duo_unix

Autopush with password pushes prompt twice

Open tilghman opened this issue 9 months ago • 5 comments

Description

When pam_duo.conf specifies autopush, and the sshd AuthenticationMethods include a combination of "password,keyboard-interactive", Duo pushes the request twice before authentication can succeed. This does NOT occur if a publickey is offered and authenticates. Also, turning off autopush similarly allows a single push to authenticate the user.

We are currently running RHEL 7 and RHEL 9, with the behavior observable on both. RHEL 7 is likely less of a concern, as it reaches EOL in under 60 days.

Expected Behavior

When autopush is turned on in combination with a password, Duo should authenticate the user after a single push.

Actual Behavior

Two pushes are sent to the user device, after which authentication succeeds.

Steps to Reproduce

  1. Configure sshd_config with AuthenticationMethods set to "publickey,keyboard-interactive password,keyboard-interactive" (order of these options does not change the result).
  2. Configure autopush=yes in /etc/duo/pam_duo.conf
  3. ssh in as a user without a publickey set
  4. Observe double push
  5. Configure autopush=no in /etc/duo/pam_duo.conf
  6. ssh in as a user without a publickey set
  7. Observe a single push is sufficient for authentication.
  8. Set an SSH key for the user.
  9. Set autopush=yes in /etc/duo/pam_duo.conf
  10. ssh in as a user
  11. Observe that a single push is sufficient with a publickey providing the other half of authentication.

Workarounds

Turning off autopush is sufficient to work here. However, we would prefer to have autopush turned on.

tilghman, May 08 '24 15:05
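A check for the configuration combination in the reproduction steps above, as an added example that is not part of the original issue or the duo_unix project. The function names and sample inputs are constructed, and only the `yes` value used in the issue is treated as enabling autopush.

```shell
#!/bin/sh
# Added example; function names and sample inputs are constructed for illustration.
# On a host, pass "$(sshd -T)" and "$(cat /etc/duo/pam_duo.conf)" instead.

# Print every AuthenticationMethods list that requires both password and
# keyboard-interactive, the combination the issue reports as double-pushing.
password_kbdint_lists() {
    printf '%s\n' "$1" | awk '
        { gsub(/"/, "") }                      # tolerate a quoted value
        tolower($1) == "authenticationmethods" {
            for (i = 2; i <= NF; i++) {
                n = split($i, m, ","); pw = 0; ki = 0
                for (j = 1; j <= n; j++) {
                    sub(/:.*/, "", m[j])       # keyboard-interactive:pam -> keyboard-interactive
                    if (m[j] == "password") pw = 1
                    if (m[j] == "keyboard-interactive") ki = 1
                }
                if (pw && ki) print $i
            }
        }'
}

# Print "yes" if the pam_duo.conf text sets autopush=yes, otherwise "no".
autopush_enabled() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*[;#]/ { next }                 # skip comment lines
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t\r]/, "", val) }
        tolower(key) == "autopush" { state = (tolower(val) == "yes") ? "yes" : "no" }
        END { print (state == "" ? "no" : state) }'
}

# Report whether both conditions from the issue are present.
check_config() {
    lists=$(password_kbdint_lists "$1")
    if [ -n "$lists" ] && [ "$(autopush_enabled "$2")" = "yes" ]; then
        echo "affected: $lists"
    else
        echo "not affected"
    fi
}

# Constructed sample inputs mirroring steps 1 and 2 of the issue.
SSHD_SAMPLE='usepam yes
authenticationmethods publickey,keyboard-interactive password,keyboard-interactive'
DUO_SAMPLE='[duo]
autopush = yes'

check_config "$SSHD_SAMPLE" "$DUO_SAMPLE"
```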