module for Duo authentication
provides secondary authentication
(typically after successful password-based authentication) through the Duo
PAM module configuration options supported:
- Specify an alternate configuration file to load. Default is
- Debug mode; send log messages to stderr instead of
The INI-format configuration file must have a
” section with the following
- Duo API host (required).
- Duo integration key (required).
- Duo secret key (required).
- If specified, Duo authentication is required only for users
whose primary group or supplementary group list matches one of the
space-separated pattern-lists (see
- On service or configuration errors that prevent Duo
authentication, fail “
access) or “
secure” (deny access).
Default is “
- Send command to be approved via Duo Push authentication.
Default is “
- Use the specified HTTP proxy, same format as the HTTP_PROXY
- Automatically send a login request to the first factor
(usually push), instead of prompting the user. Default is
- Set the maximum number of prompts pam_duo will show before
denying access. Default is 3.
- If unable to detect the authorizing user's IP address,
fall back to the server's IP. Default is "no".
- Instead of using the unix username, send Duo the contents
of the GECOS field from /etc/passwd. Default is "no".
An example configuration file:
host = api-deadbeef.duosecurity.com
ikey = SI9F...53RI
skey = 4MjR...Q2NmRiM2Q1Y
pushinfo = yes
autopush = yes
Other authentication restrictions may be implemented using
consists of zero or more non-whitespace
characters, ‘*’ (a wildcard that matches zero or more
characters), or ‘?’ (a wildcard that matches exactly one
is a comma-separated list of
patterns. Patterns within pattern-lists may be negated by preceding them with
an exclamation mark (‘!’). For example, to specify Duo
authentication for all users (except those that are also admins), and for
groups = users,!wheel,!*admin
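The following is an added example, not code from pam_duo: it evaluates a groups setting against a set of accounts so you can see which ones end up without Duo protection. The function names and sample accounts are constructed for illustration, and it assumes that a negated match on any of a user's groups excludes the user from that pattern-list, as the example above implies.

```python
import re

def pattern_matches(pattern, name):
    """'*' matches zero or more characters, '?' exactly one; the rest is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, name, re.DOTALL) is not None

def match_pattern_list(pattern_list, name):
    """Return 1 on a positive match, -1 on a negated match, 0 on no match."""
    result = 0
    for pattern in filter(None, pattern_list.split(",")):
        negated = pattern.startswith("!")
        if pattern_matches(pattern[1:] if negated else pattern, name):
            if negated:
                return -1  # a negated hit overrides any positive match
            result = 1
    return result

def duo_required(groups_option, user_groups):
    # Assumption: a pattern-list selects a user when at least one of the
    # user's groups matches positively and none hits a negated pattern.
    # The option holds space-separated pattern-lists; any one may select.
    for pattern_list in groups_option.split():
        verdicts = [match_pattern_list(pattern_list, g) for g in user_groups]
        if -1 not in verdicts and 1 in verdicts:
            return True
    return False

# Constructed sample accounts: name -> primary and supplementary groups.
ACCOUNTS = {
    "alice": ["users"],
    "bob": ["users", "wheel"],
    "carol": ["users", "dbadmin"],
    "backup": ["backup"],
}

def audit(groups_option, accounts):
    """Map each account to True (Duo required) or False (not covered)."""
    return {user: duo_required(groups_option, grps) for user, grps in accounts.items()}

if __name__ == "__main__":
    for user, required in audit("users,!wheel,!*admin", ACCOUNTS).items():
        print(f"{user:8} {'Duo required' if required else 'NOT covered by Duo'}")
```

Accounts reported as not covered authenticate with the primary factor only, so review that list whenever the groups setting or group membership changes.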
- Default configuration file path
was written by
When used with OpenSSH's sshd(8), only PAM-based
authentication can be protected with this module; pubkey authentication
bypasses PAM entirely. OpenSSH's PAM integration also does not honor an
real-time Duo status messages (such as during voice callback).