Este contenido no está disponible en el idioma seleccionado.
Chapter 6. Configuring smart card authentication with local certificates
To configure smart card authentication with local certificates:
- The host is not connected to a domain.
- You want to authenticate with a smart card on this host.
- You want to configure SSH access using smart card authentication.
-
You want to configure the smart card with
authselect
.
Use the following configuration to accomplish this scenario:
Obtain a user certificate for the user who wants to authenticate with a smart card. The certificate should be generated by a trustworthy Certification Authority used in the domain.
If you cannot get the certificate, you can generate a user certificate signed by a local certificate authority for testing purposes,
- Store the certificate and private key in a smart card.
- Configure the smart card authentication for SSH access.
If a host can be part of the domain, add the host to the domain and use certificates generated by Active Directory or Identity Management Certification Authority.
For details about how to create IdM certificates for a smart card, see Configuring Identity Management for smart card authentication.
Prerequisites
Authselect installed
The authselect tool configures user authentication on Linux hosts and you can use it to configure smart card authentication parameters. For details about authselect, see Explaining authselect.
Smart Card or USB devices supported by RHEL 8
For details, see Smart Card support in RHEL8.
6.1. Creating local certificates
Follow this procedure to perform the following tasks:
- Generate the OpenSSL certificate authority
- Create a certificate signing request
The following steps are intended for testing purposes only. Certificates generated by a local self-signed Certificate Authority are not as secure as using AD, IdM, or RHCS Certification Authority. You should use a certificate generated by your enterprise Certification Authority even if the host is not part of the domain.
Procedure
Create a directory where you can generate the certificate, for example:
# mkdir /tmp/ca # cd /tmp/ca
Set up the certificate (copy this text to your command line in the
ca
directory):cat > ca.cnf <<EOF [ ca ] default_ca = CA_default [ CA_default ] dir = . database = \$dir/index.txt new_certs_dir = \$dir/newcerts certificate = \$dir/rootCA.crt serial = \$dir/serial private_key = \$dir/rootCA.key RANDFILE = \$dir/rand default_days = 365 default_crl_days = 30 default_md = sha256 policy = policy_any email_in_dn = no name_opt = ca_default cert_opt = ca_default copy_extensions = copy [ usr_cert ] authorityKeyIdentifier = keyid, issuer [ v3_ca ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:true keyUsage = critical, digitalSignature, cRLSign, keyCertSign [ policy_any ] organizationName = supplied organizationalUnitName = supplied commonName = supplied emailAddress = optional [ req ] distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] O = Example OU = Example Test CN = Example Test CA EOF
Create the following directories:
# mkdir certs crl newcerts
Create the following files:
# touch index.txt crlnumber index.txt.attr
Write the number 01 in the serial file:
# echo 01 > serial
This command writes a number 01 in the serial file. It is a serial number of the certificate. With each new certificate released by this CA the number increases by one.
Create an OpenSSL root CA key:
# openssl genrsa -out rootCA.key 2048
Create a self-signed root Certification Authority certificate:
# openssl req -batch -config ca.cnf \ -x509 -new -nodes -key rootCA.key -sha256 -days 10000 \ -set_serial 0 -extensions v3_ca -out rootCA.crt
Create the key for your username:
# openssl genrsa -out example.user.key 2048
This key is generated in the local system which is not secure, therefore, remove the key from the system when the key is stored in the card.
You can create a key directly in the smart card as well. For doing this, follow instructions created by the manufacturer of your smart card.
Create the certificate signing request configuration file (copy this text to your command line in the ca directory):
cat > req.cnf <<EOF [ req ] distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] O = Example OU = Example Test CN = testuser [ req_exts ] basicConstraints = CA:FALSE nsCertType = client, email nsComment = "testuser" subjectKeyIdentifier = hash keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin subjectAltName = otherName:msUPN;UTF8:testuser@EXAMPLE.COM, email:testuser@example.com EOF
Create a certificate signing request for your example.user certificate:
# openssl req -new -nodes -key example.user.key \ -reqexts req_exts -config req.cnf -out example.user.csr
Configure the new certificate. Expiration period is set to 1 year:
# openssl ca -config ca.cnf -batch -notext \ -keyfile rootCA.key -in example.user.csr -days 365 \ -extensions usr_cert -out example.user.crt
At this point, the certification authority and certificates are successfully generated and prepared for import into a smart card.
6.2. Copying certificates to the SSSD directory
GNOME Desktop Manager (GDM) requires SSSD. If you use GDM, you need to copy the PEM certificate to the /etc/sssd/pki
directory.
Prerequisites
- The local CA authority and certificates have been generated
Procedure
Ensure that you have SSSD installed on the system.
# rpm -q sssd sssd-2.0.0.43.el8_0.3.x86_64
Create a
/etc/sssd/pki
directory:# file /etc/sssd/pki /etc/sssd/pki/: directory
Copy the
rootCA.crt
as a PEM file in the/etc/sssd/pki/
directory:# cp /tmp/ca/rootCA.crt /etc/sssd/pki/sssd_auth_ca_db.pem
Now you have successfully generated the certificate authority and certificates, and you have saved them in the /etc/sssd/pki
directory.
If you want to share the Certificate Authority certificates with another application, you can change the location in sssd.conf:
-
SSSD PAM responder:
pam_cert_db_path
in the[pam]
section -
SSSD ssh responder:
ca_db
in the[ssh]
section
For details, see man page for sssd.conf
.
