Comments (3)
The behavior of the new user access policy that you describe is documented here: https://duo.com/docs/policy#new-user-policy.
At the default setting of "Require enrollment", our service would have returned an enrollment message for the unenrolled user, preventing auth completion. It's a good idea to read through the outcomes of different new user policy settings before changing from default, especially if selecting "Allow access without 2FA".
non-enrolled accounts ought to be able to return some kind of DUNNO status
But it's not really "Dunno", it's "The policy is set to allow access without 2FA therefore access was allowed without 2FA".
Am I misunderstanding that the policy was intentionally set to allow access without 2FA?
from duo_unix.
Thanks for the prompt reply Kristina!
The behavior of the new user access policy that you describe is documented here: https://duo.com/docs/policy#new-user-policy.
Perhaps "Critical Vulnerability" was a bit harsh, but like I say, I was pretty shocked how easy it was for me to end up in a situation where ssh root@server-01
"Just Worked".
I don't know if you have control over the docs and/or webapp panels, but maybe a simple, amber-colored alert that said something like, "Note: Setting this means all attempts to log into unenrolled user accounts will succeed, possibly bypassing additional security restrictions. See the New User Policy documentation for more details." would at least suffice to raise a flag for unsuspecting sysadmins to alert them of the potential security risk. «shrug»
At the default setting of "Require enrollment", our service would have returned an enrollment message for the unenrolled user, preventing auth completion. It's a good idea to read through the outcomes of different new user policy settings before changing from default, especially if selecting "Allow access without 2FA".
So yeah, I understand what's going on; it just feels like a bouncer at a club: if you're on his list, you need an ID, but if you claim to be the President of the USA, and the President of the USA isn't on his list, he'll happily tell everybody, "Yup, he's President of the USA!"
Am I misunderstanding that the policy was intentionally set to allow access without 2FA?
Basically, our goal is to employ 2FA for administrators, but transparently fall back to password-based authentication for everybody else... When I tried either Require Enrollment
(which we don't want to have to put them through) or Deny Access
, it wouldn't allow me to enter a password at all...
ChallengeResponseAuthentiation yes
printed:
Please enroll at https://api-XXX.duosecurity.com/portal?code=CODE&akey=AKEY
# Require Enrollment
Access is not allowed because you are not enrolled in Duo. Please contact your organization's IT help desk.
# Deny Access
But then every subsequent password attempt just returned Permission denied, please try again.
ChallengeResponseAuthentication no
basically did the same, but without the error messages.
Accounts like root
seem especially pernicious, because there are a small handful of people who, in the middle of the night, might actually need to log in that way, depending on who's on duty...
Is the "Best Practice" to enroll root
as a "User" and add each person's phone? That could work, but it seems like it would run afoul of autopush
— unless there's a way to enable autopush on an account-by-account (and/or user-by-user) basis... «hmmm»
[UPDATE: I did find https://duo.com/docs/duounix-faq#can-i-use-login_duo-to-protect-a-shared-root-account? which explains how to use SSH keys to select which Duo user to authenticate as. Check!]
Another Alternative
I've discovered I can get 97% of what I want by setting:
- New User Policy:
Deny Access
-
ChallengeResponseAuthentication yes
- And adding
auth sufficient pam_unix.so nullok try_first_pass
after thepam_duo
entry in/etc/pam.d/sshd
My 3% "Nice-To-Haves" would be:
- The ability to silence the
Access is not allowed because you are not enrolled...
message — perhaps with aquiet
argument at the end of thepam_duo.so
line? (I ought to be able to patch/PR that pretty easily...) - Personally, I'd rather have SSH's more verbose
user@server-01's password:
prompt over pam_unix.so's more spartanPassword:
but "Meh." - And of course, we ALL wish it could display the
Autopushing login request to phone...
message immediately, but I understand that's likely out of your-all's hands. (#73)
Thanks again! :-D
from duo_unix.
Thanks for your detailed response. I do have control over some of the things you mention (warnings), and will pass on the other feedback.
Basically, our goal is to employ 2FA for administrators, but transparently fall back to password-based authentication for everybody else...
Another idea is to use the groups config option to include admins/exclude users.
I am going to close this issue though, as it isn't a vulnerability or problem with the application per se. When we see someone say "Critical Vulnerability" we definitely take the report seriously.
Thanks for using Duo!
from duo_unix.
Related Issues (20)
- Are there any tips as to how to get NetDrive or SSHFS to work with pam_duo? HOT 2
- Autopush should be configurable by device, not globally HOT 2
- login_duo: no selection output and automatically pushes to first phone in list with eternal terminal HOT 2
- duo_unix-1.12.1-4.el8 and setuid HOT 3
- Duo Unix 2.x RPM Digests on RHEL 8 with FIPS enabled HOT 7
- Feature request: behavior in situation of missing conf file and not member of groups directive HOT 4
- Bbbb
- More of a feature request, would like to have ,push# implemented like the Fortinet VPN module has HOT 2
- PAM_SUCCESS returned for non-duo users instead of PAM_IGNORE HOT 8
- /usr/sbin/login_duo returning no such file or directory after fresh install of duo HOT 1
- Manpages (login_duo/login_duo.8, pam_duo/pam_duo.8) hardcodes /etc instead of adjusting path according to --prefix
- Choice of the second factor should have a default value
- 8.8.8.8 DNS Server is hardcoded
- duo_unix not working with openssl 3.0.8 HOT 4
- Order of DUO Devices Displayed Incorrectly for Users with 10 or More Devices HOT 3
- Duo UNIX PAM module failing on AIX
- Wrong path for duo configuration file in duo_unix-2.0.3 HOT 4
- Autopush with password pushes prompt twice HOT 5
- https_init: result from `RAND_load_file` is unchecked
- Setting https_timeout does not invoke failsafe mode as documented
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from duo_unix.