4:23 PM - Enable Duo 2FA for SSH on MidnightBSD
Enabling two factor authentication on MidnightBSD for SSH.
Recently, we added a security/duo port in mports.
When setting up two factor authentication, we recommend using the login duo setup. It's much easier to get going and we noticed some segfaults with the duo pam module.
Steps:
Setup a Duo account
Install the security/duo port. If you only want to use SSHD, you can avoid the SUID port option. However, for testing it can be helpful
Obtain the appropriate API host, skey and ikey and add them to the /usr/local/etc/login_duo.conf file.
Fix the permissions on the login_duo.conf file so that they are 600 and owned by sshd if you are only using with SSHD. if you did choose SUID option in the mport, then own by root.
In the /etc/ssh/sshd_config, you will need to add a line with ForceCommand /usr/local/sbin/login_duo
If you wish to protect all logins, you can leave ForceCommand line global. However, you can also choose to only protect certain users or groups. For instance, if you want to protect the wheel group for admins
Match group wheel ForceCommand /usr/local/sbin/login_duo
Duo also has instructions on setting up on FreeBSD and this works with MidnightBSD as well.
Login Duo https://duo.com/docs/loginduo
PAM https://duo.com/docs/duounix
Using it
When logging into ssh the first time, you'll get an activation link that you'll want to load in a browser. It will walk you through configuring your phone. You'll probably want the duo app installed so you can do push notifications.
After that, you'll see a menu asking if you want a push as you attempt to ssh into a box.