Chapter 7. Configuring smart card authentication using authselect
Configure smart cards by using the authselect tool. This utility manages system-wide authentication profiles, allowing options ranging from hybrid password access to strict card-only enforcement and automated screen locking.
You can configure your smart card to achieve one of the following aims:
- Enable both password and smart card authentication
- Disable password and enable smart card authentication
- Enable lock on removal
7.1. Prerequisites
- The authselect tool is installed on your system. The authselect tool configures user authentication on Linux hosts and you can use it to configure smart card authentication parameters. For details about authselect, see Configuring user authentication using authselect.
- Supported smart card or USB devices. For details, see Smart Card support in RHEL.
7.2. Certificates eligible for smart cards
Smart card configuration relies on valid cryptographic credentials. Before you can configure a smart card with authselect, you must import a certificate into your card. You can provision cards using certificates issued by the following providers:
- Active Directory (AD)
- Identity Management (IdM). For details about how to create IdM certificates, see Requesting a new user certificate and exporting it to the client.
- Red Hat Certificate System (RHCS). For details, see Managing Smart Cards with the Enterprise Security Client.
- Third-party Certification Authority (CA)
- Local Certification Authority. You can use a certificate generated by the Local Certification Authority if the user is not part of a domain or for testing purposes.
7.3. Configuring your system to enable both smart card and password authentication
The with-smartcard profile enables a flexible hybrid authentication model. This setting permits users to authenticate using either a physical token or a standard password, ensuring access continuity if the smart card is unavailable.
Prerequisites
- The smart card contains your certificate and private key.
- The card is inserted into the reader and connected to the computer.
- The authselect tool is installed on your system.
Procedure
Enter the following command to allow smart card and password authentication:
# authselect select sssd with-smartcard --force
At this point, smart card authentication is enabled; however, password authentication still works if you forget your smart card at home.
7.4. Configuring your system to enforce smart card authentication
Strict security environments often require disabling password access entirely. The with-smartcard-required option configures the system to reject password attempts for login services, mandating the presence of a valid smart card for entry.
The authselect tool enables you to configure smart card authentication on your system and to disable the default password authentication. The authselect command includes the following options:
- with-smartcard: enables smart card authentication in addition to password authentication
- with-smartcard-required: enables smart card authentication and disables password authentication
The with-smartcard-required option only enforces exclusive smart card authentication for login services, such as login, gdm, xdm, kdm, xscreensaver, gnome-screensaver, and kscreensaver. Other services, such as su or sudo for switching users, do not use smart card authentication by default and will continue to prompt you for a password.
Prerequisites
- The smart card contains your certificate and private key.
- The card is inserted into the reader and connected to the computer.
- The authselect tool is installed on your local system.
Procedure
Enter the following command to enforce smart card authentication:
# authselect select sssd with-smartcard with-smartcard-required --force
Note: Once you run this command, password authentication will no longer work and you can only log in with a smart card. Ensure smart card authentication is working before running this command or you may be locked out of your system.
7.5. Configuring smart card authentication with lock on removal
The with-smartcard-lock-on-removal option enhances physical security for GNOME desktop sessions. This setting triggers an immediate screen lock when the user withdraws the card from the reader, requiring the card’s return to unlock the station.
The authselect service enables you to configure your smart card authentication to lock your screen instantly after removing the smart card from the reader. The authselect command must include the following variables:
- with-smartcard: enables smart card authentication
- with-smartcard-required: enables exclusive smart card authentication (authentication with a password is disabled)
- with-smartcard-lock-on-removal: enforces log out after the smart card is removed
Note: The with-smartcard-lock-on-removal option only works on systems with the GNOME desktop environment. If you are using a system that is tty or console based and you remove your smart card from its reader, you are not automatically locked out of the system.
Prerequisites
- The smart card contains your certificate and private key.
- The card is inserted into the reader and connected to the computer.
- The authselect tool is installed on your local system.
Procedure
Enter the following command to enable smart card authentication, disable password authentication, and enforce lock on removal:
# authselect select sssd with-smartcard with-smartcard-required with-smartcard-lock-on-removal --force
Now, when you remove the card, the screen locks. You must re-insert your smart card to unlock it.
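As an added example that is not part of the Red Hat documentation, the following POSIX shell script parses the "Enabled features" list printed by `authselect current` and reports which of the three configurations from sections 7.3 to 7.5 a host is in, which is a useful pre-flight check before running the with-smartcard-required command that disables password login. The sample authselect output embedded in the script is constructed for the example; on a live host you would pipe `authselect current` into `classify_profile` instead.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation. Classifies the smart card
# configuration of an authselect profile from the output of `authselect current`.
# The sample output below is constructed for this example.

SAMPLE_OUTPUT='Profile ID: sssd
Enabled features:
- with-smartcard
- with-smartcard-required'

# enabled_features: read `authselect current` output on stdin and print the
# feature names listed under "Enabled features:", one per line.
# The literal "None" that authselect prints when no feature is enabled does not
# match the "- name" pattern, so an empty profile yields no lines.
enabled_features() {
    sed -n 's/^- \([A-Za-z0-9_-]*\).*/\1/p'
}

# has_feature NAME: exit 0 when NAME appears as a whole line on stdin.
has_feature() {
    grep -qx -- "$1"
}

# classify_profile: read `authselect current` output on stdin and print one of
#   password-only       no smart card feature enabled
#   hybrid              with-smartcard only (section 7.3)
#   card-required       with-smartcard + with-smartcard-required (section 7.4)
#   card-required-lock  the above plus with-smartcard-lock-on-removal (section 7.5)
classify_profile() {
    feats=$(enabled_features)
    if ! printf '%s\n' "$feats" | has_feature with-smartcard; then
        echo password-only
    elif ! printf '%s\n' "$feats" | has_feature with-smartcard-required; then
        echo hybrid
    elif printf '%s\n' "$feats" | has_feature with-smartcard-lock-on-removal; then
        echo card-required-lock
    else
        echo card-required
    fi
}

# Stand-alone run against the constructed sample (prints "card-required").
printf '%s\n' "$SAMPLE_OUTPUT" | classify_profile
```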