Cannot synchronize MFA user to linux device



Article ID: 274483


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The password of a Linux account that authenticates with SSH keys cannot be synchronized from PAM. When the account logs on to the target host, the host presents a two-factor login prompt:

...

Enter a passcode or select one of the following options:

1. Duo Push to +XX XXX XXX NNNN

2. SMS passcodes to +XX XXX XXX NNNN

Environment

Applies to any PAM release.

Cause

The PAM UNIX connector cannot complete an MFA challenge, particularly one that requires retrieving a passcode sent to a specific user's phone. The connector logs on non-interactively, so a prompt that can only be answered out of band stops the password synchronization.

Resolution

Accounts that require MFA involving messages or codes sent to a personal phone should be managed by the users they belong to, not by PAM. Such a user can store the account's private key as a Secret in PAM. For accounts that PAM manages, the MFA option must be disabled on the target so that the connector can log on and rotate the password. To limit the exposure of a retrieved password, PAM can be configured to rotate the password automatically after each view, which eliminates the risk of a previously retrieved password ending up in the wrong hands.
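The Cause and Resolution above amount to a sorting decision at onboarding time: if a key-based login to the target ends at an out-of-band second-factor prompt, the UNIX connector cannot manage the account and the user should hold the key as a Secret instead. The following added example (not part of this article or of PAM itself) classifies a captured login transcript so that such accounts can be flagged before they are onboarded. The Duo wording is the one quoted in this article; the other prompt patterns, the account names and the transcripts are constructed for illustration.

```python
"""Classify a captured Linux login transcript and recommend how the account
should be handled by a password-management connector.

Added example, not part of the KB article or of CA PAM.  The transcripts
below are constructed, not captured from a real host."""

import re
from enum import Enum


class LoginOutcome(Enum):
    SHELL = "shell"          # login completed; a shell prompt was reached
    PASSWORD = "password"    # host asked for a password only; connector can answer it
    MFA = "mfa"              # host asked for a second factor; connector cannot answer it
    UNKNOWN = "unknown"


# Second-factor prompts as they appear in a login transcript.  The first two
# match the Duo prompt quoted in the article; the rest are common equivalents
# (assumed, for illustration).  MFA is checked first because it usually
# follows a password prompt in the same transcript.
MFA_PATTERNS = [
    re.compile(r"Enter a passcode or select one of the following options", re.I),
    re.compile(r"^\s*\d+\.\s+(Duo Push|SMS passcodes|Phone call)", re.I | re.M),
    re.compile(r"Verification code:", re.I),           # google-authenticator PAM module
    re.compile(r"One-time password \(OATH\)", re.I),   # pam_oath
]

# A transcript that ends at a password prompt: the connector can type one.
PASSWORD_PROMPT = re.compile(r"(^|\n)[^\n]*[Pp]assword:\s*$")

# A transcript that ends at an interactive shell prompt (user@host:~$ or #).
SHELL_PROMPT = re.compile(r"(^|\n)[\w.-]+@[\w.-]+[:~][^\n]*[$#]\s*$")


def classify_login(transcript: str) -> LoginOutcome:
    """Return what the target host was waiting for when the transcript ended."""
    if any(p.search(transcript) for p in MFA_PATTERNS):
        return LoginOutcome.MFA
    if SHELL_PROMPT.search(transcript):
        return LoginOutcome.SHELL
    if PASSWORD_PROMPT.search(transcript):
        return LoginOutcome.PASSWORD
    return LoginOutcome.UNKNOWN


def onboarding_recommendation(outcome: LoginOutcome) -> str:
    """Map the login outcome to the handling described in the article."""
    if outcome is LoginOutcome.MFA:
        return ("user-owned: keep MFA, the user stores the private key as a "
                "PAM Secret; do not onboard to the UNIX connector")
    if outcome in (LoginOutcome.PASSWORD, LoginOutcome.SHELL):
        return ("pam-managed: disable MFA for this account on the target and "
                "rotate the password automatically after each view")
    return "manual review: login did not end at a recognised prompt"


# Constructed transcripts (hypothetical hosts and accounts).
DUO_TRANSCRIPT = (
    "Last login: Mon Jan  1 09:00:00 2024 from 10.0.0.5\n"
    "Enter a passcode or select one of the following options:\n\n"
    " 1. Duo Push to +XX XXX XXX NNNN\n"
    " 2. SMS passcodes to +XX XXX XXX NNNN\n\n"
    "Passcode or option (1-2): "
)
PASSWORD_TRANSCRIPT = "svc-backup@db01's password: "
SHELL_TRANSCRIPT = "Last login: Mon Jan  1 09:00:00 2024 from 10.0.0.5\nsvc-backup@db01:~$ "


if __name__ == "__main__":
    for name, text in [("appadmin@web01", DUO_TRANSCRIPT),
                       ("svc-backup@db01 (password)", PASSWORD_TRANSCRIPT),
                       ("svc-backup@db01 (key)", SHELL_TRANSCRIPT)]:
        outcome = classify_login(text)
        print(f"{name}: {outcome.value} -> {onboarding_recommendation(outcome)}")
```

In practice the transcript would come from a non-interactive SSH attempt against the target (for example `ssh -o BatchMode=yes`), captured before the account is added to PAM; only the classification logic is shown here, so it runs offline against the constructed transcripts.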