Chapter 7. Configuring smart card authentication using authselect
Configure smart card authentication by using the authselect tool to increase workstation security and simplify the user login process. This utility manages system-wide authentication profiles, allowing options ranging from hybrid password access to strict card-only enforcement and automated screen locking.
You can configure your smart card to achieve one of the following goals:
- Enable both password and smart card authentication
- Disable password and enable smart card authentication
- Enable lock on removal
Prerequisites
- The authselect tool is installed on your system. The authselect tool configures user authentication on Linux hosts and you can use it to configure smart card authentication parameters. For details about authselect, see Configuring user authentication using authselect.
- Smart card or USB devices supported by RHEL 8. For details, see Smart Card support in RHEL 8.
7.1. Certificates eligible for smart cards
Before you can configure a smart card with authselect, you must import a certificate into your card. You can use the following tools to generate the certificate:
- Active Directory (AD)
- Identity Management (IdM). For details about how to create IdM certificates, see Requesting a new user certificate and exporting it to the client.
- Red Hat Certificate System (RHCS). For details, see Managing Smart Cards with the Enterprise Security Client.
- Third-party Certification Authority (CA)
- Local Certification Authority. You can use a certificate generated by the Local Certification Authority if the user is not part of a domain or for testing purposes. For details about how to create and import local certificates into a smart card, see Configuring and importing local certificates to a smart card.
7.2. Configuring smart card authentication with authselect
Configure smart card authentication on your system using the authselect tool. You can enable hybrid password and smart card access to provide a backup login method, enforce strict card-only authentication, or configure automatic screen locking when the card is removed.
The authselect command includes the following options for smart card configuration:
- with-smartcard — enables smart card authentication in addition to password authentication
- with-smartcard-required — enables smart card authentication and disables password authentication
- with-smartcard-lock-on-removal — enforces automatic screen lock when the smart card is removed
Prerequisites
- The smart card contains your certificate and private key.
- The card is inserted into the reader and connected to the computer.
- The authselect tool is installed on your system.
Procedure
1. Choose one of the following configuration options based on your security requirements to enable smart card authentication:
   - Enable both smart card and password authentication:
     # authselect select sssd with-smartcard --force
     This configuration permits users to authenticate using either a smart card or a password, which ensures access continuity if the smart card is unavailable.
   - Enforce smart card authentication only:
     # authselect select sssd with-smartcard with-smartcard-required --force
     Important: After running this command, users can no longer authenticate using their passwords. Ensure smart card authentication is functional before you apply this change, or the users might be locked out of their systems.
   - Enforce smart card authentication with automatic lock on removal:
     # authselect select sssd with-smartcard with-smartcard-required with-smartcard-lock-on-removal --force
     This configuration links the active session to the physical presence of the smart card. Removal of the token triggers an immediate screen lock that requires card re-insertion for access.
2. Configure SSSD to enable smart card authentication by adding the following line to the [pam] section:
   [pam]
   pam_cert_auth = True
3. Restart the SSSD service to apply the changes:
   # systemctl restart sssd
   Note: Enabling pam_cert_auth = True involves accessing and reading from the smart card, which might take multiple seconds.
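The procedure above, carried out and verified from a script. This is an added example, not Red Hat's or authselect's own code. It assumes the standard SSSD configuration file path /etc/sssd/sssd.conf (not named on this page) and the `Profile ID:` / `Enabled features:` layout of `authselect current` output, which is an assumption to confirm on a real host. The `ensure_pam_cert_auth` helper edits the [pam] section line by line so comments and other sections survive and a second run changes nothing; `effective_policy` turns the enabled features into the three facts an administrator wants to confirm before locking passwords out. The sample configuration and sample command output in the test are constructed.

```python
"""Apply and verify the authselect smart card configuration (added example)."""
import re
import subprocess
from typing import Dict, List, Optional

SSSD_CONF = "/etc/sssd/sssd.conf"  # standard SSSD path; not named on the page

# Feature sets for the three goals of the procedure.
MODES: Dict[str, List[str]] = {
    "hybrid": ["with-smartcard"],
    "card-only": ["with-smartcard", "with-smartcard-required"],
    "card-only-lock": ["with-smartcard", "with-smartcard-required",
                       "with-smartcard-lock-on-removal"],
}


def authselect_command(mode: str) -> List[str]:
    """Return the argv for `authselect select sssd <features> --force`."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}; choose one of {sorted(MODES)}")
    return ["authselect", "select", "sssd", *MODES[mode], "--force"]


def ensure_pam_cert_auth(conf_text: str) -> str:
    """Return sssd.conf text with `pam_cert_auth = True` set in [pam].

    Idempotent: an existing key is normalised to True, a [pam] section without
    the key gets it appended, and a missing [pam] section is created at the end.
    """
    out: List[str] = []
    section: Optional[str] = None
    done = False
    for line in conf_text.splitlines():
        header = re.match(r"^\s*\[(.+?)\]\s*$", line)
        if header:
            # Leaving [pam] without having seen the key: add it before next header.
            if section == "pam" and not done:
                out.append("pam_cert_auth = True")
                done = True
            section = header.group(1).strip()
            out.append(line)
            continue
        if section == "pam" and re.match(r"^\s*pam_cert_auth\s*=", line):
            out.append("pam_cert_auth = True")  # replaces e.g. "= False"
            done = True
            continue
        out.append(line)
    if not done:
        if section != "pam":
            if out and out[-1].strip():
                out.append("")
            out.append("[pam]")
        out.append("pam_cert_auth = True")
    return "\n".join(out) + "\n"


def parse_authselect_current(output: str) -> Dict[str, object]:
    """Parse `authselect current` output (assumed layout) into profile + features."""
    profile = None
    features: List[str] = []
    for line in output.splitlines():
        if line.startswith("Profile ID:"):
            profile = line.split(":", 1)[1].strip()
        elif line.strip().startswith("- "):
            features.append(line.strip()[2:].strip())
    return {"profile": profile, "features": features}


def effective_policy(output: str) -> Dict[str, bool]:
    """Summarise what the enabled features mean for the login path."""
    feats = set(parse_authselect_current(output)["features"])
    return {
        "smartcard_login": "with-smartcard" in feats,
        # Password login is disabled for login services only; su/sudo still
        # fall back to a password when no card is inserted.
        "password_login_disabled": "with-smartcard-required" in feats,
        # Lock on removal only takes effect in a GNOME session.
        "lock_on_removal": "with-smartcard-lock-on-removal" in feats,
    }


if __name__ == "__main__":
    # Live use on a RHEL host (root required): card-only mode, then verify.
    subprocess.run(authselect_command("card-only"), check=True)
    with open(SSSD_CONF) as fh:
        updated = ensure_pam_cert_auth(fh.read())
    with open(SSSD_CONF, "w") as fh:
        fh.write(updated)
    subprocess.run(["systemctl", "restart", "sssd"], check=True)
    current = subprocess.run(["authselect", "current"], capture_output=True,
                             text=True, check=True).stdout
    print(effective_policy(current))
```

Run `effective_policy` before choosing `card-only`: if `smartcard_login` is already True and a test login with the card succeeds, the lock-out warning in the procedure is addressed; if not, stay in `hybrid` mode until it is.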
7.3. Smart card authentication options in RHEL
The authselect command configures system-wide authentication behaviors. You can enforce exclusive smart card usage, enable hybrid password options, or trigger automatic session locking upon card removal to meet specific security policies.
You can configure how you want smart card authentication to work in a particular Identity Management (IdM) client by using the authselect enable-feature <smartcard_option> command. The following smart card options are available:
- with-smartcard: Users can authenticate with the user name and password or with their smart card.
- with-smartcard-required: Users can authenticate with their smart cards, and password authentication is disabled. You cannot access the system without your smart card. Once you have authenticated with your smart card, you can stay logged in even if your smart card is removed from its reader.
  Note: The with-smartcard-required option only enforces exclusive smart card authentication for login services, such as login, gdm, xdm, xscreensaver, and gnome-screensaver. For other services, such as su or sudo for switching users, smart card authentication is not enforced and if your smart card is not inserted, you are prompted for a password.
- with-smartcard-lock-on-removal: Users can authenticate with their smart card. However, if you remove your smart card from its reader, you are automatically locked out of the system. You cannot use password authentication.
  Note: The with-smartcard-lock-on-removal option only works on systems with the GNOME desktop environment. If you are using a system that is tty or console based and you remove your smart card from its reader, you are not automatically locked out of the system.
For more information, see Configuring smart cards using authselect.