Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 5. Configuring smart card authentication with the web console for centrally managed users

Configure smart card authentication for centrally managed users in the RHEL web console. This security measure helps to provide physical access control for administrative and regular users.

You can configure smart card authentication in the RHEL web console for users who are centrally managed by:

  • Identity Management
  • Active Directory which is connected in the cross-forest trust with Identity Management

5.1. Prerequisites
Copiar enlace

5.2. Smart-card authentication for centrally managed users
Copiar enlace

Use smart card authentication to provide strong authentication for centrally managed users. This method links the user’s account to a physical credential, enhancing security for systems within the Identity Management domain.

A smart card is a physical device, which can provide personal authentication by using certificates stored on the card. Personal authentication means that you can use smart cards in the same way as user passwords.

You can store user credentials on the smart card in the form of a private key and a certificate. Special software and hardware is used to access them. You insert the smart card into a reader or a USB socket and supply the PIN code for the smart card instead of providing your password.

Identity Management (IdM) supports smart-card authentication with:

Note

If you want to start using smart card authentication, see the hardware requirements: Smart Card support in RHEL8+.

5.3. Enabling smart-card authentication for the web console
Copiar enlace

Enable smart card authentication specifically for the RHEL web console. This lets centrally managed users securely log in by using their smart card credentials and the IdM domain policy.

To use smart-card authentication in the web console, enable this authentication method in the cockpit.conf file. Additionally, you can disable password authentication in the same file.

Prerequisites

Procedure

  1. Log in to the RHEL 10 web console.
  2. Click Terminal.

  3. In the /etc/cockpit/cockpit.conf, set the ClientCertAuthentication to yes: 

    [WebService]
ClientCertAuthentication = yes
    Copy to Clipboard Toggle word wrap

  4. Optional: Disable password-based authentication in cockpit.conf with: 

    [Basic]
action = none
    Copy to Clipboard Toggle word wrap

    This configuration disables password authentication and you must always use the smart card.

  5. Restart the web console to ensure that the cockpit.service accepts the change: 

    # systemctl restart cockpit
    Copy to Clipboard Toggle word wrap

5.4. Logging in to the web console with smart cards
Copiar enlace

You can log in to the RHEL web console with your smart card credentials. This uses the configured smart card policy for secure access by centrally managed users.

Prerequisites

  • A valid certificate stored in your smart card that is associated to a user account created in an Active Directory or Identity Management domain.
  • PIN to unlock the smart card.
  • The smart card has been put into the reader.

Procedure

  1. Log in to the RHEL 10 web console.

    The browser asks you to add the PIN protecting the certificate stored on the smart card.

  2. In the Password Required dialog box, enter PIN and click OK.
  3. In the User Identification Request dialog box, select the certificate stored in the smart card.

  4. Select Remember this decision.

    The system does not open this window next time.

    Note

    This step does not apply to Google Chrome users.

  5. Click OK.

    You are now connected and the web console displays its content.

5.5. Enabling passwordless sudo authentication for smart-card users
Copiar enlace

You can enable passwordless sudo authentication for smart-card users. This enables users to perform administrative tasks without entering a password, further improving operational efficiency and security.

As an alternative, if you use RHEL Identity Management, you can declare the initial web console certificate as trusted for authentication with sudo, SSH, or other services. For that purpose, the web console automatically creates an S4U2Proxy Kerberos ticket in the user session.

In the following example, the web console session runs on host.example.com and is trusted to access its own host with sudo. Additionally, the example steps add a second trusted host - remote.example.com.

Prerequisites

Procedure

  1. Set up constraint delegation rules to list which hosts the ticket can access.

    • Create the following example delegation:

      • Enter the following commands to add a list of target machines a particular rule can access: 

        # ipa servicedelegationtarget-add cockpit-target
        Copy to Clipboard Toggle word wrap 
        # ipa servicedelegationtarget-add-member cockpit-target \ --principals=host/host.example.com@EXAMPLE.COM \ --principals=host/remote.example.com@EXAMPLE.COM
        Copy to Clipboard Toggle word wrap

      • To enable the web console sessions (HTTP/principal) to access that host list, use the following commands: 

        # ipa servicedelegationrule-add cockpit-delegation
        Copy to Clipboard Toggle word wrap 
        # ipa servicedelegationrule-add-member cockpit-delegation \ --principals=HTTP/host.example.com@EXAMPLE.COM
        Copy to Clipboard Toggle word wrap 
        # ipa servicedelegationrule-add-target cockpit-delegation \ --servicedelegationtargets=cockpit-target
        Copy to Clipboard Toggle word wrap

  2. Enable GSS authentication in the corresponding services:

    1. For sudo, enable the pam_sss_gss module in the /etc/sssd/sssd.conf file:

      1. As root, add an entry for your domain to the /etc/sssd/sssd.conf configuration file. 

        [domain/example.com]
pam_gssapi_services = sudo, sudo-i
        Copy to Clipboard Toggle word wrap

      2. Enable the module in the /etc/pam.d/sudo file on the first line. 

        auth sufficient pam_sss_gss.so
        Copy to Clipboard Toggle word wrap

    2. For SSH, update the GSSAPIAuthentication option in the /etc/ssh/sshd_config file to yes.

      Warning

      The delegated S4U ticket is not forwarded to remote SSH hosts when connecting to them from the web console. Authenticating to sudo on a remote host with your ticket will not work.

Verification

  1. Log in to the web console using a smart card.
  2. Click the Limited access button.
  3. Authenticate using your smart card.
  4. Alternatively: Try to connect to a different host with SSH.

5.6. Limiting user sessions and memory to prevent a DoS attack
Copiar enlace

Limit user sessions and memory consumption for the web console service by changing the corresponding systemd configuration. This measure helps mitigate the risk of denial-of-service (DoS) attacks on the cockpit-ws web server.

A certificate authentication is protected by separating and isolating instances of the cockpit-ws web server against attackers who wants to impersonate another user. However, this introduces a potential DoS attack: A remote attacker could create a large number of certificates and send a large number of HTTPS requests to cockpit-ws each using a different certificate.

To prevent such DoS attacks, the collective resources of these web server instances are limited. By default, limits on the number of connections and memory usage are set to 200 threads and 75 % as a soft limit or 90 % as a hard limit.

The example procedure demonstrates resource protection by limiting the number of connections and the amount of allocated memory.

Procedure

  1. In the terminal, open the system-cockpithttps.slice configuration file: 

    # systemctl edit system-cockpithttps.slice
    Copy to Clipboard Toggle word wrap

  2. Limit the TasksMax to 100 and CPUQuota to 30%: 

    [Slice]
# change existing value
TasksMax=100
# add new restriction
CPUQuota=30%
    Copy to Clipboard Toggle word wrap

  3. To apply the changes, restart the system: 

    # systemctl daemon-reload
    Copy to Clipboard Toggle word wrap 
    # systemctl stop cockpit
    Copy to Clipboard Toggle word wrap
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2026 Red HatVolver arriba