All versions of Centrify DirectControl on all Linux platforms Question:
Are there any MFA compatibility issues with the Linux GUI desktop on any platforms?
Some versions of Linux Desktop GUI on some platforms while compatible with DirectControl have issues with the MFA feature that either require manual intervention or have issues that are unable to be addressed such as:RHEL 5.x:
1) On the system such as RHEL 5 that uses an old version of gdmgreeter, the MFA challenge message may be overlapped by the username/password input box. To avoid this issue, the user can change positions for "user-pw-entry" and "pam-prompt" entries in the theme file /usr/share/gdm/themes/RHEL/RHEL.xml, or directly install and set gdm login to use a newer version of gdm-simple-greeter such as gdm-2.24.0-24.101.19.
SLES 11 SP3:
2) For Linux OS such as SLES 11 SP3 that use old gdm-simple-greeter for console login authentication, the incorrect behavior in this program will cause MFA login to fail. SLES 11 SP4 has fixed this issue.
3) On systems such as SLES 11 where screen unlock is handled by the program unix2_chkpwd, users will not be challenged for MFA when they unlock the screen.
4) In systems such as SLES 10 where the screen unlock is handled by the program gnome-screensaver. Some versions of gnome-screensaver cannot handle the additional challenge/response interaction required for MFA and hang during unlock. In this case, please add 'gnome-screensav' to the pam.mfa.program.ignore list in centrifydc.conf to disable MFA functionality for this screen saver.
5) In systems such as Ubuntu 15.04 where screen unlock is handled by the program compiz, MFA does not work because compiz does not support the additional Challenge/Response interactions. Please add 'compiz' to the "pam.mfa.program.ignore" list in centrifydc.conf to disable MFA functionality for this program.
6) MFA is disabled in KDE Display Manager (kdm) environment in openSUSE due to issues with the native generic plugin module. Please refer to the following links:
If you need to modify the parameter "pam.mfa.program.ignore" list in centrifydc.conf, please note that you need to specify the default values in the parameter.
The default list is "vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd". For example, if you need to add compiz to this list, the line should be:
pam.mfa.program.ignore: vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd compiz
Please check with Centrify Support if you need more information about Linux desktop (especially screensaver) compatibility issues.