Právě si prohlížíte Duo Security 2FA na Proxmox VE

Duo Security 2FA na Proxmox VE

Vytvořte soubor /etc/apt/sources.list.d/duosecurity.list s tímto obsahem:

deb https://pkg.duosecurity.com/Debian bookworm main

Stáhněte GPG klíč pro Duo repository a nahrajte do systému.

wget https://duo.com/DUO-GPG-PUBLIC-KEY.asc
mv DUO-GPG-PUBLIC-KEY.asc /etc/apt/trusted.gpg.d

Nainstalujte Duo Security:

root@janus:/etc/apt/trusted.gpg.d# apt-get update && apt-get install duo-unix
Get:1 http://security.debian.org trixie-security InRelease [43.4 kB]
Hit:2 http://ftp.cz.debian.org/debian trixie InRelease
Get:3 http://ftp.cz.debian.org/debian trixie-updates InRelease [47.1 kB]
Get:4 http://security.debian.org trixie-security/main amd64 Packages [11.6 kB]
Hit:5 http://download.proxmox.com/debian/pve trixie InRelease
Ign:6 https://pkg.duosecurity.com/Debian bookworm InRelease
Get:7 https://pkg.duosecurity.com/Debian bookworm Release [2,047 B]
Get:8 http://security.debian.org trixie-security/main Translation-en [10.6 kB]
Get:9 https://pkg.duosecurity.com/Debian bookworm Release.gpg [862 B]
Get:10 https://pkg.duosecurity.com/Debian bookworm/main amd64 Packages [743 B]
Fetched 116 kB in 3s (41.1 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
  proxmox-kernel-6.8.12-11-pve-signed
Use 'apt autoremove' to remove it.
The following NEW packages will be installed:
  duo-unix
0 upgraded, 1 newly installed, 0 to remove and 19 not upgraded.
Need to get 184 kB of archives.
After this operation, 562 kB of additional disk space will be used.
Get:1 https://pkg.duosecurity.com/Debian bookworm/main amd64 duo-unix amd64 2.1.0-0 [184 kB]
Fetched 184 kB in 1s (191 kB/s)
Selecting previously unselected package duo-unix.
(Reading database ... 81355 files and directories currently installed.)
Preparing to unpack .../duo-unix_2.1.0-0_amd64.deb ...
Unpacking duo-unix (2.1.0-0) ...
Setting up duo-unix (2.1.0-0) ...
Processing triggers for man-db (2.13.1-1) ...

V administraci Dua vytvořte další aplikaci.

Upravte soubor /etc/duo/pam_duo.conf


[duo]
; Duo integration key
ikey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
; Duo secret key
skey = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
; Duo API host
host = zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
; `failmode = safe` In the event of errors with this configuration file or connection to the Duo service
; this mode will allow login without 2FA.
; `failmode = secure` This mode will deny access in the above cases. Misconfigurations with this setting
; enabled may result in you being locked out of your system.
failmode = safe
; Send command for Duo Push authentication
;pushinfo = yes

Otestujte, že Duo ověřuje:

root@janus:/# /usr/sbin/login_duo
Autopushing login request to phone...
Login request denied.
Duo two-factor login for petr.santrucek@exterra-services.cz

Enter a passcode or select one of the following options:

 1. Duo Push to +XXX XXX XXX 787
 2. SMS passcodes to +XXX XXX XXX 787

Passcode or option (1-2): 1

Pushed a login request to your device...
Success. Logging you in...

Nyní je třeba aktivovat 2FA u uživatelů PVE.

Vyberte uživatele a z autentikátoru na mobilu zadejte kód.

Pokud vše proběhne v pořádku, objeví se uživatel s 2FA autentikací.

A teď test přihlášením:-)

Pokud vše proběhlo OK, jste uvnitř:-)

Nyní by asi bylo dobré defaultnímu uživateli root na PVE změnit heslo na opravdu silné a komplexní a používat pouze uživatele s 2FA.

Nezapomeňte, že instalaci Duo Security musíte provést na všech nodech clusteru!