Duo

Duo integrates with a wide range of devices and applications. See below for detailed documentation, installation, and configuration information for each.

Duo in ICS

ICS Computing Support is using Duo multifactor authentication for sensitive systems management tools. Duo has not been deployed for ICS user areas yet. Please contact the ICS Helpdesk if you are interested in using Duo on ICS systems or on your own research equipment.

Connecting to Bastion Hosts

Duo MFA settings on certain bastion or gateway hosts have been configured to accept a DUO_PASSCODE in order to provide service to users with hardware tokens and poor phone connectivity.

At this time, changes have been made to emp.ics.uci.edu only.

If you are required to use a passcode when connecting to a bastion host, please set up ssh keys in order to log in to other ICS hosts without using Duo MFA.

Duo Passcode

Users may force the old behavior, an automatic push to their phone or tablet app, by setting and exporting the following variable:

DUO_PASSCODE=push

Unfortunately, there is no longer a way to skip MFA entirely when using ssh keys on bastion hosts.

Announcement

Beginning in early June 2019, in order to accommodate Duo hardware tokens and poor phone reception, users that are enrolled in Duo will be presented with the following menu when logging in:

Duo two-factor login for ____

Enter a passcode or select one of the following options:

 1. Duo Push to XXX-XXX-XXXX
 2. Duo Push to Android

Passcode or option (1-2): 
  • Users that use the Duo app should choose option 1 to continue to have Duo push to their phone.
  • Users that will use a hardware token or phone app passcode can simply enter it now.

Note about ssh-keys: All users logging into emp.ics.uci.edu will receive this prompt regardless of whether or not they are using ssh-keys. At this time we only expect to make this change on emp.ics.uci.edu and multi factor authentication prompts will not appear on other hosts for users using ssh-keys.

SendEnv DUO_PASSCODE per Application

MacOSX or Any Linux SSH Client

In your environment, set the DUO_PASSCODE variable (Linux /bin/bash shown):

export DUO_PASSCODE=push

Add the following to ~/.ssh/config or /etc/ssh/ssh_config:

SendEnv DUO_PASSCODE

Note that the above has already been added to all ICS CentOS7 hosts.

Directly from the SSH cli

Use the -o SendEnv=DUO_PASSCODE option:

ssh -o SendEnv=DUO_PASSCODE user@emp.ics.uci.edu

Putty

Navigate to Connection→Data

  • Enter variable as DUO_PASSCODE
  • Enter value as push
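For the Linux/macOS path above, the following is an added example (it is not from the ICS wiki or ICS Computing Support) of a small helper that scopes SendEnv to the bastion host in ~/.ssh/config and refuses to start ssh when DUO_PASSCODE is unset or not a recognised value. The function names and the ICS_BASTION variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the ICS page: keep DUO_PASSCODE forwarding scoped
# to the bastion and sanity-check the value before connecting.

# Assumed variable name for the example; defaults to the bastion named on the page.
ICS_BASTION="${ICS_BASTION:-emp.ics.uci.edu}"

# duo_passcode_valid VALUE -> exit 0 if VALUE is "push" or a 6-digit token code
# (the passcode length the page describes), 1 otherwise.
duo_passcode_valid() {
    case "$1" in
        push) return 0 ;;
        [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# write_duo_ssh_config FILE HOST -> append a Host block that sends DUO_PASSCODE
# only to HOST.  A bare "SendEnv DUO_PASSCODE" at top level (or under "Host *")
# forwards the variable to every server you connect to, not just the bastion.
write_duo_ssh_config() {
    file="$1"; host="$2"
    # Idempotent: skip if a block for this host is already present.
    if [ -f "$file" ] && grep -q "^Host $host\$" "$file"; then
        return 0
    fi
    {
        printf 'Host %s\n' "$host"
        printf '    SendEnv DUO_PASSCODE\n'
    } >> "$file"
    chmod 600 "$file"
}

# duo_ssh HOST -> connect, refusing to run if DUO_PASSCODE is unset or malformed
# so you are not dropped at an unexpected "Passcode or option" prompt.
duo_ssh() {
    if ! duo_passcode_valid "${DUO_PASSCODE:-}"; then
        echo "DUO_PASSCODE must be 'push' or a 6-digit code" >&2
        return 2
    fi
    ssh -o "SendEnv=DUO_PASSCODE" "$1"
}

# Usage (uncomment to run against your own config and the bastion):
# write_duo_ssh_config "$HOME/.ssh/config" "$ICS_BASTION"
# export DUO_PASSCODE=push; duo_ssh "user@$ICS_BASTION"
```

Two points worth keeping in mind: the client-side SendEnv only takes effect if the server's sshd_config lists the variable under AcceptEnv (standard OpenSSH behaviour, which is why the page notes the ICS hosts were prepared for it), and a 6-digit code is a one-time value, so set it for the single connection rather than exporting it from a shell startup file where it would be sent, stale, on every later login.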

Duo Software Token Setup

Please go to this setup guide. This page has information for doing the initial setup, testing of the token, downloading backup codes, and removing your token.

You may want to follow our instructions for setting up a secondary device or replacing your primary device used for Duo authentication.

Setup Secondary Device/Replace Primary Device for Authentication

Use this link to get to the setup site for Duo.

  1. After logging in, click on the “Software Token Registration” link.
  2. You will see the following screen if you have previously set up Duo already.
    • It is tempting and intuitive to click on “Send Me a Push” but don't do it.
  3. Click on “Add a new device” on the left hand side.
    • Choose the authentication device and then click on “Enter a Passcode” or “Send Me a Push”.
      • If you want to use a passcode, open up the Duo app on your smart device and click on University of California, Irvine to reveal code.
  4. Now it is just a matter of setting up your device so follow the steps.

Change Duo Settings

Use this link to get to the setup site for Duo.

  1. To change the Duo settings such as removing an old device or setting up the Default Device, click on “My Settings & Devices” after logging in.
    • Do not click on “Enter a Passcode” or “Send Me a Push” as that will just annoy you with repeated authentication requests and not get you anywhere.
  2. You will see a list of all devices you have registered.
    • For “Default Device”, choose the one you have on hand most of the time.
    • The secondary device is only sent a push after you make it the “Default Device”. A secondary device helps to avoid having to call OIT if you lose your primary device.
    • For “When I log in”, the OIT guy prefers to set “Ask me to choose an authentication method”.
      • You can choose to enter a passcode or send a push when you login to UCI WebAuth.
      • You can also choose to “Remember you” for 24 hours.
        • The remember you is browser dependent. So if you had done it for Firefox but then went to UCI WebAuth on Chrome/Safari/Internet Explorer, you will have to Duo authenticate again.

Duo Off the Grid

It's not possible to be connected all the time. Use a software token in cases when your cell phone is not connected to any wifi or provider network. The token is a 6-digit number that the Duo phone app displays when you tap the key icon.

Other Duo Settings

You will notice that there are four menu items at the top of the webpage.

  • Enrollment
  • Test Token
  • WebAuth Opt-In
  • Office 365 Opt-In

Right now, you will not be prompted when you login to WebAuth even with Duo setup. This will likely change come Fall 2019 as OIT will require that as a default. You can opt-in to be prompted in advance. The same goes for the Office 365 login.

Duo Request

Hostname

Enter as many hostnames (FQDNs) as you wish to have Duo keys for, one per line.

System Service

Typically for Linux systems, you will choose Unix SSH

Unenrolled User Policy

Choose Allow Access if you wish to allow users that have not set up Duo to be able to login.

Choose Deny Access to prevent logins unless they have Duo setup.

Configuration information format

Leave it as Simple Format

Troubleshooting

Q. Required vs. Optional Duo/Two factor

This problem needs to be fixed by computing support and a request to OIT.

Duo Host certificates come in two flavors

  • Required Two Factor
  • Opportunistic Two factor

In the first case, the user MUST use two factor authentication in order to log in to the system. If the user does not have a Duo multi factor key then the user will not be able to log in to the system.

In the second case, the user MAY use two factor authentication. If the user has Duo setup then the user will be prompted. If the user has not setup Duo then they will not be.

This is the error you would see in the log if a server you set to Allow Access doesn't behave correctly:

Aborted Duo login for '<user>' from oat.ics.uci.edu: Access Denied. The username you have entered cannot authenticate with Duo Security. Please contact your system administrator.

Q. Locked Out

You can find logs like this in /var/log/secure on the server that the user attempted to access:

Mar 26 08:59:05 addison-v4 sshd[31254]: Aborted Duo login for 'luser' from vcv077012.vpn.uci.edu: Your account has been locked out due to excessive authentication failures. Please contact your administrator.

They need to contact the OIT helpdesk to unlock their account:

Please open a ticket and make sure to provide your mobile number in your request. If you're unable to open a ticket, you can email us at oit@uci.edu or give us a call at 949-824-2222.

Users can test their token and see if they are locked out.

Q. Aborted Duo login for 'xhx' from *.ics.uci.edu: No default factor found for automatic login

The user needs to finish the Duo sign-up process. Check https://applications.oit.uci.edu/DuoSupportDesk
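The three "Aborted Duo login" messages in this troubleshooting section share one prefix, so a short script can sort a day's /var/log/secure into the three causes before anyone opens a ticket. This is an added example, not part of the ICS page; the sample log lines are constructed from the message formats shown above, and the username 'newuser' is a placeholder.

```shell
#!/bin/sh
# Added example, not from the ICS wiki: triage "Aborted Duo login" lines from
# /var/log/secure into the causes the page lists.

# duo_abort_reason LINE -> prints unenrolled | locked_out | no_default_factor |
# other for a Duo abort line; returns 1 (prints nothing) for any other line.
duo_abort_reason() {
    case "$1" in
        *"Aborted Duo login"*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *"cannot authenticate with Duo Security"*) echo unenrolled ;;
        *"locked out due to excessive authentication failures"*) echo locked_out ;;
        *"No default factor found for automatic login"*) echo no_default_factor ;;
        *) echo other ;;
    esac
}

# duo_abort_summary < LOG -> one "user source reason" line per abort, which maps
# to the fixes on the page: unenrolled -> check host policy / enrollment,
# locked_out -> OIT unlock ticket, no_default_factor -> finish Duo sign-up.
duo_abort_summary() {
    while IFS= read -r line; do
        reason=$(duo_abort_reason "$line") || continue
        # Pull 'user' and source host out of "... for 'user' from host: ..."
        rest=${line#*"Aborted Duo login for '"}
        user=${rest%%"'"*}
        rest=${rest#*"from "}
        src=${rest%%:*}
        printf '%s %s %s\n' "$user" "$src" "$reason"
    done
}

# duo_lockouts LOGFILE -> number of lock-out aborts, the one case that needs an
# OIT ticket rather than a local fix.
duo_lockouts() {
    duo_abort_summary < "$1" | awk '$3 == "locked_out"' | wc -l | tr -d ' '
}

# Constructed sample log (message formats from the page; 'newuser' and the
# publickey line are placeholders, not real records).
duo_sample_log() {
    cat <<'EOF'
Mar 26 08:59:05 addison-v4 sshd[31254]: Aborted Duo login for 'luser' from vcv077012.vpn.uci.edu: Your account has been locked out due to excessive authentication failures. Please contact your administrator.
Mar 26 09:02:11 addison-v4 sshd[31301]: Aborted Duo login for 'newuser' from oat.ics.uci.edu: Access Denied. The username you have entered cannot authenticate with Duo Security. Please contact your system administrator.
Mar 26 09:05:40 addison-v4 sshd[31377]: Aborted Duo login for 'xhx' from emp.ics.uci.edu: No default factor found for automatic login
Mar 26 09:06:00 addison-v4 sshd[31390]: Accepted publickey for okuser from 10.0.0.5 port 50000 ssh2
EOF
}

# Usage: duo_sample_log | duo_abort_summary
#   or, on a real host: duo_abort_summary < /var/log/secure
```

Run it over a real log with `duo_abort_summary < /var/log/secure`; a burst of locked_out lines for one user is the signal to point them at the OIT unlock ticket, while unenrolled hits on a host that was requested with "Allow Access" are the policy mismatch described under "Required vs. Optional".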

accounts/security/twofactorauthentication/duo.txt · Last modified: 2019/07/22 09:57 by hans
CC Attribution-Noncommercial-Share Alike 4.0 International