Provided by: libpam-duo_1.11.3-1.2_amd64

NAME

     pam_duo — PAM module for Duo authentication

SYNOPSIS

     pam_duo.so [conf=⟨FILENAME⟩]

DESCRIPTION

     pam_duo provides secondary authentication (typically after successful password-based
     authentication) through the Duo authentication service.

OPTIONS

     PAM module configuration options supported:

     conf      Specify an alternate configuration file to load. Default is /etc/duo/pam_duo.conf

     debug     Debug mode; send log messages to stderr instead of syslog.

CONFIGURATION

     The INI-format configuration file must have a “duo” section with the following options:

     host      Duo API host (required).

     ikey      Duo integration key (required).

     skey      Duo secret key (required).

     groups    If specified, Duo authentication is required only for users whose primary group or
               supplementary group list matches one of the space-separated pattern-lists (see
               PATTERNS below).

     failmode  On service or configuration errors that prevent Duo authentication, fail “safe”
               (allow access) or “secure” (deny access). Default is “safe”.

     pushinfo  Send command to be approved via Duo Push authentication. Default is “no”.

     http_proxy
               Use the specified HTTP proxy, same format as the HTTP_PROXY environment variable.

     autopush  Automatically send a login request to the first factor (usually push), instead of
               prompting the user. Default is "no".

     prompts   Set the maximum number of prompts pam_duo will show before denying access.
               Default is 3.

     fallback_local_ip
               If unable to detect the authorizing user's IP address, fall back on the server's
               IP. Default is "no".

     send_gecos
               Instead of using the unix username, send Duo the contents of the GECOS field from
               /etc/passwd.  Default is "no".

     An example configuration file:

             [duo]
             host = api-deadbeef.duosecurity.com
             ikey = SI9F...53RI
             skey = 4MjR...Q2NmRiM2Q1Y
             pushinfo = yes
             autopush = yes

     Other authentication restrictions may be implemented using pam_listfile(8), pam_access(8),
     etc.
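
     A lint for the options listed above, as an added example that is not part of pam_duo or
     of Duo's own tooling. It assumes Python's configparser is a close enough stand-in for
     pam_duo's INI parser; the name audit_duo_conf and the sample file are constructed here.

```python
import configparser

# Option names taken from the CONFIGURATION section of this page.
REQUIRED = ("host", "ikey", "skey")
KNOWN = set(REQUIRED) | {"groups", "failmode", "pushinfo", "http_proxy",
                         "autopush", "prompts", "fallback_local_ip", "send_gecos"}

def audit_duo_conf(text):
    """Return a list of findings for the text of a pam_duo.conf file."""
    # Assumption: configparser stands in for pam_duo's own INI parser.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable INI: {exc}"]
    if not cp.has_section("duo"):
        return ["missing [duo] section"]
    duo = cp["duo"]
    findings = []
    for key in REQUIRED:
        if not duo.get(key, ""):
            findings.append(f"required option '{key}' is missing or empty")
    for key in duo:  # a misspelled option would otherwise go unnoticed
        if key not in KNOWN:
            findings.append(f"unknown option '{key}' (typo?)")
    # The documented default is fail-open, so an absent failmode is reported too.
    failmode = duo.get("failmode")
    if failmode is None:
        findings.append("failmode not set: default 'safe' allows access on Duo errors")
    elif failmode == "safe":
        findings.append("failmode = safe allows access on Duo errors")
    elif failmode != "secure":
        findings.append(f"failmode has unrecognized value '{failmode}'")
    prompts = duo.get("prompts")
    if prompts is not None and not prompts.isdigit():
        findings.append(f"prompts is not a number: '{prompts}'")
    return findings

# Constructed sample input: placeholder credentials, one misspelled option.
SAMPLE = """\
[duo]
host = api-XXXXXXXX.duosecurity.com
ikey = PLACEHOLDER_IKEY
skey = PLACEHOLDER_SKEY
autpush = yes
prompts = three
"""

if __name__ == "__main__":
    print("\n".join(audit_duo_conf(SAMPLE)))
```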

PATTERNS

     A pattern consists of zero or more non-whitespace characters, ‘*’ (a wildcard that matches
     zero or more characters), or ‘?’ (a wildcard that matches exactly one character).

     A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be
     negated by preceding them with an exclamation mark (‘!’).  For example, to specify Duo
     authentication for all users (except those that are also admins), and for guests:

           groups = users,!wheel,!*admin guests

FILES

     /etc/duo/pam_duo.conf
               Default configuration file path

AUTHORS

     pam_duo was written by Duo Security <support@duosecurity.com>

NOTES

     When used with OpenSSH's sshd(8), only PAM-based authentication can be protected with this
     module; pubkey authentication bypasses PAM entirely. OpenSSH's PAM integration also does not
     honor an interactive pam_conv(3) conversation, prohibiting real-time Duo status messages
     (such as during voice callback).