Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 7. Configuring smart card authentication using authselect

Configure smart cards authentication by using the authselect tool to increase workstation security and simplify the user login process. This utility manages system-wide authentication profiles, allowing options ranging from hybrid password access to strict card-only enforcement and automated screen locking.

You can configure your smart card to achieve one of the following goals:

  • Enable both password and smart card authentication
  • Disable password and enable smart card authentication
  • Enable lock on removal

7.1. Certificates eligible for smart cards
Copy link

Smart card configuration relies on valid cryptographic credentials. Before you can configure a smart card with authselect, you must import a certificate into your card. You can provision cards using certificates issued by the following providers:

  • Active Directory (AD)
  • Identity Management (IdM)
  • Red Hat Certificate System (RHCS)
  • Third-party Certification Authority (CA)
  • Local Certification Authority. You can use a certificate generated by the Local Certification Authority if the user is not part of a domain or for testing purposes.

Configure smart card authentication on your system using the authselect tool. You can enable hybrid password and smart card access to provide a backup login method, enforce strict card-only authentication, or configure automatic screen locking when the card is removed.

The authselect command includes the following options for smart card configuration:

  • with-smartcard — enables smart card authentication in addition to password authentication
  • with-smartcard-required — enables smart card authentication and disables password authentication
  • with-smartcard-lock-on-removal — enforces automatic screen lock when the smart card is removed

Prerequisites

  • The smart card contains your certificate and private key.
  • The card is inserted into the reader and connected to the computer.

Procedure

  1. Choose one of the following configuration options based on your security requirements to enable smart card authentication:

    1. Enable both smart card and password authentication: 

      # authselect select sssd with-smartcard --force

      This configuration permits users to authenticate using either a smart card or a password, this ensures access continuity if the smart card is unavailable.

    2. Enforce smart card authentication only: 

      # authselect select sssd with-smartcard with-smartcard-required --force
      Important

      After running this command, users can no longer authenticate using their passwords. Ensure smart card authentication is functional before you apply this change, or the users might be locked out of their systems.

    3. Enforce smart card authentication with automatic lock on removal: 

      # authselect select sssd with-smartcard with-smartcard-required with-smartcard-lock-on-removal --force

      This configuration links the active session to the physical presence of the smart card. Removal of the token triggers an immediate screen lock that requires card re-insertion for access.

  2. Configure SSSD to enable smart card authentication by adding the following line to the [pam] section: 

    [pam]
pam_cert_auth = True

  3. Restart the SSSD service to apply the changes: 

    # systemctl restart sssd
    Note

    Enabling pam_cert_auth = True involves accessing and reading from the smart card, which might take multiple seconds.

7.3. Smart card authentication options in RHEL
Copy link

The authselect command configures system-wide authentication behaviors. You can enforce exclusive smart card usage, enabling hybrid password options, or trigger automatic session locking upon card removal to meet specific security policies.

You can configure how you want smart card authentication to work in a particular Identity Management (IdM) client by using the authselect command, authselect enable-feature <smartcard_option>. The following smart card options are available:

  • with-smartcard: Users can authenticate with the user name and password or with their smart card.

  • with-smartcard-required: Users can authenticate with their smart cards, and password authentication is disabled. You cannot access the system without your smart card. Once you have authenticated with your smart card, you can stay logged in even if your smart card is removed from its reader.

    Note

    The with-smartcard-required option only enforces exclusive smart card authentication for login services, such as login, gdm, xdm, xscreensaver, and gnome-screensaver. For other services, such as su or sudo for switching users, smart card authentication is not enforced and if your smart card is not inserted, you are prompted for a password.

  • with-smartcard-lock-on-removal: Users can authenticate with their smart card. However, if you remove your smart card from its reader, you are automatically locked out of the system. You cannot use password authentication.

    Note

    The with-smartcard-lock-on-removal option only works on systems with the GNOME desktop environment. If you are using a system that is tty or console based and you remove your smart card from its reader, you are not automatically locked out of the system.

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top