2FA
I'm working on SaaS things lately and I decided to check out the SaaS-based 2FA providers. I did a Google search for "SaaS 2FA" and the first result I got was Duo Security, which happens to be based in my home state of Michigan!
Taking a look at their website, they have quite a few integrations. One of them is PAM support, so I thought I'd check that out. I fired up a CentOS VM and followed their docs, and within about 5 minutes I had two-factor auth enabled for my Linux VM.
First, I needed to grab some dependencies since I was running CentOS minimal, mainly a C compiler and both the pam-devel and openssl-devel libraries.
$ yum group install "Development Tools"
$ yum install pam-devel
$ yum install openssl-devel
Once that was completed, I grabbed the source and built the Duo Unix package with PAM support.
$ wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
$ tar zxf duo_unix-latest.tar.gz
$ cd duo_unix-1.9.18
$ ./configure --with-pam --prefix=/usr && make && sudo make install
Next, I modified the /etc/pam.d/sshd config file:
auth required pam_env.so
auth sufficient pam_duo.so
auth required pam_deny.so
and changed the value of ChallengeResponseAuthentication in my /etc/ssh/sshd_config file to yes.
ChallengeResponseAuthentication yes
Finally, I restarted sshd:
$ systemctl restart sshd
Once I tried to log in via SSH, I was prompted to enroll at the URL given. I loaded that up in the browser and entered my phone number.
I opened a new SSH session and got the 2FA prompts.
I selected the push option and got a notification on my phone almost immediately.
Pretty cool.
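A quick way to audit the two files edited above, as an added example that is not part of the original post or Duo's own tooling: the function names and result strings are made up for this sketch. It checks that nothing in the auth stack can grant access before pam_duo.so is reached, that a failed Duo check ends in pam_deny.so, and which challenge-response value sshd will actually use.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Both functions read a file on stdin:
#   check_pam_auth < /etc/pam.d/sshd
#   check_sshd_challenge < /etc/ssh/sshd_config

# Walk the auth lines in stack order. Prints "ok" when pam_duo.so cannot be
# skipped and a Duo failure is denied; otherwise prints the reason.
# Limitation: bracketed [value=action] control fields are not parsed.
check_pam_auth() {
    awk '
        $1 != "auth" { next }                  # comments, blanks, other types
        { ctl = $2; mod = $3 }
        mod ~ /(^|\/)pam_duo\.so$/ { duo = ctl; next }
        # A "sufficient" success ends the stack, so Duo would never be asked.
        duo == "" && ctl == "sufficient" { res = "bypass-before-duo:" mod; exit }
        # An included stack may contain such a module; flag it for review.
        duo == "" && ctl == "include" { res = "review-include:" mod; exit }
        duo == "sufficient" && ctl == "sufficient" { res = "fallback-after-duo:" mod; exit }
        duo == "sufficient" && mod ~ /(^|\/)pam_deny\.so$/ &&
            (ctl == "required" || ctl == "requisite") { deny = 1; exit }
        END {
            if (res != "") print res
            else if (duo == "") print "duo-missing"
            else if (duo == "required" || duo == "requisite") print "ok"
            else if (duo == "sufficient" && deny) print "ok"
            else print "fails-open"            # failed Duo is ignored, nothing denies
        }'
}

# sshd uses the first value it finds for a keyword, and keywords are
# case-insensitive. Only the global section (before any Match block) is read.
# KbdInteractiveAuthentication is the newer OpenSSH name for the same option.
check_sshd_challenge() {
    awk '
        { k = tolower($1) }
        k == "match" { exit }
        k == "challengeresponseauthentication" || k == "kbdinteractiveauthentication" {
            val = tolower($2); exit }
        END { print (val == "" ? "unset" : val) }'
}

# Constructed sample: the three-line stack from the post.
printf 'auth required pam_env.so\nauth sufficient pam_duo.so\nauth required pam_deny.so\n' |
    check_pam_auth
```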