Overview

This document provides an overview of the IBM® Security Verify Gateway for Linux PAM and AIX® PAM (Pluggable Authentication Modules) that were developed to provide Multi-Factor Authentication (MFA) via Verify. The Gateway for Linux PAM and AIX PAM supports both first and second factor authentication by using IBM Security Verify.

This document describes the functionality that is provided in these versions of the PAM module.

Note: IBM Security Verify Gateway for Linux PAM and AIX PAM (Pluggable Authentication Modules) on Linux® is not affiliated in any way with Linux-PAM open source project that is described at http://www.linux-pam.org.

IBM Security Verify Gateway for Linux PAM (Pluggable Authentication Modules), version 1.0.7
IBM Security Verify Gateway for AIX PAM (Pluggable Authentication Modules), version 1.0.4.

On Linux systems, you can verify your version number by running the appropriate command, either rpm -q or dpkg -s. On AIX systems, you can verify the version by using

lslpp
-f

pam_ibm_auth.rte

The IBM Security Verify Gateway for Linux PAM and AIX PAM (Pluggable Authentication Modules) modules have the component pam_ibm_auth.

Note:

The ibm_authd server is no longer used by the PAM modules even if ibm_authd is enabled. For a multi-user system, the ibm_authd method is not considered secure because its local TCP/IP communication is not encrypted. If ibm_authd must be used, you can add the option "authd-force”: “y” to /etc/pam_ibm_auth.json under the ibm-auth-api section.
Processes that invoke the pam_ibm_auth module must have an effective user ID of root.

Supported operating systems

Red Hat Enterprise Linux 7 x86-64
Red Hat® Enterprise Linux 8 on s390x (zLinux)
Red Hat Enterprise Linux 8 x86-64
Red Hat Enterprise Linux 8 ppc64le
Red Hat® Enterprise Linux 9 on s390x (zLinux)
Red Hat Enterprise Linux 9 x86-64
Red Hat Enterprise Linux 9 ppc64le
Fedora 38
Debian 10 x86-64
Debian 11 x86-64
Debian 11 ppc64el
Debian 11 s390x (zLinux)
Debian 12 x86-64
Debian 12 ppc64el
Debian 12 s390x (zLinux)
openSUSE Leap 15.5
SUSE Linux Enterprise Server 15 x86-64
SUSE Linux Enterprise Server 15 ppc64le
SUSE Linux Enterprise Server 15 s390x(zLinux)
SUSE Linux Enterprise Server 12 on s390x (zLinux)
Centos 7 x86-64
Ubuntu 22.04 x86-64
Ubuntu 22.04 ppc64el
Ubuntu 22.04 s390x (zLinux)
Ubuntu 20.04 x86-64
Ubuntu 20.04 ppc64el
Ubuntu 20.04 s390x (zLinux)
Ubuntu 18.04 x86-64
Ubuntu 16.04 x86-64
AIX 7.2
AIX 7.3

Operating System	Linux PAM .zip files (contained in ISVGForLinuxPAM`version`.zip)
Red Hat Enterprise Linux 7 x86-64	rhel-7.zip
Red Hat® Enterprise Linux 8 s390x (zLinux)	rhel-8.zip
Red Hat Enterprise Linux 8 x86-64	rhel-8.zip
Red Hat Enterprise Linux 8 ppc64le	rhel-8.zip
Red Hat® Enterprise Linux 9 s390x (zLinux)	rhel-9.zip
Red Hat Enterprise Linux 9 x86-64	rhel-9.zip
Red Hat Enterprise Linux 9 ppc64le	rhel-9.zip
Fedora 38	fedora-38.zip
Debian 10 x86-64	debian-10.zip
Debian 11 x86-64	debian-11.zip
Debian 11 ppc64el	debian-11.zip
Debian 11 s390x	debian-11.zip
Debian 12 x86-64	debian-12.zip
Debian 12 ppc64el	debian-12.zip
Debian 12 s390x	debian-12.zip
openSUSE Leap 15.5	opensuse-15.zip
SUSE Linux Enterprise Server 15 x86-64	opensuse-15.zip
SUSE Linux Enterprise Server 15 ppc64le	opensuse-15.zip
SUSE Linux Enterprise Server 15 s390x (zLinux)	opensuse-15.zip
SUSE Linux Enterprise Server 12 s390x (zLinux)	opensuse-12.zip
Centos 7 x86-64	centos-7.zip
Ubuntu 22.04 x86-64	debian-12.zip
Ubuntu 22.04 ppc64el	debian-12.zip
Ubuntu 22.04 s390x	debian-12.zip
Ubuntu 20.04 x86-64	debian-11.zip
Ubuntu 20.04 ppc64el	debian-11.zip
Ubuntu 20.04 s390x	debian-11.zip
Ubuntu 18.04 x86-64	debian-10.zip

Operating System	AIX PAM .zip file
AIX 7.2	IBMSecurityVerifyGatewayForAIXPAM_`version`.zip
AIX 7.3	IBMSecurityVerifyGatewayForAIXPAM_`version`.zip

Note: AIX systems must have a minimum OpenSSL AIX VRMF 3.0.10.1000.

Requirements

IBM Security Verify API client

The client must have the following entitlements:

Authenticate any user
Read second-factor authentication enrollment for all users
Read users and groups