NAME
login_duo — second-factor authentication via Duo login service

SYNOPSIS
login_duo [-d] [-c file] [-h host] [-f user] [command [args...]]

DESCRIPTION
login_duo provides secondary authentication via the Duo
authentication service, executing the user's login shell or command only if
successful.
The following options are available:
If After successful Duo authentication, the user's login shell is
invoked, or if an alternate command or

CONFIGURATION
The INI-format configuration file must have a “duo” section with the following
options:
An example configuration file:

    [duo]
    host = api-deadbeef.duosecurity.com
    ikey = SI9F...53RI
    skey = 4MjR...Q2NmRiM2Q1Y
    pushinfo = yes
    autopush = yes

If installed setuid root (the default),

PATTERNS
A pattern consists of zero or more non-whitespace characters, ‘*’ (a wildcard that matches zero or more characters), or ‘?’ (a wildcard that matches exactly one character).

A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark (‘!’). For example, to specify Duo authentication for all users (except those that are also admins), and for guests:

    groups = users,!wheel,!*admin guests

EXAMPLES
login_duo can be enabled system-wide by specifying its
full path as a ForceCommand in
sshd_config(5)
to capture any SSH remote login (including subsystems, remote commands, and
interactive login):

    ForceCommand /usr/local/sbin/login_duo

Similarly, a group of administrators could require two-factor
authentication for login to a shared root account by specifying

    command="/usr/local/sbin/login_duo -f alice" ssh-rsa AAAAB2...19Q== alice@example.net
    command="/usr/local/sbin/login_duo -f bob" ssh-dss AAAAC3...51R== bob@example.net

A user without root access could configure their own account to
require Duo authentication via the same
~/.ssh/authorized_keys forced command mechanism and
a user-installed (non-setuid)

FILES

AUTHORS
login_duo was written by Duo
Security ⟨support@duosecurity.com⟩

NOTES
When used to protect remote SSH access, only interactive sessions support interactive Duo login. For scp(1), sftp(1), rsync(1), and other ssh(1) remote commands, login_duo automatically tries the
user's default out-of-band factor (smartphone push or voice callback) and
disables real-time login progress reporting to provide a clean shell
environment.
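
The pattern-list rules from PATTERNS, as an added example that is not part of login_duo or of this manual page: a Python check that evaluates the page's example groups value against constructed accounts to show which ones the negated patterns exempt from Duo. The function names, the sample accounts, and the rule that a negated match on any of a user's groups vetoes that pattern-list are assumptions drawn from the wording of the example, not from Duo's source.

```python
import re


def pattern_matches(pattern, name):
    # Per PATTERNS: '*' matches zero or more characters, '?' exactly one;
    # every other character is literal.
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, name, re.DOTALL) is not None


def match_pattern_list(name, pattern_list):
    """Return 1 for a positive match, -1 for a negated match, 0 for none."""
    result = 0
    for pattern in pattern_list.split(","):
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if pattern_matches(pattern, name):
            if negated:
                return -1  # a negated hit overrides any positive hit
            result = 1
    return result


def duo_required(user_groups, groups_value):
    """Assumed semantics: whitespace separates pattern-lists, any list may
    select the user, and a negated hit on any group vetoes that list."""
    for pattern_list in groups_value.split():
        verdicts = [match_pattern_list(g, pattern_list) for g in user_groups]
        if -1 not in verdicts and 1 in verdicts:
            return True
    return False


GROUPS_VALUE = "users,!wheel,!*admin guests"  # value from the page's example

# Constructed sample accounts and group memberships (not real data).
SAMPLE_ACCOUNTS = {
    "alice": ["users"],
    "bob": ["users", "wheel"],
    "carol": ["users", "dbadmin"],
    "dave": ["guests"],
    "erin": ["staff"],
}


def exempt_accounts(accounts=SAMPLE_ACCOUNTS, groups_value=GROUPS_VALUE):
    # Accounts that would log in without a second factor under this value.
    return sorted(u for u, g in accounts.items() if not duo_required(g, groups_value))
```

Reviewing the exempt list after every change to the groups value makes it visible when a broad negated wildcard such as `!*admin` removes more accounts from two-factor coverage than intended.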