This configuration parameter specifies a list of programs for which multi-factor authentication is ignored. If you have configured roles to require multi-factor authentication, users assigned to those roles will be required to provide two types of authentication to access PAM applications. However, some PAM applications do not support more than one authentication challenge.
You can use this parameter to add the program names that do not support multi-factor authentication. When users access the PAM applications you specify for this parameter, the multi-factor authentication requirement is ignored so that users can log on rather than be denied access.
For example, if you have configured a role with the login-all PAM application right and the Require multi-factor authentication system right, you can use this parameter to skip multi‑factor authentication for specific PAM applications—such as xscreensaver and vsftpd—where multi-factory authentication is not needed or not supported.
pam.mfa.program.ignore: xscreensaver vsftpd
You can specify multiple options separated by spaces.
By default, ftpd, proftpd, vsftpd, java, httpd, cdc_chkpwd, kdm, and unix2_chkpwd are all added to this parameter.