Chapter 7. Configuring smart card authentication using authselect
This section describes how to configure your smart card to achieve one of the following aims:
- Enable both password and smart card authentication
- Disable password and enable smart card authentication
- Enable lock on removal
Prerequisites
Authselect installed
The authselect tool configures user authentication on Linux hosts and you can use it to configure smart card authentication parameters. For details about authselect, see Configuring user authentication using authselect.
Smart Card or USB devices supported by RHEL 9
For details, see Smart Card support in RHEL9.
7.1. Certificates eligible for smart cards
Before you can configure a smart card with authselect
, you must import a certificate into your card. You can use the following tools to generate the certificate:
- Active Directory (AD)
Identity Management (IdM)
For details about how to create IdM certificates, see Requesting a new user certificate and exporting it to the client.
Red Hat Certificate System (RHCS)
For details, see Managing Smart Cards with the Enterprise Security Client.
- Third-party Certification Authority (CA)
Local Certification Authority. You can use a certificate generated by the Local Certification Authority if the user is not part of a domain or for testing purposes.
For details about how to create and import local certificates into a smart card, Configuring and importing local certificates to a smart card.
7.2. Configure your system to enable both smart card and password authentication
Follow this procedure to enable both smart card and password authentication on your system.
Prerequisites
- The Smart card contains your certificate and private key.
- The card is inserted into the reader and connected to the computer.
-
The
authselect
tool is installed on your system.
Procedure
Enter the following command to allow smart card and password authentication:
# authselect select sssd with-smartcard --force
At this point, smart card authentication is enabled, however, password authentication will work if you forget your smart card at home.
7.3. Configuring your system to enforce smart card authentication
The authselect
tool enables you to configure smart card authentication on your system and to disable the default password authentication. The authselect
command includes the following options:
-
with-smartcard
— enables smart card authentication in addition to password authentication -
with-smartcard-required
— enables smart card authentication and disables password authentication
The with-smartcard-required
option only enforces exclusive smart card authentication for login services, such as login
, gdm
, xdm
, kdm
, xscreensaver
, gnome-screensaver
, and kscreensaver
. Other services, such as su
or sudo
for switching users, do not use smart card authentication by default and will continue to prompt you for a password.
Prerequisites
- Smart card contains your certificate and private key.
- The card is inserted into the reader and connected to the computer.
-
The
authselect
tool is installed on your local system.
Procedure
Enter the following command to enforce smart card authentication:
# authselect select sssd with-smartcard with-smartcard-required --force
Once you run this command, password authentication will no longer work and you can only log in with a smart card. Ensure smart card authentication is working before running this command or you may be locked out of your system.
7.4. Configuring smart card authentication with lock on removal
The authselect
service enables you to configure your smart card authentication to lock your screen instantly after removing the smart card from the reader. The authselect
command must include the following variables:
-
with-smartcard
— enabling smart card authentication -
with-smartcard-required
— enabling exclusive smart card authentication (authentication with a password is disabled) with-smartcard-lock-on-removal
— enforcing log out after the smart card removalNoteThe
with-smartcard-lock-on-removal
option only works on systems with the GNOME desktop environment. If you are using a system that istty
or console based and you remove your smart card from its reader, you are not automatically locked out of the system.
Prerequisites
- Smart card contains your certificate and private key.
- The card is inserted into the reader and connected to the computer.
-
The
authselect
tool is installed on your local system.
Procedure
Enter the following command to enable smart card authentication, disable password authentication, and enforce lock on removal:
# authselect select sssd with-smartcard with-smartcard-required with-smartcard-lock-on-removal --force
Now, when you remove the card, the screen locks. You must re-insert your smart card to unlock it.