This section describes how to edit the application-specific files of your choice in the
/etc/pam.d directory to use the IBM® MFA PAM module. You can also use the
pam-config tool to configure PAM instead of manually editing the PAM
configuration files, as described in the SUSE Linux® Enterprise Server on IBM Z® documentation.
About this task
To use the IBM MFA PAM module, complete the
following steps:
Procedure
-
Use an editor of choice to edit the application-specific files of your choice in the
/etc/pam.d directory on the SUSE Linux Enterprise Server on IBM Z
client system.
-
Change the auth section to use the IBM MFA PAM module
/usr/lib64/security/pam_azf.so and optionally
/usr/lib64/security/pam_azf_fallback.so. The full path name is required.
The /usr/lib64/security/pam_azf.so module must be marked
sufficient. If used, the
/usr/lib64/security/pam_azf_fallback.so module must be marked
required in the file.
For example, the sshd entry might be as follows:
#%PAM-1.0
auth requisite pam_nologin.so
auth sufficient /usr/lib64/security/pam_azf.so /etc/security/azf/pam_azf.conf
auth required /usr/lib64/security/pam_azf_fallback.so /etc/security/azf/pam_azf.conf
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed
In this example:
- If the pam_azf.so module succeeds, the user is logged in with their
IBM MFA credentials. Because the module is marked sufficient, PAM stops processing the auth stack at that point; the common-auth entry is never reached and no password prompt is shown.
- If the pam_azf.so module fails, the
pam_azf_fallback.so module is checked to see if password fallback is enabled
for the user:
- If it is enabled, the pam_azf_fallback.so module succeeds. The
common-auth entry prompts the user for their SUSE Linux Enterprise Server on IBM Z password.
- If password fallback is not enabled for the user, the pam_azf_fallback.so
module fails. Because it is marked required, PAM records the failure but still runs the rest of the stack, so the common-auth entry prompts the user for their SUSE Linux Enterprise Server on IBM Z password. The authentication result is already failure at that point, so the password cannot be used to log in.
-
Save the changes.
-
For the sshd example, you must also edit the
/etc/ssh/sshd_config file and change the
ChallengeResponseAuthentication value to yes, so that sshd passes the PAM prompts to the client through keyboard-interactive authentication. (In OpenSSH 8.7 and later this keyword is an alias of KbdInteractiveAuthentication; either name works.) sshd consults PAM only when UsePAM is set to yes, so confirm that this setting has not been turned off. sshd uses the first value it finds for a keyword, so a yes added below an existing ChallengeResponseAuthentication no line has no effect; change the existing line instead:
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
-
Save the changes.
-
For the sshd example, restart the sshd service so that it reads the new configuration (on a systemd-based SUSE Linux Enterprise Server, for example, systemctl restart sshd).
-
Any user who attempts to log in by using an application that uses IBM MFA authentication must be provisioned for IBM MFA, as described in Provisioning IBM MFA users.
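The checks a practitioner would run after completing the steps above, as an added example that is not IBM's or SUSE's code: a POSIX shell lint that reads a /etc/pam.d service file and an sshd_config and reports whether they match what this procedure requires. The function names (check_pam_auth, check_sshd_config, write_samples), the messages and the sample files are hypothetical; only the module paths, the control flags and the sshd keywords come from the procedure.

```shell
#!/bin/sh
# Added example (not IBM's or SUSE's code): lint the IBM MFA PAM settings this
# procedure produces before sshd is restarted. Function names, messages and the
# sample files are hypothetical.
#   check_pam_auth <pam.d file>     pam_azf.so must be "sufficient";
#                                   pam_azf_fallback.so, if present, must be
#                                   "required" and listed after it; both by full path
#   check_sshd_config <sshd_config> UsePAM yes; ChallengeResponseAuthentication not "no"
# Each prints "ok" or "fail: <reason>".

AZF='/usr/lib64/security/pam_azf.so'
AZF_FALLBACK='/usr/lib64/security/pam_azf_fallback.so'

check_pam_auth() {
    awk -v azf="$AZF" -v fb="$AZF_FALLBACK" '
        /^[[:space:]]*#/ || NF == 0 { next }       # comments and blank lines
        $1 != "auth" { next }                       # only the auth stack is checked
        { n++ }                                     # position within the auth stack
        $3 == azf { azf_pos = n; azf_ctl = $2 }
        $3 == fb  { fb_pos = n;  fb_ctl = $2 }
        # an IBM MFA module given without its full path is a defect, not a match
        $3 ~ /(^|\/)pam_azf(_fallback)?\.so$/ && $3 !~ /^\// {
            err = "fail: " $3 " must be given by full path"; exit
        }
        END {
            if (err)                     { print err; exit }
            if (!azf_pos)                { print "fail: " azf " missing from auth stack"; exit }
            if (azf_ctl != "sufficient") { print "fail: " azf " must be sufficient, is " azf_ctl; exit }
            if (fb_pos && fb_ctl != "required") { print "fail: " fb " must be required, is " fb_ctl; exit }
            if (fb_pos && fb_pos < azf_pos)     { print "fail: " fb " must be listed after " azf; exit }
            print "ok"
        }' "$1"
}

check_sshd_config() {
    # sshd keeps the first value it sees for a keyword, so a "yes" appended below an
    # existing "no" is ignored. ChallengeResponseAuthentication is an alias of
    # KbdInteractiveAuthentication (OpenSSH 8.7+), so both names are folded together.
    # Only the "Keyword value" form is parsed; Match and Include blocks are not modelled.
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            key = tolower($1)
            if (key == "challengeresponseauthentication") key = "kbdinteractiveauthentication"
            if (!(key in val)) val[key] = tolower($2)
        }
        END {
            if (val["usepam"] != "yes") { print "fail: UsePAM must be yes or sshd never calls PAM"; exit }
            if (("kbdinteractiveauthentication" in val) && val["kbdinteractiveauthentication"] != "yes") {
                print "fail: ChallengeResponseAuthentication must be yes"; exit
            }
            print "ok"
        }' "$1"
}

# Constructed sample inputs (not real system files), written into directory $1.
write_samples() {
    printf '%s\n' '#%PAM-1.0' \
        'auth     requisite  pam_nologin.so' \
        'auth     sufficient /usr/lib64/security/pam_azf.so /etc/security/azf/pam_azf.conf' \
        'auth     required   /usr/lib64/security/pam_azf_fallback.so /etc/security/azf/pam_azf.conf' \
        'auth     include    common-auth' \
        'account  include    common-account' > "$1/pam_sshd.good"
    # control flags swapped: pam_azf.so marked required instead of sufficient
    printf '%s\n' '#%PAM-1.0' \
        'auth     required   /usr/lib64/security/pam_azf.so /etc/security/azf/pam_azf.conf' \
        'auth     sufficient /usr/lib64/security/pam_azf_fallback.so /etc/security/azf/pam_azf.conf' \
        'auth     include    common-auth' > "$1/pam_sshd.bad"
    printf '%s\n' 'UsePAM yes' \
        '# Change to no to disable s/key passwords' \
        'ChallengeResponseAuthentication yes' \
        '#ChallengeResponseAuthentication no' > "$1/sshd_config.good"
    # "yes" appended below an existing "no": sshd keeps the first value
    printf '%s\n' 'UsePAM yes' \
        'ChallengeResponseAuthentication no' \
        'ChallengeResponseAuthentication yes' > "$1/sshd_config.bad"
}

WORK=$(mktemp -d)
write_samples "$WORK"
for f in pam_sshd.good pam_sshd.bad; do
    printf '%-18s %s\n' "$f:" "$(check_pam_auth "$WORK/$f")"
done
for f in sshd_config.good sshd_config.bad; do
    printf '%-18s %s\n' "$f:" "$(check_sshd_config "$WORK/$f")"
done
rm -rf "$WORK"
```

Run the two functions against the real /etc/pam.d/sshd and /etc/ssh/sshd_config before restarting sshd; a failed check here is cheaper than a lockout over SSH. The sshd check deliberately parses the file the way sshd does (first occurrence wins) rather than simply grepping for "yes", because the stock file already carries a commented and sometimes an active ChallengeResponseAuthentication line.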