Sunday, March 20, 2016

pam_duo with MacOSX for Duo 2 Factor Auth via SSH


(Updated 20230328: I just verified this still works with the latest 2.0 version of pam_duo / Duo Unix. Go Duo.)
Today I decided that duo_unix.so was just so-so and I needed something more. Being a fan of DuoSec, I decided it was time to work out how to get pam_duo.so working on my Mac.


  • First, I started by checking out the code and reading their documentation online.
  • Next, I made sure that Xcode was in good order and that the command line tools and libraries were installed.
  • I then downloaded the latest released package:


curl -LO https://dl.duosecurity.com/duo_unix-latest.tar.gz



  • It was time to build, but I had a few prerequisites first. Specifically, I needed the OpenSSL libraries, since Apple ships its own SSL (Common Crypto), so I had to install them. I use brew, so that was simple:
brew install openssl

  • Then it was all about configuring the build. You will see I used a poor --with-pam prefix; it should have been /usr/local/lib or /usr/local/libexec, but that is your preference. Remember, /usr is protected by Apple's gatekeeper, so you will have to deviate from the defaults:



./configure --with-pam=/usr/local --prefix=/usr/local --with-openssl=/usr/local/opt/openssl


  • make and make install dropped all the pieces into place (as root/sudo, of course).
  • Then I followed the documentation on Duo's site and referenced the pam_duo.so file by its explicit path. My line was:
auth       required       /usr/local/pam_duo.so
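The build and the PAM edit above, wrapped in one script as an added example (not code from the original post or from Duo): the paths are the post's configure values, while /etc/pam.d/sshd as the SSH service file, the .bak copy and the refusal to edit when the module file is missing are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the build steps above plus an
# idempotent edit of the SSH PAM service file. Paths come from the post's
# configure line; /etc/pam.d/sshd as the target file is an assumption.
set -eu

PREFIX=/usr/local
PAM_DIR=/usr/local                      # --with-pam from the post
OPENSSL_DIR=/usr/local/opt/openssl      # brew's openssl prefix
TARBALL=https://dl.duosecurity.com/duo_unix-latest.tar.gz
PAM_MODULE="$PAM_DIR/pam_duo.so"        # what the PAM line must point at

# Fetch, configure, build and install exactly as the post does.
build_and_install() {
  curl -LO "$TARBALL"
  tar xzf duo_unix-latest.tar.gz
  cd duo_unix-*/
  ./configure --with-pam="$PAM_DIR" --prefix="$PREFIX" --with-openssl="$OPENSSL_DIR"
  make
  sudo make install
}

# Number of times a PAM file already references the Duo module (0 if none).
pam_duo_count() { grep -c 'pam_duo\.so' "$1" || true; }

# Insert the 'auth required <module>' line once, right after the last existing
# 'auth' entry so Duo runs as the second factor, not instead of the first.
# A .bak copy is written before editing, and the function refuses to run when
# the module file is missing: a 'required' line pointing at a module PAM
# cannot load fails closed and locks every SSH login out.
add_pam_duo_line() {
  file=$1 module=${2:-$PAM_MODULE}
  if [ ! -f "$module" ]; then
    echo "refusing to edit $file: $module not found" >&2
    return 1
  fi
  [ "$(pam_duo_count "$file")" -eq 0 ] || return 0   # already configured
  cp "$file" "$file.bak"
  awk -v line="auth       required       $module" '
    { buf[NR] = $0; if ($1 == "auth") last = NR }
    END { for (i = 1; i <= NR; i++) { print buf[i]; if (i == last) print line }
          if (!last) print line }' "$file.bak" > "$file"
}

case "${1:-}" in
  build)  build_and_install ;;
  enable) add_pam_duo_line /etc/pam.d/sshd ;;
  *)      : ;;                             # no argument: only define functions
esac
```

Run it with `build` to compile and install, then with `enable` to add the PAM line; keep a second SSH session open while testing so the .bak copy can be restored if the new login prompt misbehaves.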

Enjoy: now I can ssh in as any user and get prompted for Duo. If the user is not set up with a Duo account, it politely tells me so. What I didn't verify is whether the brew version of duo_unix supports the PAM module, as I thought it was just for login_unix, which is not very flexible.

2 comments:

  1. Hi Chris,

    Have you found a way to support Duo 2FA on a Mac at the login screen? I'm currently trying to get that working (SSH works fine), but we are having some issues. Just got an email back from Duo support saying that with "recent upgrades to the Mac OS we are currently not supporting a Mac Unix client. This may change in the future so please check back with us at a later date," but they are just blowing me off. Any suggestions you may have would be greatly appreciated.

    Thanks,

    Blake

    Replies
    1. Blake - I have not, but that is something to think about. Good idea.