How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-server"

Participant II
Posts: 2
Registered: ‎12-11-2018
#1 of 5 409

How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-server"

We use MFA for some users, but this R application will not accept credentials. Since the application does not need MFA, we tried setting

pam.mfa.program.ignore: ftpd proftpd vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd shiny-server.

 

Still get the same message. Any ideas?

Centrify Guru I
Posts: 2,415
Registered: ‎07-26-2012
#2 of 5 407

Re: How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-se

@ErnieM,

 

Welcome to the community.

 

When posting, would you be kind enough to tell us the operating system, version and version of our software?

 

Keep in mind that we can provide MFA for UNIX/Linux (for console or remote login and privilege elevation via dzdo) or for Windows for Login (console, remote, screen unlock, privilege elevation or offline access).  It looks like you may be dealing with a PAM-enabled app in UNIX/Linux, but it's much easier if you tell us the info above.

 

If this is for remote access

By using the parameter you mentioned, pam.mfa.program.ignore, you usually have to reload the agent configuration (e.g. by running adreload with elevated rights), or you may have to restart the centrifydc service, depending on the version.

 

Alternatively, since you are disabling access overall for this app, you can do this by assigning the target users a role that does not challenge for MFA.

 

If this is for Privilege Elevation

Note that if this is an application to be run with privileges, as you define them, make sure the respective checkbox (per platform) is unchecked:

[Screenshot: check-mfa.png]

 

R.P

 

 

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant II
Posts: 2
Registered: ‎12-11-2018
#3 of 5 405

Re: How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-se

Thank you for your timely reply and yes, I should have known better. Anyway,

Linux  [Redhat release 6.9 ],  (CentrifyDC 5.4.3-901).

 

We did restart the agent and flush the cache after we made the change. The target role would require a lot more effort, but shouldn't this have been enough?

Centrify Guru I
Posts: 2,415
Registered: ‎07-26-2012
#4 of 5 399

Re: How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-se

@ErnieM,

 

If after doing an adreload and service centrifydc restart this did not take, support may have to take a look.

 

Super important that the application in question is PAM-aware and that its PAM configuration stanzas are looking at the system PAM config.

 

One last check.  If you want to see what are the current memory working parameters of the client, you can use

adinfo --sysinfo config

and grep for the parameter you just set.  If the parameter lists your program (with the correct PAM name) and still prompts, I am sure support may want to take a deeper look.

 

R.P

Posts: 958
Topics: 3
Kudos: 254
Blog Posts: 6
Ideas: 0
Solutions: 126
Registered: ‎07-06-2010
#5 of 5 392

Re: How to disable MFA for R application. Already tried "pam.mfa.program.ignore: ..... shiny-se


The parameter pam.mfa.program.ignore should work but you need to make sure you include the correct name of the application calling the Centrify PAM module.  

 

To confirm the name of the application, enable Centrify debug, attempt the login and confirm the name of the application.  I'll use SSH as an example:  

 

# /usr/share/centrifydc/bin/addebug on
/var/log/centrify_client.log does not exist. Creating now.
Configure /etc/rsyslog.conf
Send HUP signal to rsyslogd
Configure log level in /etc/centrifydc/centrifydc.conf
Reload /etc/centrifydc/centrifydc.conf
/usr/sbin/adreload returned 0
Centrify DirectControl debug logging is on

# tail -f /var/log/centrifydc.log | grep pam_sm

Dec 11 18:10:08 r10-sap-74 adclient[21097]: DEBUG <fd:23 sshd(21990)> -> pam_sm_authenticate
Dec 11 18:10:18 r10-sap-74 adclient[21097]: DEBUG <fd:28 sshd(21990)> -> cloud pam_sm_authenticate

As we can see, sshd is the name of the application calling the Centrify PAM module.  If I add sshd to pam.mfa.program.ignore and run "adreload", then log in again with sshd, I don't get MFA.

 

Remember to turn off debug:

 

# /usr/share/centrifydc/bin/addebug off

 

Please give this a try in your environment.  If it doesn't work, we will need a debug log showing the issue.


Regards,

 

Felderi Santiago
VP of Enterprise Solutions
Centrify Corporation
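The name check described in the last reply, as an added example that is not part of the original thread and not Centrify tooling: it pulls the calling program names out of debug-log lines and reports whether each one is an exact entry in pam.mfa.program.ignore. The function names, the made-up httpd log line and the commented-out config line are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Centrify tooling. Assumes the debug-log line layout
# shown in the thread: "... DEBUG <fd:N program(pid)> -> [cloud] pam_sm_*".

# Print the unique program names that called the PAM module (log on stdin).
pam_callers() {
    sed -n 's/.*<fd:[0-9]* \([^(]*\)([0-9]*)> -> .*pam_sm_.*/\1/p' | sort -u
}

# Print the value of pam.mfa.program.ignore (config text on stdin).
# Commented-out lines are skipped. If the key appears more than once this
# example reports the last one (an assumption about precedence).
ignore_list() {
    sed -n 's/^[[:space:]]*pam\.mfa\.program\.ignore:[[:space:]]*//p' | tail -n 1
}

# mfa_status PROGRAM "LIST": "ignored" only on an exact, whole-word match.
mfa_status() {
    for name in $2; do
        if [ "$name" = "$1" ]; then echo ignored; return 0; fi
    done
    echo challenged
}

# Constructed sample input: the two sshd log lines from the thread plus one
# made-up httpd line, and the ignore list as posted in the first message.
SAMPLE_LOG='Dec 11 18:10:08 r10-sap-74 adclient[21097]: DEBUG <fd:23 sshd(21990)> -> pam_sm_authenticate
Dec 11 18:10:18 r10-sap-74 adclient[21097]: DEBUG <fd:28 sshd(21990)> -> cloud pam_sm_authenticate
Dec 11 18:11:02 r10-sap-74 adclient[21097]: DEBUG <fd:31 httpd(22011)> -> pam_sm_authenticate'
SAMPLE_CONF='# pam.mfa.program.ignore: old-value
pam.mfa.program.ignore: ftpd proftpd vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd shiny-server'

# One line per caller seen in the log: "<program>: ignored|challenged".
report() {
    list=$(printf '%s\n' "$SAMPLE_CONF" | ignore_list)
    printf '%s\n' "$SAMPLE_LOG" | pam_callers | while read -r prog; do
        echo "$prog: $(mfa_status "$prog" "$list")"
    done
}
report
```

On a live host the same functions can read the real debug log and /etc/centrifydc/centrifydc.conf on stdin in place of the sample variables.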