Editing the /etc/pam.d files on Red Hat Enterprise Linux for IBM Z and LinuxONE

This section describes how to edit the application-specific files of your choice in the /etc/pam.d directory to use the IBM® MFA PAM module. You can also use the authconfig tool to configure PAM instead of manually editing the PAM configuration files, as described in the Red Hat Enterprise Linux® for IBM Z® and LinuxONE documentation.

About this task

To use the IBM MFA PAM module, complete the following steps:

Procedure

  1. Use an editor of your choice to edit the application-specific files of your choice in the /etc/pam.d directory on the Red Hat Enterprise Linux for IBM Z and LinuxONE client system.
  2. Change the auth section to use the IBM MFA PAM module pam_azf.so and optionally pam_azf_fallback.so.

    The pam_azf.so module must be marked sufficient. If used, the pam_azf_fallback.so module must be marked required in the file.

    For example, for sshd the entry might be as follows:

    #%PAM-1.0
    auth       required     pam_sepermit.so
    auth       sufficient   pam_azf.so /etc/security/azf/pam_azf.conf
    auth       required     pam_azf_fallback.so /etc/security/azf/pam_azf.conf
    auth       substack     password-auth
    auth       include      postlogin
    
    In this example:
    • If the pam_azf.so module succeeds, the user is logged in with their IBM MFA credentials.
    • If the pam_azf.so module fails, the pam_azf_fallback.so module is checked to determine whether the password fallback is enabled for the user:
      • If it is enabled, the pam_azf_fallback.so module succeeds. The password-auth value prompts the user for their Red Hat Enterprise Linux for IBM Z and LinuxONE password.
      • If password fallback is not enabled for the user, the pam_azf_fallback.so module fails. The password-auth value still prompts the user for their Red Hat Enterprise Linux for IBM Z and LinuxONE password, but the login is rejected even if the password is correct, because the failure of a required module is carried to the end of the stack.
  3. Save the changes.
  4. For the sshd example, you must also edit the /etc/ssh/sshd_config file and change the ChallengeResponseAuthentication value to yes:
    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication yes
    #ChallengeResponseAuthentication no
  5. Save the changes.
  6. For the sshd example, restart the sshd service:
    # systemctl restart sshd.service
  7. Any user who attempts to log in by using an application that uses IBM MFA authentication must be provisioned for IBM MFA, as described in Provisioning IBM MFA users.
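The following is an added example, not part of the IBM documentation or the pam_azf modules: a small evaluator of Linux-PAM control-flag semantics applied to the sshd auth stack from step 2, so that the four outcomes described there (MFA success, fallback enabled with a good or bad password, fallback disabled) can be traced mechanically. The password-auth and postlogin contents are constructed stand-ins, and substack is treated like include, which is exact here because the stand-in contains no sufficient line.

```python
# Constructed stand-ins for the pam.d files the sshd stack pulls in via
# substack/include; the "sshd" entry is the example from the text above.
FILES = {
    "sshd": """#%PAM-1.0
auth       required     pam_sepermit.so
auth       sufficient   pam_azf.so /etc/security/azf/pam_azf.conf
auth       required     pam_azf_fallback.so /etc/security/azf/pam_azf.conf
auth       substack     password-auth
auth       include      postlogin
""",
    "password-auth": "auth required pam_unix.so try_first_pass\n",
    "postlogin": "",
}

def load_auth_stack(name, files=FILES):
    """Return the auth lines of a pam.d file as (control, module) pairs.
    Simplification: substack is expanded like include (exact here, since the
    stand-in password-auth has no 'sufficient' line)."""
    stack = []
    for line in files[name].splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "auth":
            continue  # comment, blank line, or a non-auth type
        control, module = parts[1], parts[2]
        if control in ("substack", "include"):
            stack.extend(load_auth_stack(module, files))
        else:
            stack.append((control, module))
    return stack

def evaluate(stack, results):
    """Apply Linux-PAM control-flag semantics; results maps module -> success."""
    failed = False  # set once a 'required' module has failed
    for control, module in stack:
        ok = results.get(module, False)
        if control == "required":
            failed = failed or not ok  # remember the failure but keep going
        elif control == "sufficient":
            if ok and not failed:
                return True  # authenticated; the rest of the stack is skipped
        elif control != "optional":
            raise ValueError(f"control flag not modelled: {control}")
    return not failed

def sshd_login(mfa_ok, fallback_enabled, password_ok, files=FILES):
    """Outcome of one sshd login attempt under the stack in files['sshd']."""
    results = {"pam_sepermit.so": True, "pam_azf.so": mfa_ok,
               "pam_azf_fallback.so": fallback_enabled, "pam_unix.so": password_ok}
    return evaluate(load_auth_stack("sshd", files), results)
```

Running the same evaluator with the pam_azf_fallback.so line changed to sufficient lets a fallback-enabled user in without any password being checked, which is why the text requires that module to be marked required.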