Package: login-duo
Version: 1.11.3-1
Severity: minor

Dear Maintainer,

The login_duo man page states that its default configuration file is /etc/duo/login_duo.conf. However, it appears to by default look in /etc/security/login_duo.conf. This is confusing to a new user who installs the configuration file in /etc/duo/login_duo.conf.

When login_duo can't find its configuration file, it "fails open", allowing users to proceed with their login action without checking the second factor, so it is important that the configuration file be installed correctly.

Here is an example terminal session demonstrating the problem:

$ login_duo -f jackhill
Missing host, ikey, or skey in /etc/security/login_duo.conf
$ logout
$ login_duo -f jackhill -c /etc/duo/login_duo.conf
Duo two-factor login for jackhill

Enter a passcode or select one of the following options:

 1. Phone call to XXX-XXX-2576
 2. SMS passcodes to XXX-XXX-2576 (next code starts with: 2)

Passcode or option (1-2): 1

Calling your phone...
Dialing XXX-XXX-2576...
Answered. Press any key on your phone to log in.
Success. Logging you in...
$

-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-7-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages login-duo depends on:
ii  libc6           2.31-12
ii  libduo3         1.11.3-1
ii  openssh-server  1:8.4p1-5

login-duo recommends no packages.

login-duo suggests no packages.

-- no debconf information
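
An added example, not part of the original report and not code from Duo or the Debian package: a shell check that a configuration file exists at the path the session above shows login_duo reading by default, and that it defines host, ikey and skey. The function names and the optional ROOT prefix are assumptions introduced here, as is the `key = value` line format the pattern matches.

```shell
#!/bin/sh
# Added example: audit where the login_duo configuration actually lives.
# The two paths are the ones named in the report.
DOCUMENTED_CONF=/etc/duo/login_duo.conf      # path given in the man page
COMPILED_CONF=/etc/security/login_duo.conf   # path the binary reported reading

# has_key FILE KEY: succeed if FILE has an uncommented "KEY = value" line
# with a non-empty value (assumed line format).
has_key() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*[^[:space:]]" "$1"
}

# check_duo_conf FILE: 0 = usable, 1 = missing or unreadable, 2 = incomplete.
check_duo_conf() {
    [ -r "$1" ] || return 1
    for key in host ikey skey; do
        has_key "$1" "$key" || return 2
    done
    return 0
}

# audit_duo_conf [ROOT]: print a verdict and return 0 only when the file at
# the default path is usable. ROOT is a hypothetical prefix so the check can
# be pointed at a staged tree instead of the live /etc.
audit_duo_conf() {
    root=${1:-}
    rc=0
    check_duo_conf "$root$COMPILED_CONF" || rc=$?
    case $rc in
        0) echo "OK: $COMPILED_CONF defines host, ikey and skey"; return 0 ;;
        1) echo "FAIL: $COMPILED_CONF is missing or unreadable" ;;
        2) echo "FAIL: $COMPILED_CONF lacks host, ikey or skey" ;;
    esac
    # The situation from the report: a complete file sits at the documented
    # path, but login_duo only reads it when given -c.
    if check_duo_conf "$root$DOCUMENTED_CONF"; then
        echo "NOTE: complete config found at $DOCUMENTED_CONF, not read without -c"
    fi
    return 1
}

# Usage: audit_duo_conf   (run as a user allowed to read the file)
```

A non-zero exit from `audit_duo_conf` in a provisioning or monitoring job flags a host where login_duo would proceed without the second factor.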