11.4. Setting up a Kerberos Client for Smart Cards
Smart cards can be used with Kerberos, but the client needs additional configuration before the X.509 user certificates stored on the card can be used for PKINIT pre-authentication in place of a password:
- Install the PKINIT pre-authentication plug-in package (krb5-pkinit, which supplies the OpenSSL-based PKINIT module), along with the other client packages:
[root@server ~]# yum install krb5-pkinit
[root@server ~]# yum install krb5-workstation krb5-libs
- Edit the /etc/krb5.conf configuration file to add a parameter for the public key infrastructure (PKI) to the [realms] section of the configuration. The pkinit_anchors parameter sets the location of the CA certificate bundle file. The client uses these anchors to verify the certificate the KDC presents in its PKINIT reply, so the bundle must contain the CA that issued the KDC's certificate; if it does not, the KDC reply is rejected and PKINIT fails.
[realms]
EXAMPLE.COM = {
    kdc = kdc.example.com.:88
    admin_server = kdc.example.com
    default_domain = example.com
    ...
    pkinit_anchors = FILE:/usr/local/example.com.crt
}
- Add the PKI module information to the PAM configuration for both smart card authentication (/etc/pam.d/smartcard-auth) and system authentication (/etc/pam.d/system-auth). The line to be added to both files is as follows:
auth optional pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so
The preauth_options value tells the Kerberos library which PKCS#11 module to load in order to find the certificate and private key on the card; use_first_pass reuses the PIN already collected earlier in the stack instead of prompting again. Because the control flag is optional, a PKINIT failure on its own does not deny the login; it only means no ticket-granting ticket is obtained, and the decision still rests on the other auth modules in the stack.
If the OpenSC module does not work as expected, use the module from the coolkey package, /usr/lib64/pkcs11/libcoolkeypk11.so. In this case, consider contacting Red Hat Technical Support or filing a Bugzilla report about the problem.
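The following helper script, added here as an example and not part of the Red Hat guide, checks the three pieces of the client setup above before anyone plugs in a card: that pkinit_anchors is present in the right realm stanza of krb5.conf and points at a readable CA bundle (or directory), and that the pam_krb5 line names a PKCS#11 module that actually exists on disk. It then offers an end-to-end test that requests a TGT with the card using kinit's -X X509_user_identity option. The realm EXAMPLE.COM, the file paths and the function names are assumptions for illustration; the only real interfaces it relies on are the krb5.conf stanza syntax, the PAM line shown above and the kinit -X option.

```shell
#!/bin/sh
# Added verification helpers for the PKINIT smart-card client setup.
# Not from the Red Hat guide; realm and paths are example assumptions.

# Print the value of KEY inside the stanza for REALM in the [realms]
# section of a krb5.conf file. Other sections and other realms are
# ignored, so a pkinit_anchors misplaced elsewhere is not reported.
# Usage: realm_setting /etc/krb5.conf EXAMPLE.COM pkinit_anchors
realm_setting() {
    awk -v realm="$2" -v key="$3" '
        /^[[:space:]]*\[/ { section = $1 }
        section == "[realms]" && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && /^[[:space:]]*}/ { inrealm = 0 }
        inrealm && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Check that a pkinit_anchors value points at something usable:
# FILE: must be a readable PEM bundle, DIR: an existing directory.
check_anchor() {
    case "$1" in
        FILE:*) f=${1#FILE:}; [ -r "$f" ] && grep -q 'BEGIN CERTIFICATE' "$f" ;;
        DIR:*)  [ -d "${1#DIR:}" ] ;;
        *)      return 1 ;;
    esac
}

# Extract the PKCS#11 module path from the pam_krb5 preauth_options
# line of a PAM file, so the same module can be handed to kinit.
pam_pkcs11_module() {
    sed -n 's/.*pam_krb5\.so.*X509_user_identity=PKCS11:\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Run the static checks against real files and report each failure.
# Usage: pkinit_check EXAMPLE.COM [/etc/krb5.conf] [/etc/pam.d/system-auth]
pkinit_check() {
    realm=$1; conf=${2:-/etc/krb5.conf}; pamf=${3:-/etc/pam.d/system-auth}
    rc=0
    anchors=$(realm_setting "$conf" "$realm" pkinit_anchors)
    if [ -z "$anchors" ]; then
        echo "FAIL: no pkinit_anchors in the $realm stanza of $conf" >&2; rc=1
    elif ! check_anchor "$anchors"; then
        echo "FAIL: pkinit_anchors=$anchors is not a readable CA bundle or directory" >&2; rc=1
    fi
    module=$(pam_pkcs11_module "$pamf")
    if [ -z "$module" ]; then
        echo "FAIL: no pam_krb5 X509_user_identity line in $pamf" >&2; rc=1
    elif [ ! -r "$module" ]; then
        echo "FAIL: PKCS#11 module $module not found (try the coolkey module)" >&2; rc=1
    fi
    return $rc
}

# Interactive end-to-end test: obtain a TGT with the card's certificate
# instead of a password. kinit prompts for the PIN; klist shows the result.
# Usage: pkinit_login /usr/lib64/pkcs11/opensc-pkcs11.so user@EXAMPLE.COM
pkinit_login() {
    kinit -X X509_user_identity="PKCS11:$1" "$2" && klist
}
```

Run pkinit_check first; if it passes but pkinit_login still fails, the problem is on the card or KDC side (wrong CA in the bundle for the KDC's certificate, or a client certificate the KDC does not map to the principal) rather than in the client files edited above.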