I keep a private development server (on DigitalOcean) running FreeBSD. None of the users have passwords; I only use certificate-based authentication to get in.
Ever since I first heard of Duo (https://www.duosecurity.com/product) I’ve wanted to integrate it into some of my projects. I figured hey, why not start with my dev server!
Honestly, Duo has done an amazing job at making the process extremely easy.
First, create your free account at https://signup.duosecurity.com/.
In the process, you will want to download their app to your phone (if you want to use push notifications, otherwise you can use SMS).
After you have followed the wizard, you are ready to integrate it into your system, your application, or whatever else you want.
After signing in to the Duo administrative dashboard, simply create a new Integration and choose UNIX Integration. Then, at the top of the page, click the Duo Unix documentation link and follow the guide. Consistent with everything Duo has done so far, it is both thorough and clear.
I chose only to integrate Duo with SSH, not with PAM. So for me I simply had to:
- Download duo_unix (https://dl.duosecurity.com/duo_unix-latest.tar.gz)
- Compile and install it
- Configure /etc/duo/login_duo.conf with the keys generated on your integration page
- Execute /usr/sbin/login_duo to test the configuration
- Add this to my sshd_config:
That’s it! Now I log in to my server with my SSH key, approve the login on my phone, and I’m good to go!
I’ve chosen to configure login_duo.conf to automatically choose push notifications (as opposed to SMS or phone call), and also configured it to be enabled only for the wheel group. For reference, here is my configuration:
    [duo]
    ; Duo integration key
    ikey = ***
    ; Duo secret key
    skey = ***
    ; Duo API host
    host = ***
    ; Send command for Duo Push authentication
    pushinfo = yes
    group = wheel
    autopush = yes
    prompts = 1
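An added example, not from the original post or from Duo: a shell audit of the two files configured above, checking that sshd actually forces login_duo and that the file holding skey is private. It assumes the sshd_config follows Duo's documented login_duo setup (ForceCommand /usr/sbin/login_duo with PermitTunnel no and AllowTcpForwarding no); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit a login_duo SSH setup.
# Usage: audit_duo_ssh /etc/ssh/sshd_config /etc/duo/login_duo.conf

# Global-section value of an sshd_config keyword (first match wins; Match blocks are skipped).
sshd_value() {
    awk -v k="$2" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Value of "key = value" in login_duo.conf, ignoring ';' and '#' comment lines.
duo_value() {
    awk -F= -v k="$2" '/^[ \t]*[;#]/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

warn() { echo "WARN: $*"; findings=$((findings + 1)); }

# Prints findings and returns non-zero if any WARN was raised.
audit_duo_ssh() {
    sshd_conf=$1; duo_conf=$2; findings=0

    case "$(sshd_value "$sshd_conf" ForceCommand)" in
        */login_duo*) ;;
        *) warn "ForceCommand does not run login_duo" ;;
    esac
    # Forwarding channels are set up without running ForceCommand, so they must be off.
    [ "$(sshd_value "$sshd_conf" AllowTcpForwarding)" = "no" ] ||
        warn "AllowTcpForwarding is not 'no' (OpenSSH default is yes)"
    tunnel=$(sshd_value "$sshd_conf" PermitTunnel)
    [ -z "$tunnel" ] || [ "$tunnel" = "no" ] || warn "PermitTunnel is '$tunnel'"

    # login_duo.conf holds skey; group/other permission bits must be empty.
    [ "$(ls -ld "$duo_conf" | cut -c5-10)" = "------" ] ||
        warn "$duo_conf is accessible to group or other"

    grp=$(duo_value "$duo_conf" group)
    [ -z "$grp" ] || echo "NOTE: Duo applies only to group(s) '$grp'"
    [ "$(duo_value "$duo_conf" failmode)" = "secure" ] ||
        echo "NOTE: failmode is not 'secure'; logins proceed if Duo is unreachable"

    [ "$findings" -eq 0 ]
}
```

With the configuration shown above, the audit prints both NOTE lines: accounts outside wheel are not prompted by Duo, and the default failmode lets logins through when the Duo service cannot be reached.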
Next, I might choose to integrate Duo with PAM (documented in the same integration guide), add it to WordPress, add it to my own applications, who knows?! Either way, I’m certainly impressed with what Duo has come up with.