Enabling MFA for a Centrify Client for Linux
Note: Login here means logging in to a registered machine that has the Centrify Client running; in this context, login refers to the login role.
The UNIX and Windows Server login policy dictates how you are authenticated on the system. If you do not have a valid authentication profile set up, you will be denied login. You can disable the MFA requirement for login by setting the parameter pam.mfa.enabled to false in /etc/centrifycc/centrifycc.conf.
To enable MFA for Centrify Client for Linux
- Enroll the Linux/UNIX machine into Privileged Access Service with the agentauth feature permission enabled. At the command prompt on the Linux/UNIX machine, type the following command:
    sudo cenroll --tenant abc0123.my.centrify.net --user cloudadmin@devserver.sh --features aapm,agentauth -l login -V
Note: If you want to log in through MFA, you must have the agent auth permission on the registered machine. This permission can be granted directly, or you can make the user a member of a role with the agent auth permission granted (for example, one specified by a cenroll -l option).
- Validate your user by running the getent command:
    user@user1:~$ getent passwd genericpassword
    genericpassword:x:5264028:5264028:genericpassword (Dave@Smith.land):/home/Dave:/bin/bash
Note: If you are enabling MFA for a user, that user must have a valid authentication profile set through the policy and/or role settings in the Admin Portal.
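The two checks a practitioner would want after completing these steps are that pam.mfa.enabled has not been switched off in centrifycc.conf and that the user actually resolves through the client's NSS module. The following is an added example, not Centrify's own code: it assumes centrifycc.conf uses a "key: value" (or "key = value") line format, and it checks a passwd-format line of the kind getent prints rather than querying NSS itself, so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the Centrify documentation): verify the MFA-related
# state described on this page from a config file and a getent passwd line.

# Return 0 unless pam.mfa.enabled is explicitly set to false in the given config.
# Assumption (constructed for this example): the setting appears as
# "pam.mfa.enabled: false" or "pam.mfa.enabled = false"; '#' lines are comments
# and the last uncommented occurrence wins.
mfa_enabled_in_conf() {
    conf="$1"
    val=$(grep -E '^[[:space:]]*pam\.mfa\.enabled[[:space:]]*[:=]' "$conf" \
          | tail -n 1 \
          | sed -E 's/^[^:=]*[:=][[:space:]]*//; s/[[:space:]]*$//' \
          | tr '[:upper:]' '[:lower:]')
    [ "$val" != "false" ]
}

# Return 0 if a passwd-format line (as printed by "getent passwd <user>") has
# the seven colon-separated fields and a numeric UID, i.e. the user resolved.
passwd_entry_valid() {
    entry="$1"
    fields=$(printf '%s' "$entry" | awk -F: '{print NF}')
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    [ "$fields" -eq 7 ] && printf '%s' "$uid" | grep -Eq '^[0-9]+$'
}

# Stand-alone usage against the real client files (paths from this page):
#   mfa_enabled_in_conf /etc/centrifycc/centrifycc.conf && echo "MFA not disabled"
#   passwd_entry_valid "$(getent passwd genericpassword)" && echo "user resolves"
```

Both functions return a shell status only, so they drop straight into a post-enrollment check script or a configuration-drift monitor.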