DUO on Linux where you have the box joined to the domain

https://duo.com/docs/loginduo

     sudo cp 1_*.crt /usr/local/share/ca-certificates

     sudo update-ca-certificates --fresh

     wget https://dl.duosecurity.com/duo_unix-latest.tar.gz

     tar zxf duo_unix-latest.tar.gz

     cd duo...

     ./configure --prefix=/usr

     make

     sudo make install

     sudo nano /etc/duo/pam_duo.conf

    login_duo echo 'hi'

    

     /etc/pam.d/sshd

           auth sufficient /lib64/security/pam_duo.so

           auth required pam_deny.so

    

     https://duo.com/docs/duounix#pam-configuration

     https://help.duo.com/s/article/5085?language=en_US

     sudo nano /etc/ssh/sshd_config

     UsePAM yes

       ChallengeResponseAuthentication yes

       UseDNS no

        PasswordAuthentication no

           KerberosAuthentication no

           AuthenticationMethods password,keyboard-interactive

           # NOTE: THE DEFAULT IS TO HAVE KerberosOrLocalPasswd BE YES

           KerberosOrLocalPasswd no

    /etc/pam.d/system-auth

           auth    required                      pam_env.so

           auth    [success=1 default=ignore]    pam_unix.so nullok try_first_pass

           auth    required                      pam_sss.so  nullok use_first_pass

           auth    sufficient                    /lib64/security/pam_duo.so

           auth    requisite                     pam_succeed_if.so uid >=500 quiet

           auth    required                      pam_deny.so

     https://help.duo.com/s/article/4970?language=en_US  

     sudo nano /etc/pam.d/common-auth

           auth    required                      pam_env.so

           auth    [success=1 default=ignore]    pam_unix.so nullok try_first_pass

           auth    required                      pam_sss.so  nullok use_first_pass

           auth    sufficient                    /lib64/security/pam_duo.so

           auth    requisite                     pam_succeed_if.so uid >=500 quiet

           auth    required                      pam_deny.so

                    

     sudo /etc/init.d/ssh  restart

     https://duo.com/docs/duounix-faq#troubleshooting

           cd /usr/sbin

           sudo chmod +x ./duo_unix_support.sh

           sudo ./duo_unix_support.sh

      

     https://help.duo.com/s/article/4207?language=en_US

           How do I use the Duo Certificate Verification Utility (acert) to verify my certificate chain