ibm_authd

The ibm_authd server is no longer used by the PAM module even if ibm_authd is enabled. For a multi-user system, the ibm_authd method is not considered secure because its local TCP/IP communication is not encrypted. If ibm_authd must be used, you can add the option "authd-force": "y" to /etc/pam_ibm_auth.json under the ibm-auth-api section.

The ibm_authd daemon is the connection and bearer token caching proxy that the Verify PAM module uses to avoid creating HTTPS connections and authenticating to the Verify server every time it is invoked.
Typically the location is /opt/ibm/ibm_auth/ibm_authd.

The daemon is used by the Verify PAM module if the "ibm-auth-api" and "authd-port" values are set in the JSON configuration file. If that configuration value is not set, then the Verify PAM module goes directly to the Verify server.

Note: ibm_authd is now only used for the --obf option and is no longer used as a daemon.

The daemon has the following options:
--conf_file=<config_file>
This option is optional and specifies the JSON configuration file that contains the connection details to the Verify server. The value defaults to /etc/pam_ibm_auth.json.
--pid_file=<pid_file>
This option is optional and specifies the file into which the daemon writes its process ID. This value defaults to /var/run/ibm_authd.pid.
--nodaemon
This option stops the server from running in the background.
--obf [ ...]
This option is a non-server operation that allows the obfuscation of a password for placement in the JSON configuration file. For example,
# /opt/ibm/ibm_auth/ibm_authd --obf passw0rd

Ch61srtgUikk0iixvYyrk4hcA5eiGMim7iDn83Ol8WY=
The output value can be used to obfuscate the "ibm-auth-api" and "client-secret" values. Remove the current "client-secret" entry and replace it with the obfuscated value. For example,
"obf-client-secret": "Ch61srtgUikk0iixvYyrk4hcA5eiGMim7iDn83Ol8WY="
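
An added example, not IBM's code: a small Python check of /etc/pam_ibm_auth.json for the settings this page describes (a plaintext "client-secret", "authd-force" set to "y", a leftover "authd-port"). It assumes these keys sit directly under the "ibm-auth-api" section; the function name and the sample values are constructed for illustration.

```python
import json
import sys

SECTION = "ibm-auth-api"  # section name as written on this page


def audit_pam_ibm_auth(config):
    """Return a list of findings for the ibm_authd-related settings."""
    api = config.get(SECTION)
    if not isinstance(api, dict):
        return ['no "%s" section found' % SECTION]
    findings = []
    # A plaintext secret should be replaced by the output of ibm_authd --obf.
    if "client-secret" in api:
        findings.append('plaintext "client-secret" present; replace it with '
                        '"obf-client-secret"')
    # "authd-force": "y" sends PAM traffic through the unencrypted local proxy.
    forced = api.get("authd-force") == "y"
    if forced:
        findings.append('"authd-force" is "y"; local TCP/IP traffic to '
                        'ibm_authd is not encrypted')
    # Without authd-force the daemon is no longer used, so the port is stale.
    if "authd-port" in api and not forced:
        findings.append('"authd-port" is set but ibm_authd is no longer used '
                        'unless "authd-force" is "y"')
    return findings


# Constructed sample configurations (placeholder values, assumed key layout).
LEGACY = {SECTION: {"client-secret": "passw0rd", "authd-port": 12345,
                    "authd-force": "y"}}
CLEANED = {SECTION: {"obf-client-secret": "<output of ibm_authd --obf>"}}

if __name__ == "__main__":
    # Audit a real file when a path is given, otherwise the legacy sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            cfg = json.load(fh)
    else:
        cfg = LEGACY
    for line in audit_pam_ibm_auth(cfg):
        print("FINDING:", line)
```

Run it with the configuration path as the only argument; no output means none of the three conditions was found.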