Cloud security

Some Background

I keep a private development server (on DigitalOcean) running FreeBSD. None of the users have passwords; I only use certificate-based authentication to get in.

Ever since I first heard of Duo (https://www.duosecurity.com/product) I’ve wanted to integrate it into some of my projects. I figured hey, why not start with my dev server!

Getting Started

Honestly, Duo has done an amazing job at making the process extremely easy.

First, create your free account at https://signup.duosecurity.com/.

In the process, you will want to download their app to your phone (if you want to use push notifications, otherwise you can use SMS).

After you have followed the wizard, you are ready to integrate it into your system, your application, or whatever else you want.

Integrating Duo with FreeBSD

After signing in to the Duo administrative dashboard, simply create a new Integration and choose UNIX Integration. Then, at the top of the page, click the Duo Unix documentation link and follow the guide. Consistent with everything Duo has done so far, it is both thorough and clear.

I chose only to integrate Duo with SSH, not with PAM. So for me I simply had to:

  1. Download duo_unix (https://dl.duosecurity.com/duo_unix-latest.tar.gz)
  2. Compile and install it
  3. Configure /etc/duo/login_duo.conf with the keys generated on your integration page
  4. Execute /usr/sbin/login_duo to test the configuration
  5. Add this to my sshd_config:
    ForceCommand /usr/sbin/login_duo

That’s it! Now I log in to my server with my SSH key, approve the login on my phone, and I’m good to go!

I’ve chosen to configure login_duo.conf to automatically choose push notifications (as opposed to SMS or phone call), and also configured it to only be enabled for the wheel group. For reference, here is my configuration:

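[duo]
; Duo integration key
ikey = ***
; Duo secret key
skey = ***
; Duo API host
host = ***
; Include the command being run in the Duo Push request
pushinfo = yes
; Require Duo only for members of this group
group = wheel
; Send a push automatically instead of prompting for a method
autopush = yes
; Maximum number of authentication prompts before access is denied
prompts = 1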
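
One way to check the setup described above, as an added example that is not part of the original post or of Duo's tooling: a shell function that reads sshd_config and login_duo.conf and flags settings that weaken the second factor. The function names, messages and sample files are constructed for illustration; failmode, AllowTcpForwarding and PermitTunnel are real options that the post does not set.

```shell
#!/bin/sh
# Added example (not from the original post): audit the SSH + login_duo setup above.
# Reads the files directly; global directives only, Match blocks are not evaluated.

sshd_value() {   # first uncommented value of keyword $2 in sshd_config $1 (first one wins)
  awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

duo_value() {    # value of "key = value" for key $2 in login_duo.conf $1
  awk -F= -v k="$2" '{ key = $1; gsub(/[ \t]/, "", key) }
    key == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

audit_duo_ssh() {   # $1 = sshd_config, $2 = login_duo.conf; returns 1 if anything is flagged
  findings=0
  note() { echo "FINDING: $*"; findings=$((findings + 1)); }

  case $(sshd_value "$1" ForceCommand) in
    */login_duo) ;;
    *) note "ForceCommand does not run login_duo" ;;
  esac
  # ForceCommand only covers sessions that run a command; forwarding is switched off separately.
  for pair in AllowTcpForwarding=yes PermitTunnel=no; do   # keyword=OpenSSH default
    v=$(sshd_value "$1" "${pair%%=*}" | tr 'A-Z' 'a-z')
    [ "${v:-${pair#*=}}" = no ] || note "${pair%%=*} is not 'no'"
  done
  # The file holds skey, so group/other must have no access.
  [ "$(ls -ld "$2" | cut -c5-10)" = "------" ] || note "$2 is accessible to group/other"
  # Duo's default failmode is 'safe': logins are allowed if the Duo service is unreachable.
  [ "$(duo_value "$2" failmode)" = secure ] || note "failmode is not 'secure' (fails open)"
  g=$(duo_value "$2" group)
  [ -z "$g" ] || echo "INFO: Duo is only required for group(s): $g"
  [ "$findings" -eq 0 ]
}

# Constructed sample files mirroring the post (placeholder keys), then one run.
demo=$(mktemp -d)
printf 'ForceCommand /usr/sbin/login_duo\n' > "$demo/sshd_config"
printf '[duo]\nikey = PLACEHOLDER\nskey = PLACEHOLDER\nhost = PLACEHOLDER\n' > "$demo/login_duo.conf"
printf 'pushinfo = yes\ngroup = wheel\nautopush = yes\nprompts = 1\n' >> "$demo/login_duo.conf"
chmod 600 "$demo/login_duo.conf"
audit_duo_ssh "$demo/sshd_config" "$demo/login_duo.conf" || true
```

On a live host, `sshd -T` prints the effective configuration, defaults included, and is the authoritative source for the same keywords.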

What’s Next?

Next, I might choose to integrate Duo with PAM (documented in the same integration guide), add it to WordPress, add it to my own applications, who knows?! Either way, I’m certainly impressed with what Duo has come up with.