provides secondary authentication via the Duo authentication service,
executing the user's login shell or command only if successful.
The following options are available:
Specify an alternate configuration file to load.
Specify the IP address from which the user is authenticating.
Specify an alternate Duo user to authenticate as.
is installed setuid root (the default), these options are
only available to the super-user.
After successful Duo authentication, the user's login shell is
invoked, or if an alternate
environment variable is specified, it will be executed via the user's
shell with a -c option.
The INI-format configuration file must have a
section with the following options:
Duo integration key (required).
Duo secret key (required).
Skip Duo authentication for users not in a specific Unix group.
Skip Duo authentication for users below a specified user ID.
On service or configuration errors that prevent Duo authentication, fail
(allow access) or
(deny access). Default is
When used to protect remote SSH access, only interactive sessions
support interactive Duo login. For
automatically tries the user's default out-of-band factor
(smartphone push or voice callback) and disables real-time login
progress reporting to provide a clean shell environment.