Autopush with password pushes prompt twice

Question

Autopush with password pushes prompt twice

tilghman opened this issue 6 months ago · 5 comments

Description

When pam_duo.conf specifies autopush, and the sshd AuthenticationMethods include a combination of "password,keyboard-interactive", Duo pushes the request twice before authentication can succeed. This does NOT occur if a publickey is offered and authenticates. Also, turning off autopush similarly allows a single push to authenticate the user.

We are currently running RHEL 7 and RHEL 9, with the behavior observable on both. RHEL 7 is likely less of a concern, as it reaches EOL in under 60 days.

Expected Behavior

When autopush is turned on in combination with a password, Duo should authenticate the user after a single push.

Actual Behavior

Two pushes are sent to the user device, after which authentication succeeds.

Steps to Reproduce

Configure sshd_config with AuthenticationMethods set to "publickey,keyboard-interactive password,keyboard-interactive" (order of these options does not change the result).
Configure autopush=yes in /etc/duo/pam_duo.conf
ssh in as a user without a publickey set
Observe double push
Configure autopush=no in /etc/duo/pam_duo.conf
ssh in as a user without a publickey set
Observe a single push is sufficient for authentication.
Set an SSH key for the user.
Set autopush=yes in /etc/duo/pam_duo.conf
ssh in as a user
Observe that a single push is sufficient with a publickey providing the other half of authentication.

Workarounds

Turning off autopush is sufficient to work here. However, we would prefer to have autopush turned on.

Answer 1 · 2024-05-08T16:33:56.000Z

@tilghman I have a hunch that the issue is duo to your pam stack being run twice when not using the publickey. In that case, the "password,keyboard-interactive" clause of the sshd config is being used, and each of those options will run the PAM stack. Without more details about your pam config, I can't say for sure if that's the cause, or why exactly the autopush config changes the behavior.

Since keyboard-interactive can do everything password can do plus more, it's fairly unusual to need both things for a ssh login. Are you able to accomplish all the authentication steps under a single keyboard-interactive requirement?

Answer 2 · 2024-05-08T18:08:05.000Z

Our pam config is (almost) identical to the recommendation on the duo_unix page. Here it is:
auth required pam_sepermit.so
auth required pam_env.so
#auth substack password-auth
auth sufficient pam_duo.so
auth sufficient pam_unix.so
auth required pam_deny.so
auth include postlogin

If we comment out pam_unix.so, then password+Duo authentication fails before the Duo push is attempted.

No, we cannot use just keyboard-interactive. That would allow Duo-only to be sufficient for authentication, and we are explicitly required to use two-factor (password plus Duo or publickey plus Duo) for all administrator-privileged logins.

Answer 3 · 2024-05-09T16:35:09.000Z

@tilghman Ah, I see. We have found that if your authentication requirement for ssh is
(either pubkey OR password) AND Duo
that is virtually impossible to accomplish with pam_duo, because you need a single pam stack that does two different things in different circumstances.

Our recommendation for this use case is to implement login_duo as a ForceCommand, see https://duo.com/docs/loginduo#enable-login_duo

Answer 4 · 2024-05-09T18:29:04.000Z

I'm reading through the caveats on ForceCommand, and it scares me a bit. The point of having two-factor is to theoretically make logins more secure, not less. And the line right in the documentation is that the mitigation is to use pam_duo, not login_duo.

Also, I'm rather confused at why, when we turn autopush OFF, the problematic behavior disappears.

It sounds like autopush is buggy, and this should be either noted in the documentation or fixed.

Answer 5 · 2024-05-10T13:47:17.000Z

@tilghman I agree that login_duo is less desirable overall, but due to the behavior of sshd and PAM, that is the only way to allow either pubkey or password as a first factor, without trying to write a very complicated pam module that can persist state across pam invocations and/or detect the ssh context.

I suspect the difference in the autopush behavior comes down to your failmode configuration. With autopush disabled, during password authentication, pam_duo is unable to display the prompt (since password is non-interactive), and thus failmode is triggered. If you are failing "safe" aka "open", pam_duo will succeed.

With autopush enabled, pam_duo does not need to display the prompt and so is able to do 2FA.

Then, in either case, the keyboard-interactive authentication runs the PAM stack. pam_duo is able to display the prompt (autopush disabled) or send the push (autopush enabled) and auth resolves.