After installing Centrify on AIX, passcodes for RSA authentication are no longer required. Standard username/password is sufficient.
All versions of Centrify DirectControl on AIX
After installing Centrify DirectControl on AIX, RSA authentication is no longer being enforced on user logins.
By default, DirectControl automatically edits pam.conf to include the Centrify authentication modules, and places them above all other modules in the PAM stack. This puts RSA below Centrify in priority, so once a user successfully authenticates through Centrify, nothing causes the login to fall through to RSA.
Please refer to the attached whitepaper for RSA configuration with Centrify. Ensure the configuration is intact. Important: Check /etc/pam.conf and verify that any reference to /usr/lib/security/pam_securid.so is placed before any references to pam_centrifydc, as shown in the whitepaper example.
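One way to script the ordering check described above (an added example, not taken from the whitepaper or from Centrify). The function name, the sample stacks and their control flags are constructed for illustration; only the module names come from this article.

```shell
#!/bin/sh
# check_pam_order [FILE]: read a pam.conf-style file (or stdin) and, per service,
# compare the first auth line for pam_securid with the first for pam_centrifydc.
# Exit status is 1 if any service lists pam_centrifydc ahead of pam_securid.
check_pam_order() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }     # comments, blank and short lines
        $2 != "auth"         { next }     # only the auth stack is relevant here
        $4 ~ /pam_securid/    && !($1 in rsa) { rsa[$1] = NR }
        $4 ~ /pam_centrifydc/ && !($1 in cdc) { cdc[$1] = NR }
        END {
            bad = 0
            for (s in cdc) {
                if (!(s in rsa)) {
                    print "NOTE " s ": pam_centrifydc only, no pam_securid line"
                } else if (rsa[s] > cdc[s]) {
                    print "FAIL " s ": pam_centrifydc (line " cdc[s] ") is above pam_securid (line " rsa[s] ")"
                    bad = 1
                } else {
                    print "OK   " s ": pam_securid (line " rsa[s] ") is above pam_centrifydc (line " cdc[s] ")"
                }
            }
            exit bad
        }
    ' "$@"
}

# Constructed sample: Centrify modules on top, as after the automatic edit.
sample_default() { cat <<'EOF'
login auth sufficient pam_centrifydc
login auth required   /usr/lib/security/pam_securid.so
login auth required   /usr/lib/security/pam_aix
sshd  auth sufficient pam_centrifydc
sshd  auth required   /usr/lib/security/pam_aix
EOF
}

# Constructed sample: pam_securid moved above pam_centrifydc.
sample_fixed() { cat <<'EOF'
login auth required   /usr/lib/security/pam_securid.so
login auth sufficient pam_centrifydc
login auth required   /usr/lib/security/pam_aix
EOF
}

sample_default | check_pam_order || echo "=> RSA is bypassed for at least one service"
```

Run `check_pam_order /etc/pam.conf` against the real file; a NOTE line flags a service that has no pam_securid entry at all, which is only a problem if RSA was meant to protect that service.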
If a manual modification of /etc/pam.conf proves to be necessary, you should also modify /etc/centrifydc/centrifydc.conf with the following parameter, followed by an 'adreload' to apply the change:
This will prevent adclient from reverting this change at the next config integrity check.
Now, when a user logs in, at the prompt they will enter the following:
<rsa passcode><password> concatenated together. pam_securid (for RSA) will split this and authenticate using the first part. The second part (the password) will be placed back into the stack for other authentication modules to use (i.e., pam_centrifydc).