This section describes how to edit the application-specific files of your choice in the /etc/pam.d directory to use the IBM® PowerSC™ MFA PAM module. You can also use the authconfig tool to configure PAM instead of manually editing the PAM configuration files, as described in the Red Hat Enterprise Linux Server documentation.
To use the IBM PowerSC MFA PAM module, complete the following steps:
- Use an editor of your choice to edit the application-specific files of your choice in the /etc/pam.d directory on the Red Hat Enterprise Linux Server client system.
- Change the auth section to use the IBM PowerSC MFA PAM module pam_pmfa.so and optionally pam_pmfa_fallback.so.
  The pam_pmfa.so module must be marked sufficient. If used, the pam_pmfa_fallback.so module must be marked required in the file.
  For example, the entry might be as follows:

      #%PAM-1.0
      auth required pam_sepermit.so
      auth sufficient pam_pmfa.so /etc/security/pmfa/pam_pmfa.conf
      auth required pam_pmfa_fallback.so /etc/security/pmfa/pam_pmfa.conf
      auth substack password-auth
      auth include postlogin

  In this example:
  - If the pam_pmfa.so module succeeds, the user is logged in with their IBM PowerSC MFA credentials.
  - If the pam_pmfa.so module fails, the pam_pmfa_fallback.so module is checked to determine whether the password fallback is enabled for the user:
    - If it is enabled, the pam_pmfa_fallback.so module succeeds. The password-auth value prompts the user for their Red Hat Enterprise Linux Server password.
    - If password fallback is not enabled for the user, the pam_pmfa_fallback.so module fails. The password-auth value prompts the user for their Red Hat Enterprise Linux Server password, but they cannot use the password to log in.
- Save the changes.
- Edit the /etc/ssh/sshd_config file and change the ChallengeResponseAuthentication value to yes:

      # Change to no to disable s/key passwords
      ChallengeResponseAuthentication yes
      #ChallengeResponseAuthentication no

- Save the changes.
- Restart the sshd service:

      # systemctl restart sshd.service

- Any user who attempts to log in by using an application that uses IBM PowerSC MFA authentication must be provisioned for IBM PowerSC MFA, as described in Provisioning IBM PowerSC MFA users.
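
The control-flag requirements from the steps above (pam_pmfa.so marked sufficient, pam_pmfa_fallback.so marked required) and the sshd_config setting can be checked before sshd is restarted. The following Python script is an added example, not IBM code: the function names are hypothetical, the ordering check follows from standard PAM semantics rather than from this page, and the sample stacks are constructed from the example entry above.

```python
import re

# Auth line: optional "-" prefix, control (simple or bracketed), module name or path.
AUTH_RE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def check_pam_auth(text):
    """Return a list of problems in the auth stack of one /etc/pam.d service file."""
    stack = []
    for raw in text.splitlines():
        m = AUTH_RE.match(raw.strip())
        if m:
            stack.append((m.group(1), m.group(2).rsplit("/", 1)[-1]))
    modules = [mod for _, mod in stack]
    if "pam_pmfa.so" not in modules:
        return ["pam_pmfa.so is not in the auth stack"]
    problems = []
    i = modules.index("pam_pmfa.so")
    if stack[i][0] != "sufficient":
        problems.append("pam_pmfa.so is marked %s, not sufficient" % stack[i][0])
    if "pam_pmfa_fallback.so" in modules:
        j = modules.index("pam_pmfa_fallback.so")
        if stack[j][0] != "required":
            problems.append("pam_pmfa_fallback.so is marked %s, not required" % stack[j][0])
        if j < i:
            # A failed required module ahead of pam_pmfa.so cancels its sufficient success.
            problems.append("pam_pmfa_fallback.so is listed before pam_pmfa.so")
    return problems

def challenge_response_set_yes(sshd_config):
    """True only if the global section explicitly sets the keyword to yes."""
    for raw in sshd_config.splitlines():
        fields = raw.split("#", 1)[0].replace("=", " ").split()
        if not fields:
            continue
        if fields[0].lower() == "match":
            break  # per-Match overrides are outside this check
        if fields[0].lower() == "challengeresponseauthentication" and len(fields) > 1:
            return fields[1].lower() == "yes"  # sshd keeps the first value it reads
    return False

# Constructed sample input: the stack from the example above, and a mis-flagged variant.
GOOD_PAM = """#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_pmfa.so /etc/security/pmfa/pam_pmfa.conf
auth required pam_pmfa_fallback.so /etc/security/pmfa/pam_pmfa.conf
auth substack password-auth
"""
BAD_PAM = GOOD_PAM.replace("auth sufficient pam_pmfa.so", "auth required pam_pmfa.so")
print(check_pam_auth(GOOD_PAM), check_pam_auth(BAD_PAM))
```

To check a live system, pass the contents of the edited /etc/pam.d file and of /etc/ssh/sshd_config to the two functions; an empty list and True mean the settings match the steps above.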