duosecurity/duo_unix

Autopush should be configurable by device, not globally

dirkpetersen opened this issue · 2 comments

Summary

Because autopush is a global setting, it will break passcode auth (keyfobs) when enabled. This leads to autopush being disabled at many sites. However, if autopush is disabled, users will not be able to use GUI-based scp/sftp clients such as Cyberduck.

Steps to reproduce

  1. activate autopush=yes on duo unix ssh host
  2. Set "Ask me to choose an authentication method" for your cell phone at duo.xxxxx.com/ManageDuo/
  3. autopush happened anyway for the device configured in step 2.

Specs

  • OS version (ie CENTOS 7 or Ubuntu 14): CentOS 7
  • OS arch (ie 32 or 64): x86-64
  • Using pam_duo or login_duo: login_duo

For DuoUnix autopush is a global setting
https://help.duo.com/s/article/3595?language=en_US

If autopush is disabled, this message will not be displayed to users when trying to connect via Cyberduck or other GUI clients. Some clients display the message but there is no way to hit "1" to trigger the autopush.

[image]

A workaround for this problem is to deploy 2 ssh bastion hosts and enable autopush on one of them and disable it on the other one. However many organizations do not allow 2 bastion hosts. Therefore this feature should be implemented in duo and users should be able to disable autopush for each device by setting "Ask me to choose an authentication method" at duo.xxxxx.com/ManageDuo/ while autopush=yes is active on duounix.
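As an added illustration of the two-bastion workaround described above (this is not configuration from the issue author or from the duo_unix project; the `ikey`, `skey` and `host` values are placeholders, and the hostnames `bastion-push` and `bastion-passcode` are assumed names), the two `/etc/duo/login_duo.conf` files would differ only in the global `autopush` key. On the first host every login immediately sends a push, which is what GUI clients need because they cannot answer the factor prompt; on the second host the user sees the interactive prompt and can type a keyfob passcode.

```ini
; /etc/duo/login_duo.conf on bastion-push (assumed hostname)
; Push is sent automatically; GUI scp/sftp clients such as Cyberduck
; never have to answer a text prompt, but keyfob passcodes cannot be entered.
[login_duo]
ikey = PLACEHOLDER_INTEGRATION_KEY
skey = PLACEHOLDER_SECRET_KEY
host = api-PLACEHOLDER.duosecurity.com
autopush = yes
; With autopush the prompt count is irrelevant, but keep failmode explicit.
failmode = secure

; /etc/duo/login_duo.conf on bastion-passcode (assumed hostname)
; Interactive factor prompt; users can choose push, phone call or a passcode.
[login_duo]
ikey = PLACEHOLDER_INTEGRATION_KEY
skey = PLACEHOLDER_SECRET_KEY
host = api-PLACEHOLDER.duosecurity.com
autopush = no
; Number of times the user may retry the factor prompt (1-3).
prompts = 3
failmode = secure
```

Both hosts share the same Duo integration, so the only behavioural difference is which one a user connects to; the issue's point is that this per-host split is a poor substitute for a per-device setting.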

@dirkpetersen Sorry for the delay, I intended to respond a few months ago and it slipped my mind.

The tricky thing about your proposal is that not all users have access to the "duo.xxxxx.com/ManageDuo/" settings. Many organizations do not make self-service available to their users; or might not have any prompt-based integrations in use.

Do you have any more information on why, with certain programs/GUIs, you cannot send any input to the text prompt? That sounds like the root issue.

Thanks Aaron,

actually, the 3 organizations I work for all offer that self-service to their end users and it is one of the biggest selling points of Duo to end users. By default, autopush is off so it would not do any harm if duounix supported it? If self-service was not available, users would likely not even know that autopush existed.

As to why GUIs are unable to process text input from a terminal: You, I and others are working in a terminal all day long and we would find it desirable, however users (and developers) who do not like to use the terminal may react befuddled: "Why should a GUI also function as a terminal, was it not invented so that users who do not have the skills or time to do terminal could also be participating in information technology? Why do I need a horse to pull a car, it should drive without that help."

Another issue is that I could try to convince the developers of the main 5 GUI clients to process text input but wouldn't it be more efficient if this could be addressed within DUO?