FreeBSD Manual Pages

LOGIN_DUO(8)		FreeBSD	System Manager's Manual		  LOGIN_DUO(8)

     login_duo -- second-factor	authentication via Duo login service

     login_duo [-d] [-c	file] [-h host]	[-f user] [command [args...]]

     login_duo provides	secondary authentication via the Duo authentication
     service, executing	the user's login shell or command only if successful.

     The following options are available:

     -c	       Specify an alternate configuration file to load.	Default	is

     -d	       Debug mode; send	logs to	stderr instead of syslog.

     -h	       Specify the remote IP address for this login (normally taken
	       from the	SSH_CONNECTION environment variable, if	set).

     -f	       Specify an alternate Duo	user to	authenticate as.

     If	login_duo is installed setuid root (the	default), these	options	are
     only available to the super-user.

     After successful Duo authentication, the user's login shell is invoked,
     or	if an alternate	command	or SSH_ORIGINAL_COMMAND	environment variable
     is	specified, it will be executed via the user's shell with a -c option.

     The INI-format configuration file must have a "duo" section with the fol-
     lowing options:

     host      Duo API host (required).

     ikey      Duo integration key (required).

     skey      Duo secret key (required).

     groups    If specified, Duo authentication	is required only for users
	       whose primary group or supplementary group list matches one of
	       the space-separated pattern-lists (see PATTERNS below).

     failmode  On service or configuration errors that prevent Duo authentica-
	       tion, fail "safe" (allow	access)	or "secure" (deny access). De-
	       fault is	"safe".

     pushinfo  Send command to be approved via Duo Push	authentication.	De-
	       fault is	"no".

	       Use the specified HTTP proxy, same format as the	HTTP_PROXY en-
	       vironment variable.

     autopush  Upon successful first-factor authentication, automatically send
	       a login request to the primary second-factor (usually Duo
	       Push). Can be "yes" or "no".  Default is	"no".

     motd      Print the contents of /usr/local/etc/motd to screen after a
	       successful login. Either	"yes" or "no".	Default	is "no".

     prompts   Number of login attempts	a user gets. Default is	3. If using
	       autopush, it is recommended to set prompts to 1.

	       Look for	factor selection or passcode in	the DUO_PASSCODE envi-
	       ronment variable, before	prompting the user. Can	override auto-
	       push. Default is	"no".

	       If unable to determine the authenticating user's IP address,
	       fallback	on the IP address of the server. Default is "no".

	       Set to the number of seconds to wait for	HTTPS responses	from
	       Duo Security. If	Duo Security takes longer than the configured
	       number of seconds to respond to the preauth API call, the con-
	       figured failmode	is triggered. Other network operations such as
	       DNS resolution, TCP connection establishment, and the SSL hand-
	       shake have their	own independent	timeout	and retry logic. De-
	       fault is	0, which disables the HTTPS timeout.

     An	example	configuration file:

	     host =
	     ikey = SI9F...53RI
	     skey = 4MjR...Q2NmRiM2Q1Y
	     pushinfo =	yes
	     autopush =	yes

     If	installed setuid root (the default), login_duo performs	Duo authenti-
     cation as a dedicated privilege separation	user, requiring	that the con-
     figuration	file be	owned and readable only	by this	user.

     A pattern consists	of zero	or more	non-whitespace characters, `*' (a
     wildcard that matches zero	or more	characters), or	`?' (a wildcard	that
     matches exactly one character).

     A pattern-list is a comma-separated list of patterns. Patterns within
     pattern-lists may be negated by preceding them with an exclamation	mark
     (`!').  For example, to specify Duo authentication	for all	users (except
     those that	are also admins), and for guests:

	   groups = users,!wheel,!*admin guests
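     As an added example (not login_duo's own code), the following Python
     model evaluates a "groups" setting against a user's group list using
     only the `*' and `?' wildcards and `!' negation described above. It
     assumes OpenSSH-style pattern-list semantics: within one pattern-list a
     negated match on any of the user's groups wins over a positive match,
     and Duo is required if any of the space-separated pattern-lists matches.

```python
"""Model of login_duo 'groups' pattern-list evaluation (added example)."""


def match_pattern(pattern: str, name: str) -> bool:
    """Match name against pattern; only '*' and '?' are special."""
    if not pattern:
        return name == ""
    if pattern[0] == "*":
        # '*' matches zero or more characters: try every split point
        return any(match_pattern(pattern[1:], name[i:])
                   for i in range(len(name) + 1))
    if not name:
        return False
    if pattern[0] == "?" or pattern[0] == name[0]:
        return match_pattern(pattern[1:], name[1:])
    return False


def match_pattern_list(pattern_list: str, name: str) -> int:
    """Return -1 if a negated pattern matches name, 1 if a positive
    pattern matches and no negated one does, 0 if nothing matches."""
    result = 0
    for pattern in pattern_list.split(","):
        if not pattern:
            continue
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if match_pattern(pattern, name):
            if negated:
                return -1
            result = 1
    return result


def duo_required(groups_setting: str, user_groups) -> bool:
    """True if any space-separated pattern-list matches the user's
    primary and supplementary groups (assumed OpenSSH-style rule:
    a negated match on any group defeats that pattern-list)."""
    for pattern_list in groups_setting.split():
        found = False
        vetoed = False
        for group in user_groups:
            r = match_pattern_list(pattern_list, group)
            if r == -1:
                vetoed = True
                break
            if r == 1:
                found = True
        if found and not vetoed:
            return True
    return False
```

     Under this model, with the setting above a member of "users" and "wheel"
     skips Duo, while a member of "guests" and "wheel" still needs it.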

     login_duo can be enabled system-wide by specifying	its full path as a
     ForceCommand in sshd_config(5) to capture any SSH remote login (including
     subsystems, remote	commands, and interactive login):

	     ForceCommand /usr/local/sbin/login_duo

     Similarly,	a group	of administrators could	require	two-factor authentica-
     tion for login to a shared	root account by	specifying login_duo as	the
     forced command for	each public key	in ~root/.ssh/authorized_keys:

	     command="/usr/local/sbin/login_duo	-f alice"
	     ssh-rsa AAAAB2...19Q==
	     command="/usr/local/sbin/login_duo	-f bob"
	     ssh-dss AAAAC3...51R==

     A user without root access	could configure	their own account to require
     Duo authentication	via the	same ~/.ssh/authorized_keys forced command
     mechanism and a user-installed (non-setuid) login_duo.

	       Default configuration file path

     login_duo was written by Duo Security <>

     When used to protect remote SSH access, only interactive sessions support
     interactive Duo login. For	scp(1),	sftp(1), rsync(1), and other ssh(1)
     remote commands, login_duo	automatically tries the	user's default out-of-
     band factor (smartphone push or voice callback) and disables real-time
     login progress reporting to provide a clean shell environment.

FreeBSD	13.0		       September 3, 2010		  FreeBSD 13.0