Hello @kopbran,
Looking at some documentation from Duo the pam_duo.conf needs to be only readable by root, so group access will not help and you'd really not want to have the sas account in the root group. Also elssrv, sasauth, and sasperm do not help in this situation as the Java process for SAS Logon Manager is the one that needs to read the pam_duo.conf file. Long-term the Authentication Proxy is the approach that would be supported and recommended.
Alternatively, I'd state again that this is not recommended and is very likely to cause issues with your environment. But given you have stated this is a proof-of-concept environment and will be removed shortly, you could do the following:
1. Edit the /etc/init.d/sas-viya-saslogon-default file and change both SASUSER=root & SASGROUP=root
2. Run systemctl daemon-reload to update SystemD
3. Stop SAS Logon Manager with systemctl stop sas-viya-saslogon-default
4. Start SAS Logon Manager with systemctl start sas-viya-saslogon-default
This should allow you to test your Duo integration.
At a bare minimum this will leave some files owned by root that will cause issues when you switch back to running SAS Logon Manager as the sas account. It also opens up the possibility of your entire system being compromised if SAS Logon Manager is compromised.
Thank you for your time.
Stuart
... View more