        output: stderr
        severity: INFO
    auth_service:
        enabled: false
    ssh_service:
        # SSH is also enabled on this node:
        enabled: "yes"
        labels:
          example: duo
        commands:
        - command:
          - uptime
          - -p
          name: uptime
          period: 1m
        # PAM authentication using the /etc/pam.d/teleport stack from Step 6
        pam:
          enabled: true
          service_name: teleport
          use_pam_auth: yes
    proxy_service:
        enabled: false

Step 9. Start Teleport and connect to node

Connect to the node

Approve via the app or SMS:

** Now connected **
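
The files from Steps 5 and 6 can be checked before anyone depends on them. The shell function below is an added example, not part of the original guide or of Duo's or Teleport's tooling; the name audit_duo_pam and its messages are assumptions made for illustration. It verifies that the success=1 jump lands on pam_deny.so, that the module path exists, and that pam_duo.conf is complete, closed to group/other, and reports its failmode.

```shell
#!/bin/sh
# Added example (not from the Duo or Teleport docs): audit the Step 5/6 files.
# Prints one finding per line; returns 1 if any FAIL was reported.
audit_duo_pam() {
    pam_file=$1; duo_conf=$2; rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    # Active (uncommented) auth entries, in stack order.
    stack=$(grep -E '^[[:space:]]*(auth[[:space:]]|@include[[:space:]]+common-auth)' "$pam_file" || true)
    if printf '%s\n' "$stack" | grep -q '@include'; then
        fail "@include common-auth is still active in $pam_file"
    fi
    duo_line=$(printf '%s\n' "$stack" | grep -n 'pam_duo\.so' | head -n 1)
    if [ -z "$duo_line" ]; then
        fail "no active auth line loads pam_duo.so"
    else
        module=$(printf '%s\n' "$duo_line" | sed -E 's/.*[[:space:]]([^[:space:]]*pam_duo\.so).*/\1/')
        case $module in
            /*) [ -f "$module" ] || fail "$module does not exist" ;;
            *)  echo "WARN: pam_duo.so is referenced without an absolute path" ;;
        esac
        # success=1 skips exactly one entry on Duo success. That entry must be
        # pam_deny; otherwise a Duo failure falls through to pam_permit.
        next=$(printf '%s\n' "$stack" | sed -n "$(( ${duo_line%%:*} + 1 ))p")
        case $duo_line in *success=1*)
            printf '%s\n' "$next" | grep -Eq 'requisite[[:space:]]+pam_deny\.so' ||
                fail "pam_deny.so (requisite) must directly follow the pam_duo.so line" ;;
        esac
    fi

    # The config holds the secret key: no group/other permission bits.
    perms=$(ls -ld "$duo_conf" | cut -c5-10)
    [ "$perms" = "------" ] || fail "$duo_conf is accessible to group/other"
    for key in ikey skey host; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$duo_conf" ||
            fail "$key is not set in $duo_conf"
    done
    # Duo treats a missing failmode as safe (fail open).
    mode=$(sed -nE 's/^[[:space:]]*failmode[[:space:]]*=[[:space:]]*([a-z]+).*/\1/p' "$duo_conf" | tail -n 1)
    [ "${mode:-safe}" = secure ] ||
        echo "WARN: failmode=${mode:-safe} allows login without 2FA if Duo is unreachable"
    return $rc
}
```

Call it from a root shell as audit_duo_pam /etc/pam.d/teleport /etc/duo/pam_duo.conf; no output and a zero exit status mean every check passed.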