These instructions explain how to install Duo on a stock system. The Information Security Office (ISO) encourages you to share advanced configurations with the Stanford Linux users community.

Installation instructions

1. Before you install Duo, create a verified recoverable backup of the server (strongly recommended).
2. Obtain your API keys (integration key and secret key) and Duo API hostname, which you need to integrate with the Stanford University Duo installation. You can either generate the keys and hostname yourself or submit a request for them.
   • To generate the keys and hostname yourself:
     • Authenticate yourself via Kerberos (i.e., kinit) if you have not already done so.
     • Install wallet if you have not already done so.
     • Run the following command, where “yourcomputer.domain.com” is replaced with the fully-qualified domain name of the node:

       wallet get duo-pam yourcomputer.domain.com
       [duo]
       ikey = aq1sw2de3fr4gt5hy6ju7ki8lo9
       skey = 1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik
       host = api-123456789.duosecurity.com

3. Install the prerequisite software, OpenSSL and libpam (relevant installation instructions for Linux systems are excerpted below from the Duo website at duo.com/docs/duounix):
   • For Ubuntu and Debian:

     apt-get install libssl-dev libpam-dev

   • For Red Hat and CentOS:

     yum install openssl-devel pam-devel
     

4. Download Duo for Unix (this requires an Internet connection):

   wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
   tar zxf duo_unix-latest.tar.gz
   

5. Install Duo with PAM from inside the Duo folder:

   cd duo_unix-*
   ./configure --with-pam --prefix=/usr && make && sudo make install
   

6. Edit your /etc/ssh/sshd_config file to include the following lines:

   ChallengeResponseAuthentication yes
   PasswordAuthentication yes
   UsePAM yes
   

7. Edit your PAM configuration to match the recommendations for your distribution. You can find per-distribution PAM settings at duo.com/docs/duounix.This is an example of how your /etc/pam.d/common-auth file could look:

   auth    [success=2 default=die]    pam_krb5.so minimum_uid=1000
   auth    [success=2 default=die]    pam_unix.so nullok_secure try_first_pass
   
   auth    requisite            pam_deny.so
   
   auth    required            pam_duo.so
   auth    required            pam_permit.so
   
   auth    optional            pam_afs_session.so
   

   Note: This example is intended for systems authenticating with Kerberos. The last line is used to auth against afs. If you are not running afs, the last line is probably not needed.

8. Edit API host and keys /etc/duo/pam_duo.conf (or /etc/security/pam_duo.conf, depending on your distro) and insert the values from step 2.
   Example:

   [duo]
   ; Duo API host
   host = api-123456789.duosecurity.com
   ; Duo integration key
   ikey = aq1sw2de3fr4gt5hy6ju7ki8lo9
   ; Duo secret key
   skey = 1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik
   

9. Restart SSH.
10. Ensure that you can SSH in from a new session, to avoid getting locked out.
11. If you can SSH to the system and are prompted to use Duo, installation is complete.