ibm_authd
The ibm_authd server is no longer used by the PAM module even if ibm_authd is enabled. For a multi-user system, the ibm_authd method is not considered secure because its local TCP/IP communication is not encrypted. If ibm_authd must be used, you can add the option "authd-force": "y" to /etc/pam_ibm_auth.json under the ibm-auth-api section.
The ibm_authd daemon is the connection and bearer token caching proxy that the Verify PAM module uses to avoid creating HTTPS connections and authenticating to the Verify server every time it is invoked. Typically the location is /opt/ibm/ibm_auth/ibm_authd.
The daemon is used by the Verify PAM module if the "ibm-auth-api" and "authd-port" values are set in the JSON configuration file. If that configuration value is not set, then the Verify PAM module goes directly to the Verify server.
Note: ibm_authd is now only used for the --obf option and is no longer used as a daemon.

The daemon has the following options:
- --conf_file=<config_file>
- This option is optional and specifies the JSON configuration file that contains the connection details to the Verify server. The value defaults to /etc/pam_ibm_auth.json.
- --pid_file=<pid_file>
- This option is optional and specifies the file into which the daemon writes its process ID. This value defaults to /var/run/ibm_authd.pid.
- --nodaemon
- This option stops the server from running in the background.
- --obf [ ...]
- This option is a non-server operation that allows the obfuscation of a password for placement in the JSON configuration file. For example,
    # /opt/ibm/ibm_auth/ibm_authd --obf passw0rd
    Ch61srtgUikk0iixvYyrk4hcA5eiGMim7iDn83Ol8WY=
  The value output can be used to obfuscate the "ibm-auth-api" and "client-secret" values. Remove the current "client-secret" entry and replace it with the obfuscated value. For example,
    "obf-client-secret": "Ch61srtgUikk0iixvYyrk4hcA5eiGMim7iDn83Ol8WY="
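
A configuration check for the settings described on this page, as an added example (not IBM's code): it flags a plaintext "client-secret", an "authd-force": "y" override, and a leftover "authd-port" in a pam_ibm_auth.json document. It assumes all three keys sit directly inside the "ibm-auth-api" object; the sample configs and the port number are constructed.

```python
import json
import sys

# Constructed sample configs. Placing these keys inside the "ibm-auth-api"
# object is an assumption; the port number is made up.
WEAK = """{"ibm-auth-api": {"client-secret": "passw0rd",
                            "authd-port": 12345, "authd-force": "y"}}"""
HARDENED = """{"ibm-auth-api": {
    "obf-client-secret": "Ch61srtgUikk0iixvYyrk4hcA5eiGMim7iDn83Ol8WY="}}"""


def audit(config_text):
    """Return (key, finding) tuples for the ibm-auth-api section."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [("<file>", "not valid JSON: " + exc.msg)]
    api = cfg.get("ibm-auth-api") if isinstance(cfg, dict) else None
    if not isinstance(api, dict):
        return [("ibm-auth-api", "section missing or not an object")]

    findings = []
    if "client-secret" in api:
        findings.append(("client-secret",
                         "plaintext secret; replace with obf-client-secret"))
    forced = str(api.get("authd-force", "")).strip().lower() == "y"
    if forced:
        findings.append(("authd-force",
                         "ibm_authd forced on; local TCP/IP is unencrypted"))
    elif "authd-port" in api:
        findings.append(("authd-port",
                         "stale: PAM module ignores ibm_authd without authd-force"))
    return findings


if __name__ == "__main__":
    # Audit the file named on the command line, else the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            texts = {sys.argv[1]: fh.read()}
    else:
        texts = {"WEAK": WEAK, "HARDENED": HARDENED}
    for name, text in texts.items():
        for key, finding in audit(text) or [("-", "no findings")]:
            print(f"{name}: {key}: {finding}")
```

Run it with the path to the configuration file (by default /etc/pam_ibm_auth.json) as the only argument to audit a real system.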