
Support for hostnames with multiple IP addresses with automatic fallback? #309

Open
martinvonwittich opened this issue Jan 9, 2025 · 0 comments


martinvonwittich commented Jan 9, 2025

I would like pam_duo to support hostnames with multiple IP addresses in the host setting in /etc/security/pam_duo.conf, so that pam_duo first sends the request to a randomly chosen IP address of this list (DNS round robin), and if that request fails with a connection error, pam_duo should proceed to iterate over the remaining IP addresses and try each IP address in turn. This should provide redundancy in case some, but not all, authentication servers do not work.

Detailed Description

We run pam_duo on our servers with the following configuration:

martin ~ # cat /etc/security/pam_duo.conf
[duo]
ikey = <fully qualified hostname>
skey = <key>
host = auth.company.tld
cafile = <path to CA certificate>
failmode = secure

auth.company.tld resolves to two IP addresses for our two separate auth servers auth1.company.tld and auth2.company.tld that proxy the requests to Duo:

martin ~ # host auth.company.tld
auth.company.tld has address 1.2.3.4
auth.company.tld has address 5.6.7.8

We had expected that this configuration should provide redundancy in case one of our authentication servers fails. Today one of those servers did fail because a faulty maintenance script accidentally replaced the correct server certificate (signed by our CA certificate) with a Let's Encrypt certificate, which pam_duo obviously wouldn't accept because it's not signed by our CA. This failure resulted in the following error on each authentication attempt:

Jan  9 07:49:47 client sshd[1455334]: Partial publickey for some.user from <IP address> port 56175 ssh2: ED25519 SHA256:<fingerprint>
Jan  9 07:49:47 client sshd[1455340]: Failsecure Duo login for 'some.user' from <IP address>: Couldn't connect to auth.company.tld: certificate verify failed
Jan  9 07:49:47 client sshd[1455334]: error: PAM: Error in service module for some.user from <IP address>
Jan  9 07:49:47 client sshd[1455334]: Failed keyboard-interactive/pam for some.user from <IP address> port 56175 ssh2
Jan  9 07:49:50 client sshd[1455334]: Connection closed by authenticating user some.user <IP address> port 56175 [preauth]

Apparently pam_duo only resolves the hostname to a single IP address (probably a random one of the list?), and if it can't connect to this IP, the authentication will fail.

Use Case

Support for iterating over all IP addresses of a hostname would provide redundancy in case one of the authentication servers fails.

Workarounds

Currently, our setup doesn't provide redundancy like we had hoped.

We are considering working around the issue by calling pam_duo from PAM with different conf= arguments and separate configuration files, where each configuration file contains one of the auth.company.tld IP addresses.
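The fallback policy the issue asks for, written out as an added example in Python (it is not pam_duo's code and does not describe how pam_duo resolves names today). It assumes the authentication server speaks TLS on a configurable port, that the certificate must chain to the configured `cafile`, and that a certificate verification failure on one address should count the same as a connection error so the next address is tried. Name resolution and connection setup are injectable, and the `fake_resolver`/`fake_connector` fixtures are constructed to mirror the `host auth.company.tld` output and the "certificate verify failed" error from the report, so the policy runs offline:

```python
"""Client-side failover across every address a DNS name resolves to.

Added example, not pam_duo's own code. Assumes a TLS authentication endpoint,
a CA file to verify against, and that TLS verification failures are treated as
"this server is unusable, try the next one".
"""
import random
import socket
import ssl
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Tuple


class AuthUnavailable(Exception):
    """No address worked; the caller applies failmode (secure -> deny login)."""

    def __init__(self, errors: Dict[str, BaseException]):
        super().__init__("no authentication server reachable: %s" % errors)
        self.errors = errors


def resolve_all(host: str, port: int = 443,
                resolver: Callable[[str, int], Iterable[tuple]] = socket.getaddrinfo) -> List[str]:
    """Every address `host` resolves to, de-duplicated, resolver order kept.

    getaddrinfo returns one tuple per (family, socktype) pair, so the same
    address can show up several times; only the address matters here.
    """
    addrs: List[str] = []
    for _family, _socktype, _proto, _canon, sockaddr in resolver(host, port):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def tls_connect(host: str, addr: str, port: int = 443,
                cafile: Optional[str] = None, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a verified TLS connection to one concrete address.

    The TCP socket goes to `addr`, but SNI and the hostname check use the
    configured name `host`, so a certificate issued for auth.company.tld is
    accepted on every address and an untrusted one is rejected.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    raw = socket.create_connection((addr, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except BaseException:
        raw.close()
        raise


def connect_with_fallback(host: str, addresses: Sequence[str],
                          connect: Callable[[str, str], object],
                          seed: Optional[int] = None) -> Tuple[object, str, Dict[str, BaseException]]:
    """Start at a random address (round robin), then try the rest in turn.

    `connect(host, addr)` returns a connection or raises OSError. That covers
    refused/timed-out connections and, since ssl.SSLError subclasses OSError,
    certificate verification failures like the one in the report.
    Returns (connection, address_used, errors_from_addresses_skipped).
    """
    if not addresses:
        raise AuthUnavailable({})
    order = list(addresses)
    start = random.Random(seed).randrange(len(order))
    order = order[start:] + order[:start]  # rotate so a random address goes first
    errors: Dict[str, BaseException] = {}
    for addr in order:
        try:
            return connect(host, addr), addr, errors
        except OSError as exc:
            errors[addr] = exc  # remember why, then move on to the next address
    raise AuthUnavailable(errors)


# ---- constructed fixtures so the policy runs offline (no real auth servers) ----

def fake_resolver(host: str, port: int) -> List[tuple]:
    """Constructed getaddrinfo-style answer mirroring the issue's `host` output."""
    return [
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("1.2.3.4", port)),
        (socket.AF_INET, socket.SOCK_DGRAM, 17, "", ("1.2.3.4", port)),  # duplicate address
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("5.6.7.8", port)),
    ]


def fake_connector(broken: Iterable[str]) -> Callable[[str, str], str]:
    """Connector that fails like a server presenting a certificate our CA did not sign."""
    broken = set(broken)

    def connect(host: str, addr: str) -> str:
        if addr in broken:
            raise ssl.SSLCertVerificationError("certificate verify failed: %s" % addr)
        return "conn:%s" % addr

    return connect


def simulate(addresses: Sequence[str], broken: Iterable[str], seed: int = 0) -> Dict[str, object]:
    """Run the policy against the fixtures; report which address was used, if any."""
    try:
        _conn, used, errors = connect_with_fallback("auth.company.tld", addresses,
                                                     fake_connector(broken), seed=seed)
        return {"connected": used, "skipped": sorted(errors)}
    except AuthUnavailable as exc:
        return {"connected": None, "skipped": sorted(exc.errors)}


if __name__ == "__main__":
    addrs = resolve_all("auth.company.tld", resolver=fake_resolver)
    print("resolved:", addrs)
    print("auth1 broken:", simulate(addrs, {"1.2.3.4"}, seed=1))
    print("both broken:", simulate(addrs, {"1.2.3.4", "5.6.7.8"}, seed=1))
```

The check worth noticing is in `tls_connect`: when iterating over concrete addresses, the certificate must still be verified against the configured hostname rather than the IP, otherwise the fallback would silently weaken the check that caught the wrong certificate in the report. With `failmode = secure`, `AuthUnavailable` is the point where the module would deny the login after every address has been tried.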
