Enabling MFA for a Centrify Client for Linux

Multi-factor authentication (MFA) is required for all logins to a machine running the Centrify Client for Linux, with the exception of local users.

Note:   Login here means logging in to a registered machine that has a Centrify client running. In this context, login refers to the login role.

The Unix and Windows Server login policy dictates how you are authenticated on the system. If you do not have a valid authentication profile set up, login is denied. You can disable the MFA requirement for login by setting the parameter pam.mfa.enabled to false in /etc/centrifycc/centrifycc.conf. Note that this removes the second factor for every non-local PAM login on that host, not just for one user, so leave it at the default unless you have a specific reason to change it.

To enable MFA for a Centrify Client for Linux, perform the following steps:

  1. Enroll the Linux/UNIX machine into Privileged Access Service with the agentauth feature enabled. At the command prompt on the Linux/UNIX machine, type the following command (the tenant URL and user name are examples; substitute your own):

     sudo cenroll --tenant aaa0186.my.centrify.net --user cloudadmin@devserver.sh --features aapm,agentauth -l login -V

Note:    To log in through MFA, the user must have the agentauth permission on the registered machine. This permission can be granted to the user directly, or to a role that the user is a member of (for example, the role specified by the cenroll -l option).

  2. Validate that the user resolves on the machine by running the getent command. The output should be a complete passwd entry for the user, for example:

     user@user1:~$ getent passwd genericpassword
     genericpassword:x:5264028:5264028:genericpassword (Dave@Smith.land):/home/Dave:/bin/bash

Note:    If you are enabling MFA for a user, that user must have a valid authentication profile set through the policy and/or role settings in the Centrify Admin Portal. Without one, the login is denied even though enrollment succeeded.
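The following script ties the two checks above together as an audit you can run on an enrolled host: it reports whether pam.mfa.enabled still enforces MFA and whether a given user resolves to a usable passwd entry. This is an added example, not Centrify's own code or tooling. It assumes that centrifycc.conf uses "key: value" lines with "#" comments (the page only names the parameter and the path, not the file layout), and the function names and the constructed sample config are ours.

```shell
#!/bin/sh
# Added example (not from the Centrify documentation): audit the MFA login
# requirement on a host running the Centrify Client for Linux.
# Assumption: /etc/centrifycc/centrifycc.conf holds "key: value" lines and
# "#" starts a comment; the function names below are ours.

# Print the effective value of pam.mfa.enabled ("true" or "false") from a
# conf file. The page states MFA is required unless the parameter is set
# to false, so a missing or commented-out key is reported as "true".
mfa_setting() {
    conf=$1
    val=$(sed -n 's/^[[:space:]]*pam\.mfa\.enabled[[:space:]]*:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" 2>/dev/null | tail -n 1)
    case $(printf '%s' "$val" | tr 'A-Z' 'a-z') in
        false) echo false ;;
        *)     echo true ;;
    esac
}

# Validate one passwd(5) line as returned by "getent passwd <user>":
# seven colon-separated fields, numeric UID and GID, and a shell that can
# actually start a session. Returns 0 when the entry looks usable.
passwd_entry_ok() {
    line=$1
    [ -n "$line" ] || return 1
    nfields=$(printf '%s\n' "$line" | awk -F: '{print NF}')
    [ "$nfields" -eq 7 ] || return 1
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    case $uid in ''|*[!0-9]*) return 1 ;; esac
    case $gid in ''|*[!0-9]*) return 1 ;; esac
    case $shell in ''|*/nologin|*/false) return 1 ;; esac
    return 0
}

# Combine both checks for a live host: read the conf file and resolve the
# user through NSS with getent. Prints "mfa=<true|false> user=<ok|missing>"
# and returns 0 only when MFA is enforced and the user resolves.
mfa_audit() {
    conf=$1
    user=$2
    mfa=$(mfa_setting "$conf")
    entry=$(getent passwd "$user" 2>/dev/null || true)
    if passwd_entry_ok "$entry"; then ustate=ok; else ustate=missing; fi
    echo "mfa=$mfa user=$ustate"
    [ "$mfa" = true ] && [ "$ustate" = ok ]
}

# Demonstration on a constructed config file (the real one lives at
# /etc/centrifycc/centrifycc.conf); here the parameter has been set to
# false, the weak setting the page warns about, so the audit reports it.
demo_conf=$(mktemp)
printf '# constructed sample, not a real centrifycc.conf\npam.mfa.enabled: false\n' > "$demo_conf"
mfa_setting "$demo_conf"
rm -f "$demo_conf"
```

On a real host, run `mfa_audit /etc/centrifycc/centrifycc.conf <user>` after the cenroll step; a non-zero exit means either the host no longer enforces MFA or the user does not resolve, which are the two conditions the procedure above is meant to establish.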