Chapter 6. Configuring smart card authentication with local certificates
You can configure smart card authentication on standalone hosts without a domain connection. This setup involves generating local certificates, storing them on the smart card, and configuring system services such as SSH to validate credentials against a local authority.
To configure smart card authentication with local certificates:
- The host is not connected to a domain.
- You want to authenticate with a smart card on this host.
- You want to configure SSH access using smart card authentication.
- You want to configure the smart card with authselect.
Use the following configuration to accomplish this scenario:
- Obtain a user certificate for the user who wants to authenticate with a smart card. The certificate should be generated by a trustworthy Certification Authority used in the domain. If you cannot get the certificate, you can generate a user certificate signed by a local certificate authority for testing purposes.
- Store the certificate and private key in a smart card.
- Configure the smart card authentication for SSH access.
If a host can be part of the domain, add the host to the domain and use certificates generated by Active Directory or Identity Management Certification Authority.
For details about how to create IdM certificates for a smart card, see Configuring Identity Management for smart card authentication.
The authselect tool configures user authentication on Linux hosts and you can use it to configure smart card authentication parameters. For details about authselect, see Explaining authselect.
6.1. Prerequisites
- Supported Smart Card or USB devices.
6.2. Creating local certificates
Testing smart card authentication requires a valid certificate chain. Administrators can generate a local self-signed Certificate Authority (CA) and use it to sign user certificate requests, creating a functional credential set for development environments.
Follow this procedure to perform the following tasks:
- Generate the OpenSSL certificate authority
- Create a certificate signing request
The following steps are intended for testing purposes only. Certificates generated by a local self-signed Certificate Authority are not as secure as using AD, IdM, or RHCS Certification Authority. You should use a certificate generated by your enterprise Certification Authority even if the host is not part of the domain.
Procedure
Create a directory where you can generate the certificate, for example:
# mkdir /tmp/ca
# cd /tmp/ca
Set up the certificate (copy this text to your command line in the ca directory):
# cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = .
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/rootCA.crt
serial = \$dir/serial
private_key = \$dir/rootCA.key
RANDFILE = \$dir/rand
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_any
email_in_dn = no
name_opt = ca_default
cert_opt = ca_default
copy_extensions = copy

[ usr_cert ]
authorityKeyIdentifier = keyid, issuer

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ policy_any ]
organizationName = supplied
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
O = Example
OU = Example Test
CN = Example Test CA
EOF
Create the following directories:
# mkdir certs crl newcerts
Create the following files:
# touch index.txt crlnumber index.txt.attr
Write the number 01 in the serial file:
# echo 01 > serial
This command writes the number 01 to the serial file. It is the serial number of the next certificate issued by this CA; with each new certificate released by this CA the number increases by one.
Create an OpenSSL root CA key:
# openssl genrsa -out rootCA.key 2048
Create a self-signed root Certification Authority certificate:
# openssl req -batch -config ca.cnf \
    -x509 -new -nodes -key rootCA.key -sha256 -days 10000 \
    -set_serial 0 -extensions v3_ca -out rootCA.crt
Create the key for your username:
# openssl genrsa -out example.user.key 2048
This key is generated on the local system, which is not secure. Therefore, remove the key from the system once it is stored on the card.
You can create a key directly in the smart card as well. To do this, follow the instructions provided by the manufacturer of your smart card.
Create the certificate signing request configuration file (copy this text to your command line in the ca directory):
# cat > req.cnf <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
O = Example
OU = Example Test
CN = testuser

[ req_exts ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "testuser"
subjectKeyIdentifier = hash
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin
subjectAltName = otherName:msUPN;UTF8:testuser@EXAMPLE.COM, email:testuser@example.com
EOF
Create a certificate signing request for your example.user certificate:
# openssl req -new -nodes -key example.user.key \
    -reqexts req_exts -config req.cnf -out example.user.csr
Configure the new certificate. The expiration period is set to 1 year:
# openssl ca -config ca.cnf -batch -notext \
    -keyfile rootCA.key -in example.user.csr -days 365 \
    -extensions usr_cert -out example.user.crt
At this point, the certification authority and certificates are successfully generated and prepared for import into a smart card.
6.3. Copying certificates to the SSSD directory
SSSD requires access to the trusted Certificate Authority to validate user credentials. Administrators must copy the generated root CA certificate to the /etc/sssd/pki directory, allowing the system to verify the authenticity of smart card logins.
GNOME Display Manager (GDM) requires SSSD. If you use GDM, you need to copy the PEM certificate to the /etc/sssd/pki directory.
Prerequisites
- The local CA authority and certificates have been generated
Procedure
Ensure that you have SSSD installed on the system:
# rpm -q sssd
sssd-2.0.0.43.el8_0.3.x86_64
Create a /etc/sssd/pki directory:
# file /etc/sssd/pki
/etc/sssd/pki/: directory
Copy rootCA.crt as a PEM file into the /etc/sssd/pki/ directory:
# cp /tmp/ca/rootCA.crt /etc/sssd/pki/sssd_auth_ca_db.pem
Now you have successfully generated the certificate authority and certificates, and you have saved them in the /etc/sssd/pki directory.
Note
If you want to share the Certificate Authority certificates with another application, you can change the location in sssd.conf:
- SSSD PAM responder: pam_cert_db_path in the [pam] section
- SSSD ssh responder: ca_db in the [ssh] section
For details, see the sssd.conf man page. Red Hat recommends keeping the default path and using a dedicated Certificate Authority certificate file for SSSD to make sure that only Certificate Authorities trusted for authentication are listed here.
6.4. Configuring SSH access using smart card authentication
SSH supports smart card authentication by retrieving public keys directly from the token. You can extract the key by using opensc libraries and add it to the user’s authorized_keys file to enable PIN-based login.
SSH connections require authentication. You can use a password or a certificate. Follow this procedure to enable authentication using a certificate stored on a smart card.
For details about configuring smart cards with authselect, see Configuring smart cards using authselect.
Prerequisites
- The smart card contains your certificate and private key.
- The card is inserted in the reader and connected to the computer.
- The pcscd service is running on your local machine. For details, see Installing tools for managing and using smart cards.
Procedure
Create a new directory for SSH keys in the home directory of the user who uses smart card authentication:
# mkdir /home/<example_user>/.ssh
Run the ssh-keygen -D command with the opensc library to retrieve the existing public key paired with the private key on the smart card, and add it to the authorized_keys list in the user's SSH keys directory to enable SSH access with smart card authentication:
# ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so >> ~<example_user>/.ssh/authorized_keys
SSH requires access right configuration for the .ssh directory and the authorized_keys file. To set or change the access rights, enter:
# chown -R <example_user:example_user> ~<example_user>/.ssh/
# chmod 700 ~<example_user>/.ssh/
# chmod 600 ~<example_user>/.ssh/authorized_keys
Verification
Display the keys:
# cat ~<example_user>/.ssh/authorized_keys
The terminal displays the keys.
Verify the SSH access with the following command:
# ssh -I /usr/lib64/opensc-pkcs11.so -l <example_user> localhost hostname
If the configuration is successful, you are prompted to enter the smart card PIN.
The configuration works now locally. Now you can copy the public key and distribute it to authorized_keys files located on all servers on which you want to use SSH.
6.5. Creating certificate mapping rules when using smart cards
Certificate mapping rules link specific certificate attributes, such as Subject or Issuer, to local system accounts. You can define these rules in SSSD configuration files to authorize users based on the credentials stored on their physical tokens.
You need to create certificate mapping rules in order to log in using the certificate stored on a smart card.
Prerequisites
- The smart card contains your certificate and private key.
- The card is inserted in the reader and connected to the computer.
- The pcscd service is running on your local machine.
Procedure
Create a certificate mapping configuration file, such as /etc/sssd/conf.d/sssd_certmap.conf. Add certificate mapping rules to the sssd_certmap.conf file:
[certmap/shadowutils/otheruser]
matchrule = <SUBJECT>.*CN=certificate_user.*<ISSUER>^CN=Example Test CA,OU=Example Test,O=EXAMPLE$
Note that you must define each certificate mapping rule in a separate section. Define each section as follows:
[certmap/<DOMAIN_NAME>/<RULE_NAME>]
If SSSD is configured to use the proxy provider to allow smart card authentication for local users instead of AD, IPA, or LDAP, the <RULE_NAME> can simply be the username of the user whose card matches the data provided in the matchrule.
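The following Python script is an added example, not part of the Red Hat documentation. It shows how a matchrule of the form used in the procedure above selects a local user: the rule is split into its <SUBJECT> and <ISSUER> regular expressions, each is checked against the RFC 4514 DN string (most specific RDN first) case-insensitively, as sssd-certmap(5) describes for these two components, and the rule name doubles as the user name under the proxy provider. It is a simplified model that ignores the other matchrule keywords (such as <EKU> and <SAN>); the second rule and all DN strings are constructed for the example.

```python
import re

# Constructed rules in the form used in sssd_certmap.conf. Under the proxy
# provider the last component of the section name is the local user name.
CERTMAP_RULES = {
    "certmap/shadowutils/otheruser":
        "<SUBJECT>.*CN=certificate_user.*"
        "<ISSUER>^CN=Example Test CA,OU=Example Test,O=EXAMPLE$",
    "certmap/shadowutils/testuser":
        "<SUBJECT>^CN=testuser,<ISSUER>^CN=Example Test CA,",
}

# Each <SUBJECT>/<ISSUER> keyword is followed by a regular expression that
# extends up to the next keyword or to the end of the rule.
_COMPONENT = re.compile(r"<(SUBJECT|ISSUER)>(.*?)(?=<(?:SUBJECT|ISSUER)>|$)")


def parse_matchrule(rule):
    """Split a matchrule into {"SUBJECT": regex, "ISSUER": regex}."""
    return {name: regex for name, regex in _COMPONENT.findall(rule)}


def rule_matches(rule, subject_dn, issuer_dn):
    """True if every component regex in the rule matches its DN string.

    Assumption taken from sssd-certmap(5): the DN is compared in RFC 4514
    form (CN first) and the comparison is case-insensitive, so O=EXAMPLE in
    the rule matches O=Example in the certificate. Anchors keep their meaning.
    """
    names = {"SUBJECT": subject_dn, "ISSUER": issuer_dn}
    return all(
        re.search(regex, names[comp], re.IGNORECASE) is not None
        for comp, regex in parse_matchrule(rule).items()
    )


def map_certificate(subject_dn, issuer_dn, rules=CERTMAP_RULES):
    """Return the local user name of the first matching rule, or None."""
    for section, rule in rules.items():
        if rule_matches(rule, subject_dn, issuer_dn):
            return section.rsplit("/", 1)[-1]
    return None


if __name__ == "__main__":
    ca = "CN=Example Test CA,OU=Example Test,O=Example"
    print(map_certificate("CN=certificate_user,OU=Example Test,O=Example", ca))
    print(map_certificate("CN=testuser,OU=Example Test,O=Example", ca))
    # A certificate from a CA the rules do not name maps to nobody.
    print(map_certificate("CN=testuser,OU=Example Test,O=Example",
                          "CN=Untrusted CA,O=Example"))
```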
Verification
Note that to verify SSH access with a smart card, SSH access must be configured. For more information, see Configuring SSH access using smart card authentication.
You can verify the SSH access with the following command:
# ssh -I /usr/lib64/opensc-pkcs11.so -l otheruser localhost hostname
If the configuration is successful, you are prompted to enter the smart card PIN.