Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status


duosecurity (21) Versions 2.1.0

Installs/Configures duosecurity two-factor system authentication on Ubuntu/Debian

cookbook 'duosecurity', '= 2.1.0', :supermarket
cookbook 'duosecurity', '= 2.1.0'
knife supermarket install duosecurity
knife supermarket download duosecurity
Quality 50%

duosecurity Cookbook


Installs and configures either
login_duo or
pam_duo depending on the attribute

You will need to configure sshd to make use of it. See the upstream
docs for information.


  • node["duosecurity"]["integration_key"] - Required. Integration key, recommended to set from an encrypted value.
  • node["duosecurity"]["secret_key"] - Required. Secret key, recommended to set from an encrypted value.
  • node["duosecurity"]["api_hostname"] - Required. API hostname for your Duo account.
  • node["duosecurity"]["groups"] - Optional. If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern lists.
  • node["duosecurity"]["failmode"] - Optional. On service or configuration errors that prevent Duo authentication, fail "safe" (allow access) or "secure" (deny access). The default is "safe".
  • node["duosecurity"]["pushinfo"] - Optional. Include information such as the command to be executed in the Duo Push message. Either "yes" or "no". The default is "no".
  • node["duosecurity"]["http_proxy"] - Optional. Use the specified HTTP proxy, same format as the HTTP_PROXY environment variable. (honored by wget, curl, etc.).
  • node["duosecurity"]["autopush"] - Optional. Either "yes" or "no". Default is "no". If "yes", Duo Unix will automatically send a push login request to the user's phone, falling back on a phone call if push is unavailable. If "no", the user will be prompted to choose an authentication method. When configured with autopush = yes, we recommend setting prompts = 1.
  • node["duosecurity"]["motd"] - Optional. Print the contents of /etc/motd to screen after a successful login. Either "yes" or "no". The default is "no". This option is only available for login_duo.
  • node["duosecurity"]["prompts"] - Optional. If a user fails to authenticate with a second factor, Duo Unix will prompt the user to authenticate again. This option sets the maximum number of prompts that Duo Unix will display before denying access. Must be 1, 2, or 3. Default is 3. For example, when prompts = 1, the user will have to successfully authenticate on the first prompt, whereas if prompts = 2, if the user enters incorrect information at the initial prompt, he/she will be prompted to authenticate again. When configured with autopush = yes, we recommend setting prompts = 1.
  • node["duosecurity"]["accept_env_factor"] - Optional. Look for factor selection or passcode in the $DUO_PASSCODE environment variable before prompting the user for input. When $DUO_PASSCODE is non-empty, it will override autopush. The SSH client will need SendEnv DUO_PASSCODE in its configuration, and the SSH server will similarily need AcceptEnv DUO_PASSCODE. Default is "no".
  • node["duosecurity"]["fallback_local_ip"] - Optional. Duo Unix reports the IP address of the authorizing user, for the purposes of authorization and whitelisting. If Duo Unix cannot detect the IP address of the client, setting fallback_local_ip = yes will cause Duo Unix to send the IP address of the server it is running on. If you are using IP whitelisting, enabling this option could cause unauthorized logins if the local IP is listed in the whitelist.
  • node["duosecurity"]["https_timeout"] - Optional. Set to the number of seconds to wait for HTTPS responses from Duo Security. If Duo Security takes longer than the configured number of seconds to respond to the preauth API call, the configured failmode is triggered. Other network operations such as DNS resolution, TCP connection establishment, and the SSL handshake have their own independent timeout and retry logic. Default is 0, which disables the HTTPS timeout.
  • node["duosecurity"]["install_type"] - Optional. Either "source" or "package". Defaults to "source" which will compile from source code and requires a working compiler (not managed by this cookbook).
  • node["duosecurity"]["package_file"] - Instead of installing package from DUO or OS repos, install the duo-unix package from the local file specified by this path.
  • node["duosecurity"]["use_pam"] - Optional. Either "yes" or "no". Default is "no". If "yes", Duo Unix will be setup as a pam module and ssh will be configured to use it rather than the login_duo binary. Requires OpenSSH 6.2+.
  • node["duosecurity"]["pam_directory"] - Path to install pam module in if enabled and built from source. Defaults to /lib/#{node['kernel']['machine']}-linux-gnu/security.
  • node["duosecurity"]["protect_sudo"] - Optional. Either "yes" or "no". Default is "no". If "yes", then Duo two-factor authentication will be used for the sudo command if use_pam is also yes.
  • node["duosecurity"]["use_duo_repo"] - Optional. Either "yes" or "no". Default is "no". If "yes", the apt repo will be added and latest version from the repo will be preferred if install_type is set to package.
  • node["duosecurity"]["first_factor"] - Optional. Either "pubkey", "password" or undefined. pubkey will alter sshd configuration to use public key auth as first factor. password will alter sshd configuration to use password as first factor. Leaving undefined will not set default ssh authentication configuration. Requires use_pam to be yes.
  • node["duosecurity"]["apt"]["keyserver"] - Optional. Override the default keyserver for the APT repository signing key.

Dependent cookbooks

ark >= 0.0.0
pam >= 0.0.0
sshd >= 0.0.0

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

duosecurity CHANGELOG

This file is used to list changes made in each version of the duosecurity cookbook.

- [mattlqx] - Add attribute for location of pam module when installing from source.
- [mattlqx] - Add attribute to allow installing package from a local path.
- [mattlqx] - Bump duosecurity source version to 1.11.4.

- [mattlqx] - Update Duo repo GPG key source URL again.


  • [mattlqx] - Use built-in apt_update and build_essential resources. Require Chef 14+


  • [mattlqx] - Remove expired Duo repo GPG key and re-add.


  • [mattlqx] - Compatibility for Ubuntu 18.04 Bionic Beaver.


  • [mattlqx] - Bump to latest duo_unix version.
  • [whiteley] - Change metadata to support Chef 13.


  • [whiteley] - bump to latest duo_unix version


  • [mattlqx] - Add issues_url, chef_version to metadata.rb. Taken ownership of cookbook. 🤹🏻


  • [mattlqx] - Fix GPG keys for Duo Security package repo

Check the Markdown Syntax Guide for help with Markdown.

The Github Flavored Markdown page describes the differences between markdown on github and standard markdown.

Collaborator Number Metric

2.1.0 failed this metric

Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric

2.1.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Foodcritic Metric

2.1.0 passed this metric

No Binaries Metric

2.1.0 passed this metric

Testing File Metric

2.1.0 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Version Tag Metric

2.1.0 passed this metric