Red Hat recommends keeping the default path and using a dedicated Certificate Authority certificate file for SSSD to make sure that only Certificate Authorities trusted for authentication are listed here.
6.3. Installing tools for managing and using smart cards
Prerequisites
-
The
gnutls-utils
package is installed. -
The
opensc
package is installed. -
The
pcscd
service is running.
Before you can configure your smart card, you must install the corresponding tools, which can generate certificates and start the pscd
service.
Procedure
Install the
opensc
andgnutls-utils
packages:# yum -y install opensc gnutls-utils
Start the
pcscd
service.# systemctl start pcscd
Verification
Verify that the
pcscd
service is up and running# systemctl status pcscd
6.4. Preparing your smart card and uploading your certificates and keys to your smart card
Follow this procedure to configure your smart card with the pkcs15-init
tool, which helps you to configure:
- Erasing your smart card
- Setting new PINs and optional PIN Unblocking Keys (PUKs)
- Creating a new slot on the smart card
- Storing the certificate, private key, and public key in the slot
- If required, locking the smart card settings as certain smart cards require this type of finalization
The pkcs15-init
tool may not work with all smart cards. You must use the tools that work with the smart card you are using.
Prerequisites
The
opensc
package, which includes thepkcs15-init
tool, is installed.For more details, see Installing tools for managing and using smart cards.
- The card is inserted in the reader and connected to the computer.
-
You have a private key, a public key, and a certificate to store on the smart card. In this procedure,
testuser.key
,testuserpublic.key
, andtestuser.crt
are the names used for the private key, public key, and the certificate. - You have your current smart card user PIN and Security Officer PIN (SO-PIN).
Procedure
Erase your smart card and authenticate yourself with your PIN:
$ pkcs15-init --erase-card --use-default-transport-keys Using reader with a card: Reader name PIN [Security Officer PIN] required. Please enter PIN [Security Officer PIN]:
The card has been erased.
Initialize your smart card, set your user PIN and PUK, and your Security Officer PIN and PUK:
$ pkcs15-init --create-pkcs15 --use-default-transport-keys \ --pin 963214 --puk 321478 --so-pin 65498714 --so-puk 784123 Using reader with a card: Reader name
The
pcks15-init
tool creates a new slot on the smart card.Set a label and the authentication ID for the slot:
$ pkcs15-init --store-pin --label testuser \ --auth-id 01 --so-pin 65498714 --pin 963214 --puk 321478 Using reader with a card: Reader name
The label is set to a human-readable value, in this case,
testuser
. Theauth-id
must be two hexadecimal values, in this case it is set to01
.Store and label the private key in the new slot on the smart card:
$ pkcs15-init --store-private-key testuser.key --label testuser_key \ --auth-id 01 --id 01 --pin 963214 Using reader with a card: Reader name
NoteThe value you specify for
--id
must be the same when storing your private key and storing your certificate in the next step. Specifying your own value for--id
is recommended as otherwise a more complicated value is calculated by the tool.Store and label the certificate in the new slot on the smart card:
$ pkcs15-init --store-certificate testuser.crt --label testuser_crt \ --auth-id 01 --id 01 --format pem --pin 963214 Using reader with a card: Reader name
Optional: Store and label the public key in the new slot on the smart card:
$ pkcs15-init --store-public-key testuserpublic.key --label testuserpublic_key --auth-id 01 --id 01 --pin 963214 Using reader with a card: Reader name
NoteIf the public key corresponds to a private key or certificate, specify the same ID as the ID of the private key or certificate.
Optional: Certain smart cards require you to finalize the card by locking the settings:
$ pkcs15-init -F
At this stage, your smart card includes the certificate, private key, and public key in the newly created slot. You have also created your user PIN and PUK and the Security Officer PIN and PUK.
6.5. Configuring SSH access using smart card authentication
SSH connections require authentication. You can use a password or a certificate. Follow this procedure to enable authentication using a certificate stored on a smart card.
For details about configuring smart cards with authselect
, see Configuring smart cards using authselect.
Prerequisites
- The smart card contains your certificate and private key.
- The card is inserted in the reader and connected to the computer.
- Your username matches the Common Name (CN) or User ID (UID) in the certificate’s SUBJECT.
The
pcscd
service is running on your local machine.For details, see Installing tools for managing and using smart cards.
Procedure
Create a new directory for SSH keys in the home directory of the user who uses smart card authentication:
# mkdir /home/example.user/.ssh
Run the
ssh-keygen -D
command with theopensc
library to retrieve the existing public key paired with the private key on the smart card, and add it to theauthorized_keys
list of the user’s SSH keys directory to enable SSH access with smart card authentication.# ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so >> ~example.user/.ssh/authorized_keys
SSH requires access right configuration for the
/.ssh
directory and theauthorized_keys
file. To set or change the access rights, enter:# chown -R example.user:example.user ~example.user/.ssh/ # chmod 700 ~example.user/.ssh/ # chmod 600 ~example.user/.ssh/authorized_keys
Verification
Display the keys:
# cat ~example.user/.ssh/authorized_keys
The terminal displays the keys.
You can verify the SSH access with the following command:
# ssh -I /usr/lib64/opensc-pkcs11.so -l example.user localhost hostname
If the configuration is successful, you are prompted to enter the smart card PIN.
The configuration works now locally. Now you can copy the public key and distribute it to authorized_keys
files located on all servers on which you want to use SSH.