Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 7. Configuring smart card authentication using authselect


This section describes how to configure your smart card to achieve one of the following aims:

  • Enable both password and smart card authentication
  • Disable password and enable smart card authentication
  • Enable lock on removal

Prerequisites

7.1. Certificates eligible for smart cards

Before you can configure a smart card with authselect, you must import a certificate into your card. You can use the following tools to generate the certificate:

7.2. Configure your system to enable both smart card and password authentication

Follow this procedure to enable both smart card and password authentication on your system.

Prerequisites

  • The Smart card contains your certificate and private key.
  • The card is inserted into the reader and connected to the computer.
  • The authselect tool is installed on your system.

Procedure

  • Enter the following command to allow smart card and password authentication:

    # authselect select sssd with-smartcard --force

At this point, smart card authentication is enabled, however, password authentication will work if you forget your smart card at home.

7.3. Configuring your system to enforce smart card authentication

The authselect tool enables you to configure smart card authentication on your system and to disable the default password authentication. The authselect command includes the following options:

  • with-smartcard — enables smart card authentication in addition to password authentication
  • with-smartcard-required  — enables smart card authentication and disables password authentication
Note

The with-smartcard-required option only enforces exclusive smart card authentication for login services, such as login, gdm, xdm, kdm, xscreensaver, gnome-screensaver, and kscreensaver. Other services, such as su or sudo for switching users, do not use smart card authentication by default and will continue to prompt you for a password.

Prerequisites

  • Smart card contains your certificate and private key.
  • The card is inserted into the reader and connected to the computer.
  • The authselect tool is installed on your local system.

Procedure

  • Enter the following command to enforce smart card authentication:

    # authselect select sssd with-smartcard  with-smartcard-required --force
Note

Once you run this command, password authentication will no longer work and you can only log in with a smart card. Ensure smart card authentication is working before running this command or you may be locked out of your system.

7.4. Configuring smart card authentication with lock on removal

The authselect service enables you to configure your smart card authentication to lock your screen instantly after removing the smart card from the reader. The authselect command must include the following variables:

  • with-smartcard — enabling smart card authentication
  • with-smartcard-required — enabling exclusive smart card authentication (authentication with a password is disabled)
  • with-smartcard-lock-on-removal — enforcing log out after the smart card removal

    Note

    The with-smartcard-lock-on-removal option only works on systems with the GNOME desktop environment. If you are using a system that is tty or console based and you remove your smart card from its reader, you are not automatically locked out of the system.

Prerequisites

  • Smart card contains your certificate and private key.
  • The card is inserted into the reader and connected to the computer.
  • The authselect tool is installed on your local system.

Procedure

  • Enter the following command to enable smart card authentication, disable password authentication, and enforce lock on removal:

    # authselect select sssd  with-smartcard  with-smartcard-required with-smartcard-lock-on-removal --force

Now, when you remove the card, the screen locks. You must re-insert your smart card to unlock it.

Red Hat logoGithubRedditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

© 2024 Red Hat, Inc.