Enabling MFA for a Centrify Client for Linux
Multi-factor authentication (MFA) is required for all logins to the Centrify Client for Linux (with the exception of local users) .
Note: The login is into registered machines that have a Centrify client running. Login, used in this context, is the login role.
The Unix and Windows Server login policy dictates how you are authenticated in the system. If you do not have a valid authentication profile set up, you will be denied login. You can disable the MFA requirement for login by setting the parameter
pam.mfa.enabled to false in
To enable MFA for a Centrify Client for Linux, perform the following steps:
- Enroll the Linux/UNIX machine into Privileged Access Service with
agentauthfeature permission enabled. At the command prompt on the Linux/UNIX machine, type the following command:
sudo cenroll --tenant aaa0186.my.centrify.net --user email@example.com --features aapm,agentauth -l login -V.
Note: If you want to log in through MFA, you must have the
agent auth permission on the registered machine. This permission can be granted directly, or you can make the user a member of a role with the
agent auth permission granted (for example, one specified by a
cenroll -l option).
- Validate your user by running the
user@user1:~$ getent passwd genericpassword
Note: If you are enabling MFA for a user, that user must have valid
Authentication profile set through the policy and/or role settings in the Centrify Admin Portal.