AIX

  • 1.  Exclude specific users from Two Factor Authentication

    Posted Mon February 08, 2021 10:18 AM
    Hi All,

    Recently, we have integrated our AIX machine with a Two Factor Authentication system and everything is working fine. But we have some users whom we do not want to be authenticated using Two Factor Authentication and need to exclude them. Can anybody help with how we can achieve this?

    Thank you,
    ANYL

    ------------------------------
    Anyl Mjn
    ------------------------------


  • 2.  RE: Exclude specific users from Two Factor Authentication

    Posted Mon February 08, 2021 11:01 AM
    What form of 2FA?

    ------------------------------
    Russell Adams
    ------------------------------



  • 3.  RE: Exclude specific users from Two Factor Authentication

    Posted Mon February 08, 2021 02:50 PM
    Hi, can you please provide more details on what solution you are using for 2FA? Is this based on the PowerSC MFA product or some other approach?
    Regards,
    Carl

    ------------------------------
    Carl Burnett
    DE, Cognitive Systems Software Development
    IBM
    ------------------------------



  • 4.  RE: Exclude specific users from Two Factor Authentication

    Posted Mon February 08, 2021 11:21 PM
    Hi,

    We are using Gemalto SafeNet Authentication Service (SAS). We have enabled Two Factor Authentication, i.e. users require a Password and OTP to log in (SSH) to the AIX Server. So, currently, all of the users require Password and OTP to log in to the server. But there are some users on the AIX Server for whom we do not want to have 2FA. Below is the configuration of /etc/pam.conf that we are using.

    vi /etc/pam.conf
    #SSHD
    sshd auth required /usr/lib/security/pam_radius_auth.so
    sshd auth required /usr/lib/security/pam_aix 
    sshd account required /usr/lib/security/pam_aix
    sshd password required /usr/lib/security/pam_aix
    sshd session required /usr/lib/security/pam_aix

    ------------------------------
    Anyl Mjn
    ------------------------------



  • 5.  RE: Exclude specific users from Two Factor Authentication

    Posted Tue February 09, 2021 11:05 AM
    Hi Anyl,

    Please try the following in pam.conf for ssh service:
    sshd auth required /usr/lib/security/pam_aix
    sshd auth sufficient /usr/lib/security/pam_permission file=/etc/allowed_users found=allow
    sshd auth sufficient /usr/lib/security/pam_radius_auth.so
    sshd account required /usr/lib/security/pam_aix
    sshd password required /usr/lib/security/pam_aix
    sshd session required /usr/lib/security/pam_aix

    The pam_permission module uses an access-control list (that contains user/group names) to determine whether or not to permit or deny authentication requests. Please see https://www.ibm.com/support/knowledgecenter/ssw_aix_72/filesreference/pam_permission.html for details about pam_permission module and its settings.

    The above auth stack requires that the AIX module (pam_aix, i.e., Password) must be successful, and either the pam_permission module or the OTP module (pam_radius_auth.so) is successful.

    ------------------------------
    Xinya Wang
    ------------------------------



  • 6.  RE: Exclude specific users from Two Factor Authentication

    Posted Thu February 11, 2021 08:07 AM
    Edited by Anyl Mjn Thu February 11, 2021 08:41 AM
    Hi,

    With the above configuration, it did not ask for OTP; it only asks for password.

    ------------------------------
    Anyl Mjn
    ------------------------------



  • 7.  RE: Exclude specific users from Two Factor Authentication

    Posted Thu February 11, 2021 09:44 AM
    Hi,

    Sorry for the incomplete information. We have configured the below in /etc/ssh/sshd_config as well.

    passwordauthentication no
    challengeresponseauthentication yes

    So currently, with this configuration, it will ask for OTP first and then password.

    ------------------------------
    Anyl Mjn
    ------------------------------



  • 8.  RE: Exclude specific users from Two Factor Authentication

    Posted Tue June 07, 2022 11:26 AM
    Hello,

    We have some problems like your case.
    We have SafeNet MFA and AIX 7.2 OS, and we need to exclude root and some other users from MFA for SSH connections.
    We have tried your pam.conf file before, but for us it does not give the required results.
    In various combinations of these parameters in the configuration file we got different results, in the sense that it either asks all users for OTP + PIN, or does not ask for OTP or password.
    However, among all these cases, we do not manage to get the desired combination for our necessary case.
    Simply, we would like to exclude the root account from MFA authentication (login with password), and still have the other personal accounts with MFA (OTP + PIN).

    Can you please help us in some way, give us instructions or send us your pam.conf file and sshd.conf file?
    Best regards,

    ------------------------------
    Izudin Husić
    ------------------------------



  • 9.  RE: Exclude specific users from Two Factor Authentication

    Posted Tue June 07, 2022 01:11 PM
    I’m working blind here… but, keep in mind your pam.conf file (as I recall) is order dependent. If you have root authorized in a line before a line that requires further authentication, then the first rule takes effect.
    It’s been many years since I’ve dug into PAM rules, but that’s what I recall.
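The following is an added example, not code from any poster or from the AIX PAM library: a small model of the `required` / `sufficient` control-flag rules described in the IBM pam.conf reference, applied to the sshd auth stack suggested in reply 5 and to the order dependence mentioned in reply 9. All users, passwords, OTPs and the allow-list contents are constructed sample data; the `authenticate` function and module stand-ins are hypothetical names. Run a wrong-OTP attempt against the real system to confirm whether it behaves like the model's fourth case.

```python
# Model of PAM control-flag semantics (required / sufficient) applied to the
# sshd auth stack from this thread. Added example: not the poster's code and
# not the AIX PAM library; it follows the control-flag rules in the IBM
# pam.conf reference. All users, passwords and OTPs are constructed sample data.

PASSWORDS = {"root": "r00t-pw", "alice": "alice-pw"}  # what pam_aix would check
ALLOWED_USERS = {"root"}                              # stands in for /etc/allowed_users
VALID_OTPS = {"alice": "123456"}                      # what pam_radius_auth would check

def pam_aix(user, creds, prompts):
    prompts.append("Password")
    return PASSWORDS.get(user) == creds.get("password")

def pam_permission(user, creds, prompts):
    # found=allow: listed users are allowed, every other user is denied. No prompt.
    return user in ALLOWED_USERS

def pam_radius_auth(user, creds, prompts):
    prompts.append("OTP")
    return VALID_OTPS.get(user) == creds.get("otp")

# The stack from reply 5, in file order: (control flag, module).
AUTH_STACK = [("required", pam_aix), ("sufficient", pam_permission), ("sufficient", pam_radius_auth)]
# Same modules with the allow-list moved ahead of the password check (the ordering point in reply 9).
REORDERED_STACK = [("sufficient", pam_permission), ("required", pam_aix), ("sufficient", pam_radius_auth)]

def authenticate(stack, user, creds):
    """Walk the stack in order; return (success, list of prompts the user saw)."""
    prompts, required_failed, any_success = [], False, False
    for control, module in stack:
        ok = module(user, creds, prompts)
        any_success = any_success or ok
        if control == "required" and not ok:
            required_failed = True        # remembered, but later modules still run
        elif control == "sufficient" and ok and not required_failed:
            return True, prompts          # short-circuit: nothing below is evaluated
        # a failing 'sufficient' module is simply ignored
    return (not required_failed) and any_success, prompts

if __name__ == "__main__":
    # Allow-listed root: password only, OTP never prompted.
    print(authenticate(AUTH_STACK, "root", {"password": "r00t-pw"}))
    # Ordinary user: password then OTP, both needed.
    print(authenticate(AUTH_STACK, "alice", {"password": "alice-pw", "otp": "123456"}))
    print(authenticate(AUTH_STACK, "alice", {"password": "wrong", "otp": "123456"}))
    # Under this model a wrong OTP is ignored once the required password passed; verify on the real box.
    print(authenticate(AUTH_STACK, "alice", {"password": "alice-pw", "otp": "000000"}))
    # With the allow-list first, root is never prompted for anything.
    print(authenticate(REORDERED_STACK, "root", {}))
```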