53.4. Configuring a web console to allow a user authenticated with a smart card to run sudo without being asked to authenticate again

Procedure

1. Create a list of the target hosts that can be accessed by the delegation rule:

   1. Create a service delegation target:

      $ ipa servicedelegationtarget-add cockpit-target

   2. Add the target host to the delegation target:

      $ ipa servicedelegationtarget-add-member cockpit-target \
        --principals=host/myhost.idm.example.com@IDM.EXAMPLE.COM

2. Allow cockpit sessions to access the target host list by creating a service delegation rule and adding the HTTP service Kerberos principal to it:

   1. Create a service delegation rule:

      $ ipa servicedelegationrule-add cockpit-delegation

   2. Add the web console service to the delegation rule:

      $ ipa servicedelegationrule-add-member cockpit-delegation \
        --principals=HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM

   3. Add the delegation target to the delegation rule:

      $ ipa servicedelegationrule-add-target cockpit-delegation \
        --servicedelegationtargets=cockpit-target

3. Enable pam_sss_gss, the PAM module for authenticating users over the Generic Security Service Application Program Interface (GSSAPI) in cooperation with the System Security Services Daemon (SSSD):

   1. Open the /etc/sssd/sssd.conf file for editing.

   2. Specify that pam_sss_gss can provide authentication for the sudo and sudo -i commands in IdM your domain:

      [domain/idm.example.com]
      pam_gssapi_services = sudo, sudo-i

   3. Save and exit the file.
   4. Open the /etc/pam.d/sudo file for editing.

   5. Insert the following line to the top of the #%PAM-1.0 list to allow, but not require, GSSAPI authentication for sudo commands:

      auth sufficient pam_sss_gss.so

   6. Save and exit the file.

4. Restart the SSSD service so that the above changes take effect immediately:

   $ systemctl restart sssd