Enabling MFA for a Cloud Client for Linux
Multi-factor authentication (MFA) is required for all logins to the Cloud Client for Linux (with the exception of local users).
The UNIX and Windows Server login policy dictates how you are authenticated in the system. If you do not have a valid authentication profile set up, you will be denied login. You can disable the MFA requirement for login by setting the parameter pam.mfa.enabled to false in /etc/centrifycc/centrifycc.conf.
To enable MFA for Cloud Client for Linux
- Enroll the Linux/UNIX machine into Privileged Access Service with agentauth feature permission enabled. At the command prompt on the Linux/UNIX machine, type the following command:
  sudo cenroll --tenant abc0123.my.centrify.net --user cloudadmin@devserver.sh --features aapm,agentauth -l login -V
  If you want to log in through MFA, you must have the agent auth permission on the registered machine. This permission can be granted directly, or you can make the user a member of a role with the agent auth permission granted (for example, one specified by a cenroll -l option).
- Validate your user by running the getent command:
  user@user1:~$ getent passwd genericpassword
  genericpassword:x:5264028:5264028:genericpassword (Dave@Smith.land):/home/Dave:/bin/bash
If you are enabling MFA for a user, that user must have a valid authentication profile set through the policy and/or role settings in the Admin Portal.
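The following shell audit helper is an added example, not part of the original page or of Centrify's tooling. It reports whether pam.mfa.enabled has been set to false in a config file and checks the passwd line returned by the getent validation step. It assumes settings are written as "name: value" or "name=value" and that an absent parameter leaves MFA required; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit helper functions (hypothetical names, not Centrify tooling).

# Report the MFA login setting in a centrifycc.conf-style file.
# Assumptions: settings are written "name: value" or "name=value", and an
# absent parameter leaves MFA required. Any uncommented line that sets
# pam.mfa.enabled to false is reported, without guessing which duplicate wins.
mfa_state() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "unreadable"
        return 1
    fi
    if grep -Eiq '^[[:space:]]*pam\.mfa\.enabled[[:space:]]*[:=][[:space:]]*false[[:space:]]*(#.*)?$' "$conf"; then
        echo "disabled"
    else
        echo "enabled"
    fi
}

# Check one passwd-format line, as printed by "getent passwd NAME": seven
# colon-separated fields, the expected login name, a numeric UID, and
# absolute paths for home directory and shell.
passwd_entry_ok() {
    printf '%s\n' "$2" | awk -F: -v name="$1" '
        NF == 7 && $1 == name && $3 ~ /^[0-9]+$/ && $6 ~ /^\// && $7 ~ /^\// { ok = 1 }
        END { exit !ok }'
}

# Demo on constructed input: a sample config that disables MFA, and the
# passwd line shown in the getent step above.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' 'pam.mfa.enabled: false' > "$tmp"
    echo "MFA login requirement: $(mfa_state "$tmp")"
    rm -f "$tmp"
    entry='genericpassword:x:5264028:5264028:genericpassword (Dave@Smith.land):/home/Dave:/bin/bash'
    if passwd_entry_ok genericpassword "$entry"; then
        echo "passwd entry: ok"
    else
        echo "passwd entry: missing or malformed"
    fi
}
demo
```

On an enrolled host, pass /etc/centrifycc/centrifycc.conf to mfa_state and "$(getent passwd NAME)" to passwd_entry_ok.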