Editing the /etc/pam.d files on SUSE Linux Enterprise Server on IBM Z

This section describes how to edit the application-specific files of your choice in the /etc/pam.d directory to use the IBM® MFA PAM module. You can also use the pam-config tool to configure PAM instead of manually editing the PAM configuration files, as described in the SUSE Linux® Enterprise Server on IBM Z® documentation.

About this task

To use the IBM MFA PAM module, complete the following steps:

Procedure

  1. Use an editor of your choice to edit the application-specific files in the /etc/pam.d directory on the SUSE Linux Enterprise Server on IBM Z client system.
  2. Change the auth section to use the IBM MFA PAM module /usr/lib64/security/pam_azf.so and optionally /usr/lib64/security/pam_azf_fallback.so. The full path name is required.

    The /usr/lib64/security/pam_azf.so module must be marked sufficient. If used, the /usr/lib64/security/pam_azf_fallback.so module must be marked required in the file.

    For example, the sshd entry might be as follows:

    #%PAM-1.0
    auth        requisite    pam_nologin.so
    auth        sufficient   /usr/lib64/security/pam_azf.so /etc/security/azf/pam_azf.conf
    auth        required     /usr/lib64/security/pam_azf_fallback.so /etc/security/azf/pam_azf.conf
    auth        include      common-auth
    account     requisite    pam_nologin.so
    account     include      common-account
    password    include      common-password
    session     required     pam_loginuid.so
    session     include      common-session
    session     optional     pam_lastlog.so   silent noupdate showfailed
    
    In this example:
    • If the pam_azf.so module succeeds, the user is logged in with their IBM MFA credentials.
    • If the pam_azf.so module fails, the pam_azf_fallback.so module is checked to see if password fallback is enabled for the user:
      • If it is enabled, the pam_azf_fallback.so module succeeds. The common-auth value prompts the user for their SUSE Linux Enterprise Server on IBM Z password.
      • If password fallback is not enabled for the user, the pam_azf_fallback.so module fails. The common-auth value prompts the user for their SUSE Linux Enterprise Server on IBM Z password, but they cannot use the password to log in.
  3. Save the changes.
  4. For the sshd example, you must also edit the /etc/ssh/sshd_config file and change the ChallengeResponseAuthentication value to yes:
    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication yes
    #ChallengeResponseAuthentication no
  5. Save the changes.
  6. For the sshd example, restart the sshd service:
    # systemctl restart sshd
  7. Any user who attempts to log in by using an application that uses IBM MFA authentication must be provisioned for IBM MFA, as described in Provisioning IBM MFA users.
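The following script is an added example, not part of the IBM documentation: it checks a /etc/pam.d service file against the auth layout described in step 2 (pam_azf.so referenced by full path and marked sufficient, pam_azf_fallback.so marked required and placed after it, and the common-auth include after both). The function and variable names are this example's own, and the embedded sample is a constructed copy of the sshd auth section shown above.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): lint a /etc/pam.d service file
# against the auth layout described above. Simple one-word control flags only.
AZF=/usr/lib64/security/pam_azf.so
AZF_FB=/usr/lib64/security/pam_azf_fallback.so

# Auth lines of FILE with comments stripped, as "position control module".
auth_lines() {
    grep -v '^[[:space:]]*#' "$1" | awk '$1=="auth"{print NR, $2, $3}'
}

# check_mfa_pam FILE: 0 when FILE matches the documented layout, 1 otherwise.
check_mfa_pam() {
    file=$1; rc=0
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }
    lines=$(auth_lines "$file")
    # an IBM MFA module referenced by bare name is not the required full path
    printf '%s\n' "$lines" | awk 'index($3,"pam_azf")&&substr($3,1,1)!="/"{print "FAIL: not a full path:",$3; exit 1}' || rc=1
    # pam_azf.so must be present and marked sufficient
    azf=$(printf '%s\n' "$lines" | awk -v m="$AZF" '$3==m&&$2=="sufficient"{print $1; exit}')
    [ -n "$azf" ] || { echo "FAIL: no 'auth sufficient $AZF' line"; rc=1; }
    # the optional fallback module must be marked required and follow pam_azf.so
    fb=$(printf '%s\n' "$lines" | awk -v m="$AZF_FB" '$3==m{print $1, $2; exit}')
    if [ -n "$fb" ]; then
        [ "${fb#* }" = required ] || { echo "FAIL: $AZF_FB must be 'required'"; rc=1; }
        if [ -n "$azf" ] && [ "${fb%% *}" -le "$azf" ]; then
            echo "FAIL: $AZF_FB must come after pam_azf.so"; rc=1
        fi
    fi
    # common-auth (the OS password prompt) must not run before the MFA module
    ca=$(printf '%s\n' "$lines" | awk '$2=="include"&&$3=="common-auth"{print $1; exit}')
    if [ -n "$ca" ] && [ -n "$azf" ] && [ "$ca" -lt "$azf" ]; then
        echo "FAIL: 'auth include common-auth' precedes pam_azf.so"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}

# Constructed copy of the sshd auth section above, for trying the check offline.
sample_sshd() {
    cat <<'EOF'
#%PAM-1.0
auth        requisite    pam_nologin.so
auth        sufficient   /usr/lib64/security/pam_azf.so /etc/security/azf/pam_azf.conf
auth        required     /usr/lib64/security/pam_azf_fallback.so /etc/security/azf/pam_azf.conf
auth        include      common-auth
EOF
}
```

Run `sample_sshd > /tmp/sshd.pam && check_mfa_pam /tmp/sshd.pam` to see it pass, or point `check_mfa_pam` at /etc/pam.d/sshd after editing; it prints one FAIL line per deviation and exits non-zero.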