We just deployed a single server solution and noticed the dual 2FA push in order to authenticate. I’ve read through the Google Authenticator method of handling the dual 2FA prompts with Master/Agent. Is there also a solution for Cisco DUO MFA to only prompt one time?
Certainly not a deal-breaker, but it would be simpler for our users. Thanks. As I mentioned, both Master and Agent are running on a single system.
@RobertHenschel Do you have any insight that you can share in regard to Duo?
Kind regards,
Martin
I don’t have a good solution if you are only using one server that is master and agent. If you can use two servers, then you can configure the authentication methods differently on the master and the agent. You can configure DUO in PAM so that it is used on the master but not on the agent. Users cannot make a direct connection to the agent without going through the master, so this should be fine from a security point of view, assuming sshd is configured so that it doesn’t allow for any other connections.
Since the master really doesn’t need many resources, you could offload it into a VM with just 2 cores and a few GB of memory. Just a thought…
Thanks, that could be an option moving forward. I appreciate the knowledge transfer. We’d have to restrict ssh logins directly to those hosts somehow so that you had to go through the master node only.
This is how I restrict normal SSH logins for all users, except for those in my super cool groups.
/etc/ssh/sshd_config.d/60-forcecommand.conf
# Apply to every user (the "*" pattern) except members of the negated groups.
# A "!" group wins: a user who is in hpc_admins and also in a normal group is exempt.
Match Group *,!superadmin,!hpc_admins,!cendio
    ForceCommand /sbin/thinlinc.sh
And /sbin/thinlinc.sh
#!/bin/bash
# sshd sets SSH_ORIGINAL_COMMAND to the command the client asked for when
# ForceCommand overrides it; it is empty for a plain interactive login.
# Hand it to ThinLinc's login handler instead of a shell.
exec thinlinc-login -c "${SSH_ORIGINAL_COMMAND}"
Hope it can help you move forward.
Kind regards,
Martin
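The two sshd tricks in this thread (Robert's suggestion to let the agent accept connections only via the master, and Martin's `Match Group` ForceCommand) both rely on how OpenSSH evaluates negated pattern lists, and the subtle part is that a negated entry wins. The following is an added Python model of that evaluation, written for this page; it is not code from the thread, from Cendio or from OpenSSH. It mirrors the logic of OpenSSH's `match.c`, `groupaccess.c` and `addrmatch.c` so the rules can be checked offline against constructed accounts. The master address `10.0.0.10`, the hostnames and the users `alice`, `bob` and `carol` with their groups are all assumptions; the agent-side `Match Address` rule is one way to implement "sshd doesn't allow for any other connections", not something the posts above prescribe.

```python
"""
Model of how sshd applies the two restrictions discussed in the thread.

Assumed configuration (10.0.0.10 is a hypothetical master address):

  On every ThinLinc host (Martin's trick):
      Match Group *,!superadmin,!hpc_admins,!cendio
          ForceCommand /sbin/thinlinc.sh

  On agents only (Robert's two-server split, Duo in PAM on the master only):
      Match Address *,!10.0.0.10
          DenyUsers *

OpenSSH semantics: a pattern list is comma separated and '!' negates an entry.
A negated match on any of the user's groups (or on the client address) wins
and the Match block does not apply; otherwise any positive match applies it.
"""
import ipaddress


def match_pattern(s: str, p: str) -> bool:
    """Glob match with '*' and '?' only, like OpenSSH match_pattern()."""
    si = pi = 0
    star_p = star_s = -1
    while si < len(s):
        if pi < len(p) and p[pi] == "*":
            star_p, star_s = pi, si       # remember where '*' started matching
            pi += 1
        elif pi < len(p) and p[pi] in ("?", s[si]):
            si += 1
            pi += 1
        elif star_p >= 0:
            star_s += 1                   # let the last '*' absorb one more char
            si, pi = star_s, star_p + 1
        else:
            return False
    while pi < len(p) and p[pi] == "*":
        pi += 1
    return pi == len(p)


def match_pattern_list(s: str, pattern_list: str) -> int:
    """1 = positive match, -1 = negated match (wins immediately), 0 = no match."""
    got_positive = False
    for pat in pattern_list.split(","):
        pat = pat.strip()
        if not pat:
            continue
        negated = pat.startswith("!")
        if match_pattern(s, pat[1:] if negated else pat):
            if negated:
                return -1
            got_positive = True
    return 1 if got_positive else 0


def group_block_applies(user_groups, pattern_list: str) -> bool:
    """Match Group, like ga_match_pattern_list(): checked against every group
    of the user; one negated hit exempts the user regardless of other groups."""
    found = False
    for group in user_groups:
        result = match_pattern_list(group, pattern_list)
        if result == -1:
            return False
        if result == 1:
            found = True
    return found


def address_block_applies(addr: str, address_list: str) -> bool:
    """Match Address, like addr_match_list(): entries are CIDR blocks or host
    addresses; anything that does not parse falls back to wildcard matching."""
    ip = ipaddress.ip_address(addr)
    got_positive = False
    for entry in address_list.split(","):
        entry = entry.strip()
        if not entry:
            continue
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        try:
            hit = ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            hit = match_pattern(addr, entry)   # e.g. "*" or "10.0.0.*"
        if hit:
            if negated:
                return False
            got_positive = True
    return got_positive


MASTER_ADDR = "10.0.0.10"                         # assumption, not a real host
FORCE_GROUPS = "*,!superadmin,!hpc_admins,!cendio"
AGENT_DENY_FROM = f"*,!{MASTER_ADDR}"


def login_outcome(groups, src_addr: str, role: str) -> str:
    """What sshd does with a login: 'denied', 'thinlinc' (ForceCommand) or 'shell'."""
    if role == "agent" and address_block_applies(src_addr, AGENT_DENY_FROM):
        return "denied"          # DenyUsers * inside the Match Address block
    if group_block_applies(groups, FORCE_GROUPS):
        return "thinlinc"        # ForceCommand /sbin/thinlinc.sh
    return "shell"


# Constructed sample accounts; none of these are real users.
USERS = {
    "alice": ["users", "project1"],   # ordinary user
    "bob":   ["users", "hpc_admins"],  # admin who is also in a normal group
    "carol": ["cendio"],               # vendor/support account
}
```

The point worth checking on a real host is the `bob` case: being in `users` does not pull him back into the ForceCommand, because the negated `hpc_admins` entry wins; and with the agent rule, a direct connection from anywhere except the master address is refused before any group logic runs. `sshd -T -C user=bob,host=agent1,addr=10.0.0.10` prints the effective `forcecommand` and `denyusers` values for a given user and client address, so you can confirm both rules without logging in. The agent rule matches on the client address, so it only holds if every legitimate agent login really arrives from the master, as Robert's post assumes.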
Thank you @RobertHenschel and @Martin, I really appreciate the knowledge transfer. The ssh restriction is really useful to add to my “bag of tricks” since sssd restrictions apply to more than just ssh logins. I really appreciate the time.