Enabling only IBM MFA Out-of-Band login

Set the value of the CTC-PROMPT-ONLY field to make IBM® MFA Out-of-Band authentication mandatory or optional. The CTC-PROMPT-ONLY field setting affects all users and all IBM MFA authentication methods on the PAM client.

About this task

Set the value of the CTC-PROMPT-ONLY field to one of the following:
  • If you want the users on an IBM MFA client system to use only the IBM MFA Out-of-Band authentication type, set the CTC-PROMPT-ONLY setting to Y.
  • If you want users to be able to log in with either the IBM MFA Out-of-Band or the in-band authentication type, set the CTC-PROMPT-ONLY setting to N. See Using in-band authentication with PAM.
You might want the users to use the IBM MFA Out-of-Band login type for the following reasons:
  • You can use the cache token credential (CTC) in cases where the application replays the user password. In-band token codes can be used only once, which causes problems for applications that cache and replay passwords.
  • You can set the user to use certificate authentication for authenticating to the IBM MFA Out-of-Band web page, including certificates stored on Personal Identification Verification (PIV) and Common Access Card (CAC) cards.
  • The IBM MFA Out-of-Band web page interface is typically more convenient to use than satisfying multiple authentication methods in-band.
To enable only the IBM MFA Out-of-Band login type, complete the following steps:
Note: Do not add preceding or trailing spaces to an entry. They can result in an Error processing MFA request error.

Procedure

  1. Use an editor to edit the /etc/security/azf/pam_azf.conf file on the IBM MFA client system.
  2. Set the value of the CTC-PROMPT-ONLY field as appropriate.
    For example, if you set the value to Y, the user must use the IBM MFA Out-of-Band web page to get a CTC:
    $ ssh user@system.your-domain.com
    Enter CTC:
    
    If you set the value to N, the user is prompted either to type an MFA policy name for in-band authentication or to press Enter and then supply a CTC:
    $ ssh user@system.your-domain.com
    Type MFA Policy Name or press Enter for CTC:
    
  3. Save the changes.
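The following shell script is an added example, not part of the IBM documentation or of IBM MFA. It wraps the procedure above so the value is written without the leading or trailing spaces that the note warns about, and it verifies the entry afterwards. It assumes pam_azf.conf holds one "FIELD: value" entry per line (the separator regex also accepts "="); if the file on your system uses a different layout, adjust the patterns. The demo at the end works on a constructed temporary copy rather than on /etc/security/azf/pam_azf.conf.

```shell
#!/bin/sh
# Added example (not IBM code). Assumed format: one "FIELD: value" per line.
set -eu

# set_ctc_prompt_only FILE VALUE
# Writes CTC-PROMPT-ONLY as Y or N, replacing an existing entry or appending
# one. Any other value is rejected before the file is touched.
set_ctc_prompt_only() {
    file=$1
    value=$2
    case "$value" in
        Y|N) ;;
        *) echo "CTC-PROMPT-ONLY must be Y or N, got '$value'" >&2; return 1 ;;
    esac
    if grep -q '^[[:space:]]*CTC-PROMPT-ONLY[[:space:]]*[:=]' "$file"; then
        # Rewrite the existing line: keep the field name and separator,
        # emit exactly one space and the value, no leading/trailing blanks.
        sed 's/^[[:space:]]*\(CTC-PROMPT-ONLY[[:space:]]*[:=]\).*$/\1 '"$value"'/' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'CTC-PROMPT-ONLY: %s\n' "$value" >> "$file"
    fi
}

# get_ctc_prompt_only FILE
# Prints the raw value of the last CTC-PROMPT-ONLY entry (empty if absent).
get_ctc_prompt_only() {
    sed -n 's/^[[:space:]]*CTC-PROMPT-ONLY[[:space:]]*[:=][[:space:]]*\(.*\)$/\1/p' "$1" \
        | tail -n 1
}

# check_ctc_prompt_only FILE
# Returns 0 only if the entry exists, has no leading or trailing whitespace
# (the "Error processing MFA request" trap from the note) and is Y or N.
check_ctc_prompt_only() {
    file=$1
    line=$(grep 'CTC-PROMPT-ONLY' "$file" | tail -n 1)
    [ -n "$line" ] || { echo "no CTC-PROMPT-ONLY entry in $file" >&2; return 1; }
    case "$line" in
        [[:space:]]*|*[[:space:]])
            echo "leading/trailing whitespace in entry: [$line]" >&2; return 1 ;;
    esac
    value=${line#*[:=]}   # strip field name and separator
    value=${value# }      # allow one space after the separator
    case "$value" in
        Y|N) return 0 ;;
        *) echo "unexpected CTC-PROMPT-ONLY value: [$value]" >&2; return 1 ;;
    esac
}

# Demo on a constructed sample file (not a real pam_azf.conf).
demo=$(mktemp)
printf 'PAM-MFA-AUTH-URL: https://mfa.example.com\nCTC-PROMPT-ONLY: N\n' > "$demo"
set_ctc_prompt_only "$demo" Y          # Out-of-Band only
echo "CTC-PROMPT-ONLY is now: $(get_ctc_prompt_only "$demo")"
check_ctc_prompt_only "$demo" && echo "entry OK"
rm -f "$demo"
```

To apply it to a live client, run set_ctc_prompt_only against /etc/security/azf/pam_azf.conf as root and then check_ctc_prompt_only on the same file before testing an ssh login; the check catches exactly the stray whitespace that produces the "Error processing MFA request" failure.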