Hello,
We have some problems like in your case.
We have SafeNet MFA and AIX 7.2 OS, and we need to exclude root and some other users from MFA for SSH connections.
We have tried your pam.conf file before, but for us it does not give the required results.
With various combinations of these parameters in the configuration file we got different results: either it asks all users for OTP + PIN, or it does not ask for OTP or password.
However, among all these cases, we do not manage to get the desired combination for our case.
Simply put, we would like to exclude the root account from MFA authentication (login with password) and still have the other personal accounts use MFA (OTP + PIN).
Can you please help us in some way, give us instructions, or send us your pam.conf file and sshd.conf file?
Best regards
------------------------------
Izudin Husić
------------------------------
Original Message:
Sent: Thu February 11, 2021 09:44 AM
From: Anyl Mjn
Subject: Exclude specific users from Two Factor Authentication
Hi,
Sorry for the incomplete information. We have also configured the following in /etc/ssh/sshd_config.
passwordauthentication no
challengeresponseauthentication yes
So currently, with this configuration, it asks for the OTP first and then the password.
------------------------------
Anyl Mjn
Original Message:
Sent: Thu February 11, 2021 08:06 AM
From: Anyl Mjn
Subject: Exclude specific users from Two Factor Authentication
Hi,
With the above configuration, it did not ask for OTP; it only asks for the password.
------------------------------
Anyl Mjn
Original Message:
Sent: Tue February 09, 2021 11:05 AM
From: Xinya Wang
Subject: Exclude specific users from Two Factor Authentication
Hi Anyl,
Please try the following in pam.conf for the ssh service:
sshd auth required /usr/lib/security/pam_aix
sshd auth sufficient /usr/lib/security/pam_permission file=/etc/allowed_users found=allow
sshd auth sufficient /usr/lib/security/pam_radius_auth.so
sshd account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
The pam_permission module uses an access-control list (that contains user/group names) to determine whether to permit or deny authentication requests. Please see https://www.ibm.com/support/knowledgecenter/ssw_aix_72/filesreference/pam_permission.html for details about the pam_permission module and its settings.
The above auth stack requires that the AIX module (pam_aix, i.e., password) must be successful, and that either the pam_permission module or the OTP module (pam_radius_auth.so) is successful.
------------------------------
Xinya Wang
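To see how the two pam.conf auth stacks in this thread treat a listed user versus an unlisted one, here is an added example (not code from the thread, IBM, or the PAM modules): a small simulator of PAM control-flag semantics. The module behaviours are constructed stand-ins (pam_aix = local password, pam_permission = allow-list lookup with found=allow, pam_radius_auth = OTP), the allow-list contents are made up, and the required/sufficient rules follow the standard PAM semantics assumed here; it also traces the fall-through case where no sufficient module succeeds.

```python
# Added example: simulate PAM "required"/"sufficient" stacking for the two
# sshd auth stacks discussed above. Stand-in modules, not the real ones.

ALLOWED_USERS = {"root", "backupadm"}  # constructed stand-in for /etc/allowed_users


def run_module(module, user, password_ok, otp_ok):
    """Return True when the stand-in module would report success."""
    if module == "pam_aix":           # local AIX password check
        return password_ok
    if module == "pam_permission":    # file=/etc/allowed_users found=allow
        return user in ALLOWED_USERS
    if module == "pam_radius_auth":   # RADIUS/OTP check (SafeNet SAS)
        return otp_ok
    raise ValueError(f"unknown module {module}")


def pam_auth(stack, user, password_ok, otp_ok):
    """Evaluate an auth stack of (control, module) pairs.

    Returns (authenticated, modules_invoked). modules_invoked shows which
    modules actually ran, i.e. which prompts the user would have seen.
    Assumed semantics: 'required' records failure but keeps going;
    'sufficient' ends the stack with success if it succeeds and no earlier
    required module failed, and is ignored if it fails.
    """
    required_failed = False
    invoked = []
    for control, module in stack:
        invoked.append(module)
        ok = run_module(module, user, password_ok, otp_ok)
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "sufficient":
            if ok and not required_failed:
                return True, invoked       # short-circuit: stack succeeds
            # failing sufficient module: ignored, continue down the stack
        else:
            raise ValueError(f"unsupported control flag {control}")
    # No sufficient module decided: outcome is that of the required modules
    return not required_failed, invoked


# Stack from the first post: both modules required, so everyone gets OTP + password.
ORIGINAL_STACK = [("required", "pam_radius_auth"), ("required", "pam_aix")]
# Stack proposed in the reply: password always, then allow-list OR OTP.
PROPOSED_STACK = [("required", "pam_aix"),
                  ("sufficient", "pam_permission"),
                  ("sufficient", "pam_radius_auth")]
```

Under these semantics an unlisted user who passes the password check but fails OTP still ends the proposed stack as authenticated (no sufficient module succeeded, so the required result stands), which is worth confirming against the real modules on the box before relying on the stack.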
Original Message:
Sent: Mon February 08, 2021 11:20 PM
From: Anyl Mjn
Subject: Exclude specific users from Two Factor Authentication
Hi,
We are using Gemalto SafeNet Authentication Service (SAS). We have enabled Two Factor Authentication, i.e. users require a password and OTP to log in (SSH) to the AIX server. So currently all users require a password and OTP to log in to the server. But there are some users on the AIX server for whom we do not want 2FA. Below is the configuration in /etc/pam.conf that we are using.
vi /etc/pam.conf
#SSHD
sshd auth required /usr/lib/security/pam_radius_auth.so
sshd auth required /usr/lib/security/pam_aix
sshd account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
------------------------------
Anyl Mjn
Original Message:
Sent: Mon February 08, 2021 02:49 PM
From: Rodney Burnett
Subject: Exclude specific users from Two Factor Authentication
Hi, can you please provide more details on what solution you are using for 2FA? Is this based on the PowerSC MFA product or some other approach?
Regards,
Carl
------------------------------
Carl Burnett
DE, Cognitive Systems Software Development
IBM
Original Message:
Sent: Mon February 08, 2021 04:50 AM
From: Anyl Mjn
Subject: Exclude specific users from Two Factor Authentication
Hi All,
Recently, we have integrated our AIX machine with a Two Factor Authentication system and everything is working fine. But we have some users which we do not want to be authenticated using Two Factor Authentication and need to exclude them. Can anybody help with how we can achieve this?
Thank you,
ANYL
------------------------------
Anyl Mjn
------------------------------