Open EricHorst opened 2 months ago
@EricHorst Based on my reading of the setting https://duo.com/docs/duounix#duo-configuration-options, I believe you are describing a slightly different scenario than what https_timeout affects.
If Duo Security takes longer than the configured number of seconds to respond to the preauth API call, the configured failmode is triggered. Other network operations such as DNS resolution, TCP connection establishment, and the SSL handshake have their own independent timeout and retry logic.
The way I read that is that this timeout only applies if the connection to Duo is made but the response does not arrive within the timeout. A delay in reaching Duo to establish the connection will not trigger this timeout. Unfortunately we don't appear to have a timeout control that covers that scenario. This config option could be named more clearly; something like "duo_timeout" would have been more descriptive.
For pam_duo, setting https_timeout does not invoke failmode as documented. Failmode is never invoked if the Duo API is unreachable and times out.
This makes it impossible to configure pam_duo to fail "safe" in cases where network connectivity is impaired.
Description

The documentation for https_timeout says the following, which is incorrect:
In the case where the HTTPS connection to Duo Security times out, no failmode is triggered.
Expected Behavior

One configures failmode = safe and https_timeout = 10. In this case, if the Duo API is unreachable for 10 seconds, then the safe failmode should be invoked and pam_duo should log failmode access and return PAM_SUCCESS.

Actual Behavior

One configures failmode = safe and https_timeout = 10. There is no error logged and no failmode invoked. pam_duo simply fails.

Steps to Reproduce

failmode = safe and https_timeout = 10
Workarounds
None possible.
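The behaviour the issue expects, written out as an added example (my own Python model, not pam_duo's code and not Duo's API): a preauth probe with separate connect and read timeouts, and a decision function in which every network failure class (post-connect read timeout, refused TCP connection, DNS failure) lands in the configured failmode rather than a bare failure. The Duo API is replaced by a constructed local listener so it runs offline; the connect_timeout knob, the one-line "allow"/"deny" reply protocol and the log wording are assumptions for this example only.

```python
import socket
import threading
import time

# Hypothetical model (added example, not pam_duo's code) of the fail-safe
# decision the issue asks for: any network failure on the preauth call,
# not only a read timeout after the connection exists, triggers failmode.


def probe_duo_api(host, port, connect_timeout=3.0, read_timeout=10.0):
    """Connect, send a stand-in preauth request and wait for one reply line.

    read_timeout plays the role of https_timeout and only starts once the
    TCP connection is up; connect_timeout is an assumed knob covering DNS,
    TCP and (in a real client) the TLS handshake. Any network failure
    raises OSError: socket.timeout, ConnectionRefusedError and
    socket.gaierror are all subclasses of it.
    """
    with socket.create_connection((host, port), timeout=connect_timeout) as s:
        s.settimeout(read_timeout)
        s.sendall(b"preauth user=alice\n")
        data = s.recv(1024)
    if not data:
        raise ConnectionError("server closed the connection without a reply")
    return data.decode("ascii", "replace").strip()


def classify(exc):
    """Reason text for the log line; timeout is checked first (it is an OSError too)."""
    if isinstance(exc, socket.timeout):
        return "timed out waiting for Duo API response"
    if isinstance(exc, socket.gaierror):
        return "DNS resolution of Duo API host failed"
    if isinstance(exc, ConnectionRefusedError):
        return "TCP connection to Duo API refused"
    return f"network error contacting Duo API: {exc}"


def decide(failmode, host, port, connect_timeout=3.0, read_timeout=10.0, log=None):
    """Return 'allow' or 'deny' and append an explanatory line to log.

    failmode='safe'   -> allow when Duo cannot be reached (fail open)
    failmode='secure' -> deny when Duo cannot be reached (fail closed)
    """
    if failmode not in ("safe", "secure"):
        raise ValueError("failmode must be 'safe' or 'secure'")
    if log is None:
        log = []
    try:
        reply = probe_duo_api(host, port, connect_timeout, read_timeout)
    except OSError as exc:
        verdict = "allow" if failmode == "safe" else "deny"
        log.append(f"{classify(exc)}; failmode={failmode}, {verdict}ing access")
        return verdict
    # Assumed reply protocol: the literal word 'allow' permits, anything else denies.
    verdict = "allow" if reply == "allow" else "deny"
    log.append(f"Duo API replied {reply!r}; {verdict}ing access")
    return verdict


def start_fake_duo(behaviour, hold_seconds=2.0):
    """Constructed stand-in for the Duo API on 127.0.0.1; returns its port.

    'allow' / 'deny' -> reply with that word
    'silent'         -> accept the connection, read, then say nothing
    'refused'        -> hand back a port nothing is listening on
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if behaviour == "refused":
        srv.close()  # port is free again, so connect() gets a RST
        return port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)
            if behaviour == "silent":
                time.sleep(hold_seconds)  # longer than the client's read timeout
            else:
                conn.sendall(behaviour.encode() + b"\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for mode in ("safe", "secure"):
        for behaviour in ("allow", "deny", "silent", "refused"):
            log = []
            port = start_fake_duo(behaviour)
            verdict = decide(mode, "127.0.0.1", port, read_timeout=0.5, log=log)
            print(f"failmode={mode:6} api={behaviour:7} -> {verdict:5} | {log[-1]}")
```

The point of catching OSError rather than only socket.timeout is that a refused connection or a DNS failure is just as much "Duo is unreachable" as a slow response, and with failmode = safe the user expects all three to be logged and allowed, not silently rejected.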