How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-server"
12-11-2018 12:54 PM
We use MFA for some users, but this R application will not accept credentials. Since the application does not need MFA, I tried setting
pam.mfa.program.ignore: ftpd proftpd vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd shiny-server.
I still get the same message. Any ideas?
12-11-2018 01:14 PM
Welcome to the community.
When posting, would you be kind enough to tell us the operating system, its version, and the version of our software?
Keep in mind that we can provide MFA for UNIX/Linux (for console or remote login and privilege elevation via dzdo) or for Windows for Login (console, remote, screen unlock, privilege elevation or offline access). It looks like you may be dealing with a PAM-enabled app in UNIX/Linux, but it's much easier if you tell us the info above.
If this is for remote access
When using the parameter you mentioned, pam.mfa.program.ignore, you usually have to reload the agent configuration (e.g. by running adreload with elevated rights), or you may have to restart the centrifydc service, depending on the version.
Alternatively, since you are disabling access overall for this app, you can do this by assigning the target users a role that does not challenge for MFA.
If this is for Privilege Elevation
Note that if this is an application to be run with privileges, as you define them, make sure the respective checkbox (per platform) is unchecked:
12-11-2018 01:40 PM
Thank you for your timely reply, and yes, I should have known better. Anyway:
Linux (Red Hat release 6.9), CentrifyDC 5.4.3-901.
We did restart the agent and flush the cache after we made the change. The target role would require a lot more effort, but shouldn't this have been enough?
12-11-2018 02:15 PM
If this did not take after doing an adreload and a service centrifydc restart, support may have to take a look.
It is super important that the application in question is PAM-aware and that its PAM configuration stanzas are looking at the system PAM config.
One last check: if you want to see what the current in-memory working parameters of the client are, you can use
adinfo --sysinfo config
and grep for the parameter you just set. If the parameter lists your program (with the correct PAM name) and it still prompts, I am sure support will want to take a deeper look.
12-11-2018 06:18 PM
The parameter pam.mfa.program.ignore should work but you need to make sure you include the correct name of the application calling the Centrify PAM module.
To confirm the name of the application, enable Centrify debug, attempt the login and confirm the name of the application. I'll use SSH as an example:
# /usr/share/centrifydc/bin/addebug on
/var/log/centrify_client.log does not exist. Creating now.
Configure /etc/rsyslog.conf
Send HUP signal to rsyslogd
Configure log level in /etc/centrifydc/centrifydc.conf
Reload /etc/centrifydc/centrifydc.conf
/usr/sbin/adreload returned 0
Centrify DirectControl debug logging is on
# tail -f /var/log/centrifydc.log | grep pam_sm
Dec 11 18:10:08 r10-sap-74 adclient: DEBUG <fd:23 sshd(21990)> -> pam_sm_authenticate
Dec 11 18:10:18 r10-sap-74 adclient: DEBUG <fd:28 sshd(21990)> -> cloud pam_sm_authenticate
As we can see, sshd is the name of the application calling the Centrify PAM module. If I add sshd to pam.mfa.program.ignore and run "adreload", then log in again via sshd, I don't get MFA.
Remember to turn off debug:
# /usr/share/centrifydc/bin/addebug off
Please give this a try in your environment. If it doesn't work, we will need a debug log showing the issue.
VP of Enterprise Solutions
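The check described in the last answer (read the PAM caller name out of the debug log, then compare it with pam.mfa.program.ignore) as an added script; this is not code from the thread or from Centrify. The log lines and the centrifydc.conf line are constructed from the samples above, and the file paths are temporary files, not the real /var/log/centrifydc.log or /etc/centrifydc/centrifydc.conf.

```shell
#!/bin/sh
# Added example: which programs called pam_sm_authenticate, and are they exempt?

# Unique program names from debug lines of the form
#   "... adclient: DEBUG <fd:23 sshd(21990)> -> pam_sm_authenticate"
pam_callers() {
    grep 'pam_sm_authenticate' "$1" \
        | sed -n 's/.*<fd:[0-9]* \([^(]*\)([0-9]*)>.*/\1/p' \
        | sort -u
}

# Space-separated value of pam.mfa.program.ignore from a centrifydc.conf file.
mfa_ignore_list() {
    sed -n 's/^[[:space:]]*pam\.mfa\.program\.ignore:[[:space:]]*//p' "$1"
}

# True when program $1 is listed verbatim in the ignore list of config $2.
# The match is exact, so a stray trailing character in the config
# (e.g. "shiny-server.") would make the program show as NOT ignored.
is_mfa_ignored() {
    for p in $(mfa_ignore_list "$2"); do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# For every PAM caller seen in log $1, say whether MFA is skipped per config $2.
report() {
    pam_callers "$1" | while read -r prog; do
        if is_mfa_ignored "$prog" "$2"; then
            echo "$prog: in pam.mfa.program.ignore (no MFA)"
        else
            echo "$prog: NOT in pam.mfa.program.ignore (MFA applies)"
        fi
    done
}

# Constructed sample inputs (hostname and PIDs copied from the thread's sample).
LOG=$(mktemp); CONF=$(mktemp)
cat >"$LOG" <<'EOF'
Dec 11 18:10:08 r10-sap-74 adclient: DEBUG <fd:23 sshd(21990)> -> pam_sm_authenticate
Dec 11 18:10:18 r10-sap-74 adclient: DEBUG <fd:28 sshd(21990)> -> cloud pam_sm_authenticate
Dec 11 18:12:40 r10-sap-74 adclient: DEBUG <fd:31 shiny-server(22107)> -> pam_sm_authenticate
EOF
cat >"$CONF" <<'EOF'
pam.mfa.program.ignore: ftpd proftpd vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd shiny-server
EOF
report "$LOG" "$CONF"
```

On a real host, point it at /var/log/centrifydc.log (with addebug on) and at the output of adinfo --sysinfo config saved to a file, so the comparison uses the parameters the agent actually loaded.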