This guide demonstrates how to set up 2FA using DUO – https://duo.com. This is just an example; you may use any other 2FA software.
On DUO website
Step 1
Create an account at duo.com – the free tier allows you to create up to 10 users.
Step 2
For iOS/Android: download the app named Duo Mobile from the App Store/Google Play.
Step 3
Open Duo Mobile, press the + symbol in the top right corner, and scan the QR code from the Duo website.
Step 4
Inside the DUO dashboard, create a new user for the account you use to log in to your server.
Step 5
Now add your phone.
Step 6
Follow the instructions on the screen to activate your phone.
Step 7
Generate your QR code.
Step 8
Send activation instructions via SMS.
Step 9
Now open the text messaging app on your phone and click the activation link. DUO will open it and activate your app.
Step 10
Create a new Application that you want to protect.
Step 11
Type “UNIX App” and click on it.
Step 12
Now copy all the keys into your notepad.
Step 13
Scroll down to the settings and fill them in.
On your server
Step 14
Make sure you’ve installed Development Tools:
$ sudo yum group install "Development Tools"
Step 15
Download the DUO source and unpack it:
$ wget https://dl.duosecurity.com/duo_unix-latest.tar.gz
$ tar xfz duo_unix-latest.tar.gz
$ cd duo_unix-*
Step 16
Now compile the source and install the app:
$ ./configure --with-pam --prefix=/usr && make && sudo make install
Step 17
Now edit the /etc/duo/login_duo.conf file and fill it in with the codes you copied into your notepad.
Step 18
Now test DUO by running the command below. If you receive a 2FA request on your phone and it works, you can proceed to the next step.
$ /usr/sbin/login_duo
Step 19
Add the DUO layer to your SSH config:
$ echo "ForceCommand /usr/sbin/login_duo" | sudo tee -a /etc/ssh/sshd_config
Step 20
Now copy your integration key, secret key, and host to /etc/login_duo.conf
Step 21
Restart your SSH daemon:
CentOS
$ service sshd restart
Debian/Ubuntu
$ service ssh restart
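A broken ForceCommand line or an empty key can lock you out of SSH, so it is worth checking both files before the restart in Step 21. The script below is an added example, not part of the original guide or of Duo's software; the function names are hypothetical, it assumes the config uses `ikey`, `skey` and `host` lines in `key = value` form, and its demo runs on constructed copies with placeholder values.

```shell
#!/bin/sh
# Added example: pre-restart check for the login_duo setup in Steps 17-21.
# File paths are arguments so the check can be run on copies first.

# Print the value assigned to key $2 in the "key = value" file $1.
conf_value() {
    sed -n -e 's/[[:space:]]*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 when both files look ready; otherwise print each problem found.
check_duo_setup() {
    conf=$1; sshd=$2; rc=0
    for key in ikey skey host; do
        if [ -z "$(conf_value "$conf" "$key")" ]; then
            echo "FAIL: $key is empty or missing in $conf"; rc=1
        fi
    done
    # The file holds the secret key: group/other permission bits must be clear.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $conf is accessible to group or other users"; rc=1
    fi
    # The Step 19 directive must be present, uncommented and unquoted.
    if ! grep -Eq '^[[:space:]]*ForceCommand[[:space:]]+/usr/sbin/login_duo[[:space:]]*$' "$sshd"; then
        echo "FAIL: no active 'ForceCommand /usr/sbin/login_duo' in $sshd"; rc=1
    fi
    # Typographic quotes pasted from a web page land in the file verbatim.
    if grep -Fq -e '“' -e '”' "$sshd"; then
        echo "FAIL: typographic quotes found in $sshd"; rc=1
    fi
    return "$rc"
}

# Constructed sample files with placeholder values (not real credentials).
demo=$(mktemp -d)
printf '[duo]\nikey = PLACEHOLDER_IKEY\nskey = PLACEHOLDER_SKEY\nhost = api-placeholder.example\n' \
    > "$demo/login_duo.conf"
chmod 600 "$demo/login_duo.conf"
printf 'ForceCommand /usr/sbin/login_duo\n' > "$demo/sshd_good"
printf '“ForceCommand /usr/sbin/login_duo”\n' > "$demo/sshd_bad"

if check_duo_setup "$demo/login_duo.conf" "$demo/sshd_good"; then
    echo "good copy: ready"
fi
check_duo_setup "$demo/login_duo.conf" "$demo/sshd_bad" || echo "bad copy: rejected"
```

On a real server, call `check_duo_setup` with the paths from Steps 17 and 19, and keep an existing SSH session open while you restart the daemon.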