Fri, 3 Jul 2020

4:23 PM - Enable Duo 2FA for SSH on MidnightBSD

Enabling two-factor authentication for SSH logins on MidnightBSD.

Recently, we added a security/duo port to mports.

When setting up two-factor authentication, we recommend using the login_duo setup rather than the PAM module. It's much easier to get going, and we noticed some segfaults with the Duo PAM module.

Steps:

Set up a Duo account.

Install the security/duo port. If you only want to use it with sshd, you can leave the SUID port option off. However, it can be helpful for testing.

Obtain the appropriate API host, skey and ikey and add them to the /usr/local/etc/login_duo.conf file.

Fix the permissions on the login_duo.conf file so that it is mode 600 and owned by sshd if you are only using it with sshd. If you chose the SUID option in the mport, make it owned by root instead.

In the /etc/ssh/sshd_config, you will need to add a line with ForceCommand /usr/local/sbin/login_duo

If you wish to protect all logins, you can leave the ForceCommand line global. However, you can also choose to protect only certain users or groups. For instance, to protect the wheel group used by admins:

Match group wheel
        ForceCommand  /usr/local/sbin/login_duo
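To check the two settings these steps depend on, here is an added example (not from the original post, and not part of the Duo or MidnightBSD projects): a POSIX sh script that verifies login_duo.conf is mode 600 and owned by the expected user, and reports whether the login_duo ForceCommand applies globally or only inside a Match block. The sample config contents, placeholder keys and the temporary paths are constructed for the demo; the [duo] section keys follow the login_duo.conf format.

```shell
#!/bin/sh
# Added example (not from the post): checks the two settings the steps
# above depend on, the login_duo.conf permissions and where ForceCommand
# takes effect in sshd_config. Uses only POSIX find(1) and awk(1).

# Pass only if FILE is a regular file, mode exactly 0600, owned by OWNER
# (sshd for the non-SUID port, root if the SUID option was chosen).
check_duo_conf_perms() {
    [ -n "$(find "$1" -type f -perm 600 -user "$2" 2>/dev/null)" ]
}

# Print where ForceCommand .../login_duo applies: "global" when set before
# any Match line, "match:<criteria>" for each Match block that sets it.
# Keywords after a Match line belong to that block until the next Match,
# so a ForceCommand placed there protects only the matched users.
login_duo_scope() {
    awk '
        tolower($1) == "match" { scope = "match:" $2 " " $3; next }
        tolower($1) == "forcecommand" && $NF ~ /\/login_duo$/ {
            print (scope == "" ? "global" : scope)
        }' "$1"
}

# Constructed sample files with placeholder keys, not real Duo credentials.
write_samples() {
    cat > "$1/login_duo.conf" <<'EOF'
[duo]
ikey = PLACEHOLDER_INTEGRATION_KEY
skey = PLACEHOLDER_SECRET_KEY
host = api-PLACEHOLDER.duosecurity.com
EOF
    chmod 600 "$1/login_duo.conf"
    cat > "$1/sshd_config" <<'EOF'
PermitRootLogin no
Match group wheel
        ForceCommand  /usr/local/sbin/login_duo
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
if check_duo_conf_perms "$dir/login_duo.conf" "$(id -un)"; then
    echo "login_duo.conf permissions OK"
else
    echo "login_duo.conf must be mode 600 and owned by the expected user" >&2
fi
login_duo_scope "$dir/sshd_config"    # prints: match:group wheel
rm -r "$dir"
```

Against the real files, run the two functions with /usr/local/etc/login_duo.conf and /etc/ssh/sshd_config, and validate the sshd_config syntax with sshd -t before restarting sshd.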

Duo also has instructions for setting this up on FreeBSD, and they work on MidnightBSD as well.

Login Duo https://duo.com/docs/loginduo

PAM https://duo.com/docs/duounix

Using it

When logging in over ssh for the first time, you'll get an activation link that you'll want to load in a browser. It will walk you through configuring your phone. You'll probably want the Duo app installed so you can use push notifications.

After that, you'll see a menu asking if you want a push each time you attempt to ssh into the box.
