NAMEpam_duo - PAM module for Duo authentication
DESCRIPTIONpam_duo provides secondary authentication (typically after successful password-based authentication) through the Duo authentication service.
OPTIONSOnly one PAM module configuration option is supported: conf Specify an alternate configuration file to load.
CONFIGURATIONThe INI-format configuration file must have a ''duo'' section with the following options: ikey Duo integration key (required). skey Duo secret key (required). group Skip Duo authentication for users not in a specific Unix group. minuid Skip Duo authentication for users below a specified user ID. failmode On service or configuration errors that prevent Duo authentication, fail ''safe'' (allow access) or ''secure'' (deny access). Default is ''safe''. host Override Duo API host for debugging. An example configuration file: [duo] ikey=SI9F...53RI skey=4MjR...Q2NmRiM2Q1Y minuid=500 Other authentication restrictions may be implemented using pam_listfile(8), pam_access(8), etc.
FILES/etc/duo/pam_duo.conf Default configuration file path
AUTHORSpam_duo was written by Duo Security <firstname.lastname@example.org>
NOTESWhen used with OpenSSH's sshd(8), only PAM-based authentication can be protected with this module; pubkey authentication bypasses PAM entirely. OpenSSH's PAM integration also does not honor an interactive pam_conv(3) conversation, prohibiting real-time Duo status messages (such as during voice callback). PAM_DUO(8)