PAM_DUO

Section: Maintenance Commands (8) Local index Up

BSD mandoc

NAME

pam_duo - PAM module for Duo authentication

SYNOPSIS

pam_duo.so [conf= Aq FILENAME ]

DESCRIPTION

provides secondary authentication (typically after successful password-based authentication) through the Duo authentication service.

OPTIONS

Only one PAM module configuration option is supported:

conf: Specify an alternate configuration file to load.

CONFIGURATION

The INI-format configuration file must have a ``duo '' section with the following options:

ikey: Duo integration key (required).
skey: Duo secret key (required).
group: Skip Duo authentication for users not in a specific Unix group.
minuid: Skip Duo authentication for users below a specified user ID.
failmode: On service or configuration errors that prevent Duo authentication, fail ``safe '' (allow access) or ``secure '' (deny access). Default is ``safe ''
host: Override Duo API host for debugging.

An example configuration file:

[duo]
ikey=SI9F...53RI
skey=4MjR...Q2NmRiM2Q1Y
minuid=500

Other authentication restrictions may be implemented using pam_listfile8, pam_access8, etc.

FILES

/etc/duo/pam_duo.conf: Default configuration file path

AUTHORS

was written by An Duo Security Aq duo_unix@duosecurity.com

NOTES

When used with OpenSSH's sshd(8), only PAM-based authentication can be protected with this module; pubkey authentication bypasses PAM entirely. OpenSSH's PAM integration also does not honor an interactive pam_conv3 conversation, prohibiting real-time Duo status messages (such as during voice callback).

This document was created by man2html, using the manual pages.
Time: 08:00:59 GMT, June 15, 2011