Hi all I'd like to ask if duo 2fa would be an interesting for the GUI to implement natively. In the meantime this is my shortcut on how to do it on Ubuntu16.
(Of course you need a duo.com account, a registered app, and every user used must be enrolled, and confirmed). This shouldn't lock ssh out of the system AFAIK.
Best, Manu
echo "deb http://pkg.duosecurity.com/Ubuntu xenial main" > /etc/apt/sources.list.d/duosecurity.list
curl -s https://duo.com/APT-GPG-KEY-DUO | sudo apt-key add -
apt-get update && apt-get install duo-unix
apt install libauthen-pam-perl
mv /etc/pam.d/webmin /etc/pam.d/webminBAK
cat > /etc/pam.d/webmin << EOF
#%PAM-1.0
#@include common-auth
auth requisite pam_unix.so nullok
auth [success=1 default=ignore] /lib64/security/pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
@include common-account
@include common-password
@include common-session
EOF
cat /etc/pam.d/webmin
cat > /etc/duo/pam_duo.conf <<EOF
[duo]
; Duo integration key
ikey = --insertikey--
; Duo secret key
skey = --insertskey--
; Duo API host
host = --inserthost--
; Send command for Duo Push authentication
;pushinfo = yes
autopush = yes
EOF
systemctl restart webmin