> From: Erik Anderson [mailto:[email protected]]
>
> Slightly tangential to this topic: I've implemented Duo on our test
> *nix/*BSD servers to protect SSH. This was easy enough. The main
> problem I've run into is that Duo completely breaks Ansible's ability
> to properly execute playbooks on the hosts. Has anyone found a way
> around this?
>
> Sure, I could create a separate user for ansible which is exempted
> from Duo, but I'd rather not do that if it could be avoided.

Yup. There are a bunch of ways to approach it. (At least three, that we use at work).

1. If your version of sshd supports Match, you can add a section at the end of sshd_config:

       Match User *,!sudouser
           Blahblah use duo.

   This would allow "sudouser" to bypass duo.

2. I'm fuzzy on the details here, because I don't have access to our duo servers, but under some circumstances, they will enter a specific user into the duo servers, to bypass.

3. I'm also fuzzy here, but in your client, /etc/login_duo.conf, you have a secret key. This is used to identify which profile, or configuration, or whatever it's called, that the server uses. I don't know the exact capabilities they have, but I know for some systems, we enter a secret key that corresponds to a profile, in which duo is automatically bypassed because the user is coming from a VPN where they already had to duo in order to get on the VPN. I'm guessing duo bypass by network segment isn't the only criterion you can use to get duo bypass.

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
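
An added example, not part of the original message and not Duo's or OpenSSH's own code: a small Python model of how sshd evaluates the "Match User" pattern list from option 1, showing why the leading `*` is required and how to flag accounts that skip Duo without being on an approved bypass list. The account names and the `audit` helper are constructed for illustration.

```python
import re

def _glob(pattern, name):
    # OpenSSH patterns know only '*' (any run of characters) and '?' (one character).
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, name) is not None

def match_pattern_list(name, pattern_list):
    """Model of the pattern-list rule described in ssh_config(5), PATTERNS."""
    positive = False
    for term in pattern_list.split(","):
        term = term.strip()
        if term.startswith("!"):
            if _glob(term[1:], name):
                return False      # a negated hit vetoes the whole list
        elif _glob(term, name):
            positive = True
    return positive               # negations alone never yield a match

def duo_enforced(user, match_user_arg):
    """True if `user` falls inside the 'Match User ...' block that invokes Duo."""
    return match_pattern_list(user, match_user_arg)

def audit(match_user_arg, accounts, allowed_bypass):
    """Return accounts that skip Duo but are not on the approved bypass list."""
    return sorted(a for a in accounts
                  if not duo_enforced(a, match_user_arg) and a not in allowed_bypass)

# Constructed sample data: these account names are made up for the example.
ACCOUNTS = ["root", "alice", "bob", "sudouser", "sudouser2"]
APPROVED = {"sudouser"}

if __name__ == "__main__":
    # Second line omits '*': the block matches nobody, so Duo is never invoked.
    # Third line uses a wildcard negation that also exempts 'sudouser2'.
    for arg in ("*,!sudouser", "!sudouser", "*,!sudo*"):
        print(f"Match User {arg:<12} unexpected bypass: {audit(arg, ACCOUNTS, APPROVED)}")
```

On a real host, `sshd -T -C user=NAME,host=HOST,addr=ADDR` prints the effective settings for that connection and is the authoritative check; this model only illustrates the matching rule.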
