
Chapter 7. Configuring smart card authentication using authselect


Configure smart card authentication by using the authselect tool to increase workstation security and simplify user login. This utility manages system-wide authentication profiles and supports options ranging from hybrid password-or-card access to strict card-only enforcement with automatic screen locking.

You can configure smart card authentication to achieve one of the following goals:

  • Enable both password and smart card authentication
  • Disable password and enable smart card authentication
  • Enable lock on removal

7.1. Certificates eligible for smart cards

Smart card configuration relies on valid cryptographic credentials. Before you can configure a smart card with authselect, you must import a certificate into your card. You can provision cards using certificates issued by the following providers:

  • Active Directory (AD)
  • Identity Management (IdM)
  • Red Hat Certificate System (RHCS)
  • Third-party Certification Authority (CA)
  • Local Certification Authority. You can use a certificate generated by the Local Certification Authority if the user is not part of a domain or for testing purposes.

7.2. Configuring smart card authentication with authselect

Configure smart card authentication on your system using the authselect tool. You can enable hybrid password and smart card access to provide a backup login method, enforce strict card-only authentication, or configure automatic screen locking when the card is removed.

The authselect command includes the following options for smart card configuration:

  • with-smartcard — enables smart card authentication in addition to password authentication
  • with-smartcard-required — enables smart card authentication and disables password authentication
  • with-smartcard-lock-on-removal — enforces automatic screen lock when the smart card is removed

Prerequisites

  • The smart card contains your certificate and private key.
  • The card is inserted into the reader and connected to the computer.

Procedure

  1. Choose one of the following configuration options based on your security requirements to enable smart card authentication:

    1. Enable both smart card and password authentication:

      # authselect select sssd with-smartcard --force

      This configuration permits users to authenticate with either a smart card or a password, which preserves access if the smart card is unavailable.

    2. Enforce smart card authentication only:

      # authselect select sssd with-smartcard with-smartcard-required --force
      Important

      After running this command, users can no longer authenticate using their passwords. Ensure smart card authentication is functional before you apply this change, or the users might be locked out of their systems.

    3. Enforce smart card authentication with automatic lock on removal:

      # authselect select sssd with-smartcard with-smartcard-required with-smartcard-lock-on-removal --force

      This configuration links the active session to the physical presence of the smart card. Removal of the token triggers an immediate screen lock that requires card re-insertion for access.

  2. Configure SSSD to enable smart card authentication by adding the following line to the [pam] section of /etc/sssd/sssd.conf:

    [pam]
    pam_cert_auth = True
  3. Restart the SSSD service to apply the changes:

    # systemctl restart sssd
    Note

    Authentication with pam_cert_auth = True reads the certificate from the smart card, which might take several seconds.
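The complete procedure above, as an added example that is not part of the original documentation: a POSIX shell script that selects one of the three authselect profiles, sets pam_cert_auth = True in the [pam] section of sssd.conf idempotently (writing through the existing file so its root-only 0600 mode, which SSSD requires, is preserved), restarts SSSD, and prints the resulting profile for verification. The mode names hybrid, required and lock, the SSSD_CONF and SMARTCARD_LOGIN_VERIFIED variables, and the helper function names are this script's own conventions, not authselect options.

```shell
#!/bin/sh
# Added example (not from the original documentation): apply one of the three
# authselect smart card profiles from the procedure above, set
# pam_cert_auth = True in sssd.conf, restart sssd and show the result.
# Usage (as root):  ./smartcard-auth.sh apply hybrid|required|lock
set -eu

# Path is overridable so the config editing can be exercised on a copy.
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"

# Map this script's own mode names to the authselect feature lists used in the
# procedure. Returns 1 on an unknown mode so a typo cannot select the wrong profile.
smartcard_features() {
    case "$1" in
        hybrid)   echo "with-smartcard" ;;
        required) echo "with-smartcard with-smartcard-required" ;;
        lock)     echo "with-smartcard with-smartcard-required with-smartcard-lock-on-removal" ;;
        *)        echo "unknown mode: $1 (expected hybrid, required or lock)" >&2; return 1 ;;
    esac
}

# Ensure exactly one "pam_cert_auth = True" line exists in the [pam] section of
# the given sssd.conf: replaces an existing pam_cert_auth line (e.g. = False),
# adds the key to an existing [pam] section, or creates the section if absent.
# Running it twice leaves the file unchanged.
set_pam_cert_auth() {
    conf="$1"
    tmp=$(mktemp)
    awk '
        function flush_pam() {
            # Leaving [pam] (or reaching EOF) without the key written: add it, then
            # emit the blank lines held back so the key lands inside the section.
            if (in_pam && !done) { print "pam_cert_auth = True"; done = 1 }
            printf "%s", held; held = ""
        }
        BEGIN { in_pam = 0; seen_pam = 0; done = 0; held = "" }
        /^[ \t]*\[/ {
            flush_pam()
            in_pam = ($0 ~ /^[ \t]*\[pam\][ \t]*$/)
            if (in_pam) seen_pam = 1
            print; next
        }
        in_pam && /^[ \t]*$/ { held = held $0 "\n"; next }
        in_pam { printf "%s", held; held = "" }
        in_pam && /^[ \t]*pam_cert_auth[ \t]*=/ {
            if (!done) { print "pam_cert_auth = True"; done = 1 }
            next
        }
        { print }
        END {
            flush_pam()
            if (!seen_pam) print "\n[pam]\npam_cert_auth = True"
        }
    ' "$conf" > "$tmp"
    # Write through the existing inode: sssd refuses to start unless sssd.conf is
    # root-owned with mode 0600, and mv would replace it with the temp file's
    # permissions and SELinux context.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Print the effective pam_cert_auth value from the [pam] section (empty if unset).
pam_cert_auth_value() {
    awk -F= '
        /^[ \t]*\[/ { in_pam = ($0 ~ /^[ \t]*\[pam\][ \t]*$/); next }
        in_pam && $1 ~ /^[ \t]*pam_cert_auth[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
        }
    ' "$1"
}

apply_smartcard_auth() {
    mode="$1"
    features=$(smartcard_features "$mode") || return 1
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    # with-smartcard-required disables password login for login services (see the
    # Important note above). SMARTCARD_LOGIN_VERIFIED is this script's own guard:
    # set it only after a smart card login has succeeded with the hybrid profile.
    if [ "$mode" != hybrid ] && [ "${SMARTCARD_LOGIN_VERIFIED:-}" != yes ]; then
        echo "refusing '$mode': verify smart card login first, then rerun with SMARTCARD_LOGIN_VERIFIED=yes" >&2
        return 1
    fi
    # 'authselect select' replaces the whole feature set: check 'authselect current'
    # first and re-add features you rely on (for example with-mkhomedir).
    # shellcheck disable=SC2086  # word splitting of $features is intended
    authselect select sssd $features --force
    set_pam_cert_auth "$SSSD_CONF"
    systemctl restart sssd
    authselect current   # expect "Profile ID: sssd" and the requested features
    authselect check     # confirms the generated PAM/nsswitch files match the profile
}

# Only act when asked; running or sourcing without arguments just defines the functions.
case "${1:-}" in
    apply) apply_smartcard_auth "${2:?usage: $0 apply hybrid|required|lock}" ;;
    "")    : ;;
    *)     echo "usage: $0 apply hybrid|required|lock" >&2; exit 2 ;;
esac
```

Run the hybrid mode first, confirm that a smart card login works, and only then rerun with required or lock; the script refuses the stricter modes until SMARTCARD_LOGIN_VERIFIED=yes is set for exactly the reason the Important note gives.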

7.3. Smart card authentication options in RHEL

The authselect command configures system-wide authentication behavior. You can enforce exclusive smart card use, allow hybrid password access, or trigger automatic session locking when the card is removed, to meet specific security policies.

You can configure how smart card authentication works on a particular Identity Management (IdM) client by using the authselect enable-feature <smartcard_option> command. The following smart card options are available:

  • with-smartcard: Users can authenticate with the user name and password or with their smart card.
  • with-smartcard-required: Users can authenticate with their smart cards, and password authentication is disabled. You cannot access the system without your smart card. Once you have authenticated with your smart card, you can stay logged in even if your smart card is removed from its reader.

    Note

    The with-smartcard-required option only enforces exclusive smart card authentication for login services, such as login, gdm, xdm, xscreensaver, and gnome-screensaver. For other services, such as su or sudo for switching users, smart card authentication is not enforced and if your smart card is not inserted, you are prompted for a password.

  • with-smartcard-lock-on-removal: Users can authenticate with their smart card. However, if you remove your smart card from its reader, you are automatically locked out of the system. You cannot use password authentication.

    Note

    The with-smartcard-lock-on-removal option only works on systems with the GNOME desktop environment. If you are using a system that is tty or console based and you remove your smart card from its reader, you are not automatically locked out of the system.
