Duo stopped working on Ubuntu 18 - file permissions issue
jherskovic opened this issue · 5 comments
Summary
We use Duo to authenticate SSH logins to Ubuntu 18.04LTS servers with the latest patches. We use the dead-simple
ForceCommand /opt/duo/sbin/login_duo
in sshd_config to achieve this.
A couple of weeks ago, our Ubuntu systems started erroring out with
/etc/duo/login_duo.conf must be readable only by user '<whoever's trying to log in>'
which is clearly not possible when sshd is executed by the end-user account.
Steps to reproduce
- Install duo on Ubuntu 18.04LTS with ForceCommand
- Watch it fail
Specs
- Ubuntu 18.04.5 LTS
- OS arch (i.e. 32 or 64): 64 bit
- Using pam_duo or login_duo: login_duo
Hello, can you verify that login_duo.conf is owned by the sshd user and that they have read/write permissions for the file? We would also encourage you to use pam_duo instead of login_duo for protecting sshd.
The sshd owner is root, so the file's owned by root:root, with chmod 644.
My organization doesn't support pam_duo, but I will look into it.
Thanks
Try changing the owner of login_duo.conf to sshd:root and see if that fixes your issue.
Thanks, that did the trick.
I'm glad it's working. I'm going to close out this issue.