Cannot synchronize the password for a linux user, this user authenticates by keys. When the user logs on, he is presented with a two-factor login prompt:
...
Enter a passcode or select one of the following options:
1. Duo Push to +XX XXX XXX NNNN
2. SMS passcodes to +XX XXX XXX NNNN
Applies to any PAM release.
The PAM UNIX connector cannot handle MFA, particularly it it involves retrieving a passcode from a specific user's phone line.
Accounts that require MFA involving messages/codes sent to a personal phone should be managed by the users they belong to. A private key could be stored by the user as a Secret in PAM. For accounts managed by PAM the MFA option should be disabled. The password can be configured to be rotated by PAM automatically after each view to eliminate the risk of a previously retrieved password ending up in the wrong hands.