9.7. Smart Cards
Authentication based on smart cards is an alternative to passwords. User credentials are stored on the smart card, and special software and hardware are used to access them. To authenticate this way, the user must place the smart card into a reader and then supply the PIN code for the smart card.
Red Hat Enterprise Linux 6 clients can use local smart card authentication if they run SSSD and are enrolled with an Identity Management server based on Red Hat Enterprise Linux 7.3 or later.
9.7.1. Smart Card and Smart Card Reader Support in Identity Management
If your smart card is supported by the coolkey package, the required PKCS #11 module is already present in the central /etc/pki/nssdb/ NSS database after the coolkey package is installed.
If your smart card is not supported, run the following steps:
- Add the required PKCS #11 module manually using the modutil utility. For example:

      [root@ipaclient ~]# modutil -dbdir /etc/pki/nssdb/ -add "My PKCS#11 module" -libfile libmypkcs11.so
      ...
      Module "My PKCS#11 Module" added to database.

  For detailed information on using modutil, see the modutil(1) man page.
- Add all certificate authority (CA) certificates to the NSS database that are required to validate the certificate on the smart card. For example, to add the CA certificate in the ca_certificate.pem file to the NSS database:

      [root@ipaclient ~]# certutil -A -d /etc/pki/nssdb/ -n 'CA certificate' -t CT,C,C -a -i ca_certificate.pem

  For detailed information on using certutil, see the certutil(1) man page.
9.7.2. Exporting a Certificate From a Smart Card
- Place the smart card into the reader.
- Run the following command to list the certificates on the smart card:

      [user@ipaclient ~]$ certutil -L -d /etc/pki/nssdb/ -h all
      Certificate Nickname                 Trust Attributes
                                           SSL,S/MIME,JAR/XPI
      my_certificate                       CT,C,C

  In the output, locate the certificate to use for authentication, and note its nickname.
- To extract the certificate in Base64 format to user.crt, use the nickname from the previous step:

      [user@ipaclient ~]$ certutil -L -d /etc/pki/nssdb/ -n 'my_certificate' -r | base64 -w 0 > user.crt

  The base64 utility is part of the coreutils package.
9.7.3. Storing Smart Card Certificates for IdM Users
To store a smart card certificate for a user, add the certificate on a Red Hat Enterprise Linux 7 server. See Managing Certificates Issued by External CAs in the Linux Domain Identity, Authentication, and Policy Guide.
9.7.4. Smart Card Authentication on Identity Management Clients
Red Hat Identity Management (IdM) supports two smart card-based authentication options:
- Local authentication
  - Text console
  - Graphical console, such as the Gnome Display Manager (GDM)
  - Local authentication services, like su or sudo
- Remote authentication with ssh
  - Certificates on a smart card are stored together with the PIN-protected SSH private key.
Note
IdM only supports the above-mentioned local authentication services and ssh for smart card authentication. Other services, such as FTP, are not supported.
With SSSD-based smart card authentication configured, the system prompts for the smart card PIN code after the user attempts to log in. The user is successfully authenticated if the supplied PIN is correct, the certificate on the smart card is valid and belongs to the user attempting to log in, and other configurable criteria are met.
9.7.4.1. Configuring Smart Card Authentication on an IdM Client
To be able to authenticate using smart cards on a client, run the following steps:
- To enable smart card support, allow SSSD to prompt for a password, a one-time password (OTP), or the smart card PIN. To do this, modify the auth lines of the /etc/pam.d/password-auth and /etc/pam.d/system-auth PAM configuration files.
  - Remove the following lines of the default /etc/pam.d/password-auth:

        auth        required      pam_env.so
        auth        sufficient    pam_unix.so nullok try_first_pass
        auth        requisite     pam_succeed_if.so uid >= 500 quiet
        auth        sufficient    pam_sss.so use_first_pass
        auth        required      pam_deny.so

    Replace them with these lines:

        auth        required      pam_env.so
        auth        [default=1 success=ok] pam_localuser.so
        auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
        auth        requisite     pam_succeed_if.so uid >= 500 quiet
        auth        sufficient    pam_sss.so forward_pass
        auth        required      pam_deny.so

  - Similarly, remove the following lines of the default /etc/pam.d/system-auth:

        auth        required      pam_env.so
        auth        sufficient    pam_unix.so nullok try_first_pass
        auth        requisite     pam_succeed_if.so uid >= 500 quiet
        auth        sufficient    pam_sss.so use_first_pass
        auth        required      pam_deny.so

    Replace them with these lines:

        auth        required      pam_env.so
        auth        [default=1 success=ok] pam_localuser.so
        auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
        auth        requisite     pam_succeed_if.so uid >= 500 quiet
        auth        sufficient    pam_sss.so forward_pass
        auth        required      pam_deny.so

- Set the following option in your /etc/sssd/sssd.conf to true:

      [pam]
      pam_cert_auth=true

- Restart SSSD:

      [root@ipaclient ~]# systemctl restart sssd
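As an added verification step (example code, not part of this guide), the shell function below checks that a client carries the PAM stack and the sssd.conf setting the procedure above requires. It assumes a directory holding pam.d/ and sssd.conf (pass /etc to check a real host) and constructs one correct and one unmodified sample tree so it can run offline.

```shell
#!/bin/sh
# Constructed sample trees (not real host files) so the check runs offline.
GOOD=$(mktemp -d); BAD=$(mktemp -d)
mkdir -p "$GOOD/pam.d" "$BAD/pam.d"
for f in password-auth system-auth; do
  cat > "$GOOD/pam.d/$f" <<'EOF'
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
EOF
  cat > "$BAD/pam.d/$f" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
EOF
done
printf '[pam]\npam_cert_auth=true\n' > "$GOOD/sssd.conf"
printf '[pam]\npam_cert_auth=false\n' > "$BAD/sssd.conf"

# Returns 0 when both PAM files carry the smart-card auth stack and sssd.conf
# enables certificate auth in its [pam] section; prints the first gap otherwise.
check_smartcard_auth() {   # $1 = directory holding pam.d/ and sssd.conf
  for f in "$1"/pam.d/password-auth "$1"/pam.d/system-auth; do
    grep -Eq '^auth[[:space:]]+\[default=1 success=ok\][[:space:]]+pam_localuser\.so' "$f" \
      || { echo "$f: pam_localuser.so line missing"; return 1; }
    grep -Eq '^auth[[:space:]]+\[success=done ignore=ignore default=die\][[:space:]]+pam_unix\.so' "$f" \
      || { echo "$f: pam_unix.so control flags missing"; return 1; }
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_sss\.so[[:space:]]+forward_pass' "$f" \
      || { echo "$f: pam_sss.so forward_pass missing"; return 1; }
    # A leftover use_first_pass line means the PIN prompt never reaches pam_sss.
    grep -Eq '^auth.*pam_sss\.so.*use_first_pass' "$f" \
      && { echo "$f: stale pam_sss.so use_first_pass line"; return 1; }
  done
  # SSSD reads pam_cert_auth from the [pam] section, so only that section counts.
  awk -F= '/^\[/ {sec=$0}
           sec=="[pam]" && $1 ~ /^[[:space:]]*pam_cert_auth[[:space:]]*$/ {
             v=$2; gsub(/[[:space:]]/, "", v); if (v=="true") ok=1 }
           END { exit (ok ? 0 : 1) }' "$1/sssd.conf" \
    || { echo "$1/sssd.conf: pam_cert_auth=true not set in [pam]"; return 1; }
  return 0
}
```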
9.7.4.2. SSH Log in Using a Smart Card
If you are logging in with ssh when authenticating with a smart card, you have to additionally specify the path to the smart card reader module. For example:

    $ ssh -I /usr/lib/libmypkcs11.so -l user@example.com host.example.com
    Enter PIN for 'Smart Card':