Editing the /etc/pam.d files on Red Hat Enterprise Linux Server

This section describes how to edit the application-specific files of your choice in the /etc/pam.d directory to use the IBM® PowerSC™ MFA PAM module. You can also use the authconfig tool to configure PAM instead of manually editing the PAM configuration files, as described in the Red Hat Enterprise Linux Server documentation.

To use the IBM PowerSC MFA PAM module, complete the following steps:
  1. Use an editor of your choice to edit the application-specific files that you want to change in the /etc/pam.d directory on the Red Hat Enterprise Linux Server client system.
  2. Change the auth section to use the IBM PowerSC MFA PAM module pam_pmfa.so and optionally pam_pmfa_fallback.so.

    The pam_pmfa.so module must be marked sufficient. If used, the pam_pmfa_fallback.so module must be marked required in the file.

    For example, the entry might be as follows:

    #%PAM-1.0
    auth       required     pam_sepermit.so
    auth       sufficient   pam_pmfa.so /etc/security/pmfa/pam_pmfa.conf
    auth       required     pam_pmfa_fallback.so /etc/security/pmfa/pam_pmfa.conf
    auth       substack     password-auth
    auth       include      postlogin
    
    In this example:
    • If the pam_pmfa.so module succeeds, the user is logged in with their IBM PowerSC MFA credentials.
    • If the pam_pmfa.so module fails, the pam_pmfa_fallback.so module is checked to determine whether the password fallback is enabled for the user:
      • If it is enabled, the pam_pmfa_fallback.so module succeeds. The password-auth value prompts the user for their Red Hat Enterprise Linux Server password.
      • If password fallback is not enabled for the user, the pam_pmfa_fallback.so module fails. The password-auth value prompts the user for their Red Hat Enterprise Linux Server password, but they cannot use the password to log in.
  3. Save the changes.
  4. Edit the /etc/ssh/sshd_config file and change the ChallengeResponseAuthentication value to yes:
    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication yes
    #ChallengeResponseAuthentication no
  5. Save the changes.
  6. Restart the sshd service:
    # systemctl restart sshd.service
  7. Any user who attempts to log in by using an application that uses IBM PowerSC MFA authentication must be provisioned for IBM PowerSC MFA, as described in Provisioning IBM PowerSC MFA users.
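
The following script is an added example, not part of the IBM documentation or the PowerSC MFA product. It checks an edited PAM service file and an sshd_config file against the rules in steps 2 and 4. The function names check_pmfa_pam and check_sshd_cr are hypothetical, and the sample input at the end is constructed.

```shell
#!/bin/sh
# Added example (not IBM code): lint a PAM service file and an sshd_config
# against the rules in the steps above. Each function reads the named file,
# or standard input when no file is given.

# Pass when pam_pmfa.so is on an auth line marked "sufficient" and, if used,
# pam_pmfa_fallback.so is marked "required". Requiring the fallback line to
# follow pam_pmfa.so is an assumption taken from the order in the example.
# Lines that use a bracketed [value=action] control are not parsed, so a
# pam_pmfa.so line written that way is reported as missing.
check_pmfa_pam() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }              # blank lines and comments
        $1 != "auth" && $1 != "-auth" { next }     # only the auth stack
        { n = split($3, p, "/"); mod = p[n] }      # module name without path
        mod == "pam_pmfa.so" {
            seen = 1
            if ($2 != "sufficient") { print "line " NR ": pam_pmfa.so is " $2 ", must be sufficient"; bad = 1 }
        }
        mod == "pam_pmfa_fallback.so" {
            if ($2 != "required") { print "line " NR ": pam_pmfa_fallback.so is " $2 ", must be required"; bad = 1 }
            if (!seen) { print "line " NR ": pam_pmfa_fallback.so precedes pam_pmfa.so"; bad = 1 }
        }
        END {
            if (!seen) { print "no auth line loads pam_pmfa.so"; bad = 1 }
            exit bad + 0
        }
    ' "$@"
}

# Pass when the first uncommented ChallengeResponseAuthentication line says
# "yes"; sshd keeps the first value it reads for a keyword.
check_sshd_cr() {
    awk '
        tolower($1) == "challengeresponseauthentication" { found = 1; val = $2; exit }
        END {
            if (val != "yes") { print "ChallengeResponseAuthentication is " (found ? val : "not set") ", must be yes"; exit 1 }
        }
    ' "$@"
}

# Constructed sample: the fallback line is wrongly marked "sufficient", so a
# fallback success would end the auth stack before password-auth is reached.
check_pmfa_pam <<'EOF' || echo "PAM sample rejected"
#%PAM-1.0
auth       sufficient   pam_pmfa.so /etc/security/pmfa/pam_pmfa.conf
auth       sufficient   pam_pmfa_fallback.so /etc/security/pmfa/pam_pmfa.conf
auth       substack     password-auth
EOF
```

Run the two functions against each file edited in step 1 and against /etc/ssh/sshd_config before restarting sshd in step 6. The command sshd -t separately checks that sshd_config itself is valid.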