duosecurity / duo_unix

Duo two-factor authentication for Unix systems
http://www.duosecurity.com

accept_env_var or accept_env -- which one is correct? #37

Closed shinji257 closed 11 years ago

shinji257 commented 11 years ago

The source code uses accept_env but the man page says accept_env_var. Which one should be correct for using the DUO_PASSCODE env variable?

EDIT: In either case pam complains that the option isn't valid... :(

ben-duo commented 11 years ago

Try the config option accept_env_factor. Sorry -- there was a typo in the pam-duo.8 man page in 1.9.4. Thanks for the catch!

shinji257 commented 11 years ago

Yes, I noticed that after poking around the code. Is there any way to extend this to work at SSH login? It seems to only work locally (e.g. with sudo).

dadrian commented 11 years ago

This does work with SSH, you just need to configure sshd to AcceptEnv DUO_PASSCODE and your ssh client to SendEnv DUO_PASSCODE. We updated the website for this, it just isn't quite live yet. :(

shinji257 commented 11 years ago

This isn't working for some reason for me then. I set it up and set up PuTTY to send the environment but it doesn't react to it. I can confirm that the server got it though because I can echo it back once logged in. Does this work for pam_duo? That's what I'm using. Might make a difference. If there is any additional config I need to do in pam let me know please since I might just be overlooking something.

ben-duo commented 11 years ago

It appears the accept_env_factor feature is not actually implemented for pam_duo because the necessary environment variables are not available to it. I've removed the entry from the man page.

Do you need passcode support specifically? Would autopush work instead?

Thanks again for finding this issue and apologies for the inconvenience.

shinji257 commented 11 years ago

I have it configured to autopush, which leads up to another issue report I'll file separately (reason I wanted to use the override).

Now then I have a side question that's somewhat related. Doesn't sudo/su use pam? I was able to override it locally when I did those commands. Or is it a matter of that it is unavailable to pam during authentication?

ben-duo commented 11 years ago

I believe the problem was that the SSH server does not read environment variables from the client until after PAM authentication completes.