More of a feature request, would like to have ,push# implemented like the Fortinet VPN module has

[cgibbsaces]

This may be more of a feature request I suppose but is causing me major issues.

We have a generic user that multiple people use to login to a web interface, problem is with autopush off there is no way to tell it what option to use so login's always fail.

For example, with Fortinet vpn duo module, we can have one account, say admin for example, then when the user goes to put in their password they can do ,push# (# being what user you are in the list in the duo portal, so if you are the second user listed you would do ,push2 or for a call ,call2 etc.) right after their password (no spaces) and that signifies what user/phone in DUO to send it to.

This allows us to use one account but give the users an option to send to what device or user we need it to go to along with what option you want push, call, etc.

Steps to reproduce

1. Create one user on linux with webmin, and create that user in duo and add two different phones to it, set autopush to off, ssh gives you the options but when logging into webmin it will just fail.

Specs

Ubuntu 20.04 LTS - ESXi host VM

[AaronAtDuo]

@cgibbsaces perhaps I am misunderstanding the request -- but the Duo PAM module doesn't (and shouldn't) have access to the user's password, so I don't think we can accomplish this.

The reason it's possible for VPNs is because that uses a different product which does receive the user password and can split it, sending each piece to the relevant authenticator.

Even if we somehow did get ahold of the user password and split off the factor selection, the concatenated password would have presumably failed password authentication - the Duo PAM module definitely won't have the capability to modify the password in that case.

[AaronAtDuo]

Closing as impossible for the reasons noted above.