Multi-Factor Authentication for ssh with Duo Security

Some time ago we realized general ssh access was increasingly becoming a security vulnerability. At some sites I’d witnessed a near non-stop stream of dictionary attacks. For large organizations, supporting many logins, it was no longer possible to offer offsite ssh without another layer of security like a VPN or the use of a IPS/IDS. Unfortunately these implementations were often complicated to install, adopt, and use, and additionally cost prohibitive and impractical for smaller organizations or home use. There are some excellent projects like Denyhosts and a variety of measures one can take to make ssh more secure, yet ultimately a sound site instilled with a modern security model will offer multiple layers of security.

Multiple layers of security for ssh is otherwise called Multi-Factor authentication. This has typically been an expensive and complicated operation requiring some sort of commercial, enterprise grade hardware and low level operating system configuration. There’s also the issue of whether the security solution at hand is easy enough for legitimate participants to use.

So enter Duo Security. At the time of this writing their front page boasts “Simple 15 minute setup” and “No hardware or software required.” Additionally their Pricing page notes “Up to 10 users Free!” Since I’m a big fan of free-teir and always looking for a means to enhance security and test claims like “simple 15 minute setup” I was obliged to investigate further. What is most attractive about this project is the variety of means to deliver token authentication without additional hardware. That is, messaging is done to a (mobile) phone via text, app, or computerized phone call. So theoretically this could be done via landline or without a “phone” at all using Skype or Google Voice.

This post then is a quick instructional as to how I accomplished this very simple and inexpensive multi-factor enhancement. This discussion will involve ssh specifically, and adds a section on using a Match block in an sshd configuration to bypass the additional authentication for a local (or other friendly) network. Note that Duo Security not only serves ssh authentication but also web based applications in languages like PHP, Python, Ruby and others. Some really simple solutions are offered for WordPress and Drupal CMS, and Juniper, Cisco, and SonicWall VPNs.

More detailed instructions (recommended) are available at the Duo Security website.

1. Identify SSH configuration: Verify which files are involved in the SSH configuration and that making modifications to the running sshd will not disturb ongoing functionality. In other words, be careful of locking yourself out. In many cases, as it is with Fedora (and related) Linux, SSH configuration is /etc/ssh/sshd_config

2. Install pre-requisites for login_duo:

yum install gcc libcurl curl-devel openssl-devel

3. Build login_duo:

tar -xvzf duo_unix-1.6.tar.gz
./configure; make; make install

4. Test configuration:

/usr/local/sbin/login_duo echo FOO

5. Optional – Use Match block in SSH configuration to bypass login_duo for local or friendly networks:

ACHTUNG: Some Linux distros ship with a backport of openssh and ‘Match’ is not available. Please see ‘REBUILD OPENSSH’ below for details.

Note: This must be the very last line in the SSH configuration. There is no closing block.

Match Address *,!
ForceCommand /usr/local/sbin/login_duo

Note (other): Here’s a discussion regarding how Match may be used to disable ForceCommand:

Note (another): Also, from the sshd_config manual page:

The match patterns may consist of single entries or comma-separated lists and may use the wildcard and negation operators described in the PATTERNS section of ssh_config.


Follow the instructions at but use this site for downloading source, etc.

Packaging OpenSSH on CentOS