ibm_authd
The ibm_authd server is no longer used by the PAM module even if ibm_authd is enabled. For a multi-user system the ibm_authd method is not considered secure because its local TCP/IP communication is not encrypted. If ibm_authd must be used, you can add the option "authd-force": "y" to /etc/pam_ibm_auth.json under the ibm-auth-api section.
The ibm_authd daemon is the connection and bearer token caching proxy that the Verify PAM module uses to avoid creating HTTPS connections and authenticating to the Verify server every time it is invoked. The daemon is used by the Verify PAM module if the "ibm-auth-api" and "authd-port" values are set in the JSON configuration file. If that configuration value is not set, then the Verify PAM module goes directly to the Verify server.
Note:
ibm_authd is now only used for the --obf option and is no longer used as a daemon.
The daemon has the following options:
- --conf_file=<config_file>
- This option is optional and specifies the JSON configuration file that contains the connection details to the Verify server. The value defaults to /etc/pam_ibm_auth.json.
- --pid_file=<pid_file>
- This option is optional and specifies the file into which the daemon writes its process ID. This value defaults to /var/run/ibm_authd.pid.
- --nodaemon
- This option stops the server from running in the background.
- --obf [ ...]
- This option is a non-server operation that allows the obfuscation of a password for placement in the JSON configuration file. For example,
    # /opt/ibm/ibm_auth/ibm_authd --obf passw0rd
    Ch61srtgUikk0iixvYyrk4hcA5eiGMim7iDn83Ol8WY=
  The value output can be used to obfuscate the "ibm-auth-api" and "client-secret" values. Remove the current "client-secret" entry and replace it with the obfuscated value. For example,
    "obf-client-secret": "Ch61srtgUikk0iixvYyrk4hcA5eiGMim7iDn83Ol8WY="
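The settings described on this page can be checked with a short audit script. The following is an added example, not IBM code: it flags a plaintext "client-secret", a forced ibm_authd, and a leftover "authd-port". It assumes "authd-port" sits inside the "ibm-auth-api" section and that the file should not be accessible to other users; the sample configuration is constructed.

```python
import json
import os
import stat
import sys

# Constructed sample; only the key names are taken from the page.
SAMPLE = """{
  "ibm-auth-api": {
    "client-secret": "passw0rd",
    "authd-port": 12,
    "authd-force": "y"
  }
}"""


def audit_ibm_auth_config(text, file_mode=None):
    """Return (finding_id, message) tuples for a pam_ibm_auth.json document."""
    api = json.loads(text).get("ibm-auth-api", {})
    findings = []
    if "client-secret" in api:
        findings.append(("plaintext-secret",
                         'replace "client-secret" with "obf-client-secret" '
                         "(value from ibm_authd --obf)"))
    if str(api.get("authd-force", "")).lower() == "y":
        findings.append(("authd-forced",
                         "ibm_authd is forced on; its local TCP/IP traffic "
                         "is not encrypted"))
    elif "authd-port" in api:
        # Assumption: "authd-port" sits inside the "ibm-auth-api" section.
        findings.append(("authd-port-unused",
                         '"authd-port" is set but the PAM module no longer '
                         "uses ibm_authd without authd-force"))
    # Assumption (not from the page): the file holding the secret should not
    # be accessible to "other" users, obfuscated or not.
    if file_mode is not None and stat.S_IMODE(file_mode) & 0o007:
        findings.append(("world-accessible",
                         "configuration file is accessible to all users"))
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path) as fh:
            results = audit_ibm_auth_config(fh.read(), os.stat(path).st_mode)
    else:
        results = audit_ibm_auth_config(SAMPLE, 0o644)
    for finding_id, message in results:
        print(f"{finding_id}: {message}")
```

Run it with the path to the configuration file as the only argument; without an argument it audits the constructed sample.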