3.5. Setting up a Kerberos Client for Smart Cards

Smart cards can be used with Kerberos, but it requires additional configuration to recognize the X.509 (SSL) user certificates on the smart cards:

Install the required PKI/OpenSSL package, along with the other client packages:

yum install krb5-pkinit-openssl
yum install krb5-workstation krb5-libs krb5-auth-dialog

[root@server ~]# yum install krb5-pkinit-openssl
[root@server ~]# yum install krb5-workstation krb5-libs krb5-auth-dialog

Copy to Clipboard

Toggle word wrap

Edit the /etc/krb5.conf configuration file to add a parameter for the public key infrastructure (PKI) to the [realms] section of the configuration. The pkinit_anchors parameter sets the location of the CA certificate bundle file.

[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com.:88
    admin_server = kdc.example.com
    default_domain = example.com
    ...
    pkinit_anchors = FILE:/usr/local/example.com.crt
 }

[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com.:88
    admin_server = kdc.example.com
    default_domain = example.com
    ...
    pkinit_anchors = FILE:/usr/local/example.com.crt
 }

Copy to Clipboard

Toggle word wrap

Add the PKI module information to the PAM configuration for both smart card authentication (/etc/pam.d/smartcard-auth) and system authentication (/etc/pam.d/system-auth). The line to be added to both files is as follows:

auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/pkcs11/libcoolkeypk11.so

auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/pkcs11/libcoolkeypk11.so

Copy to Clipboard

Toggle word wrap

返回顶部

此内容没有您所选择的语言版本。

3.5. Setting up a Kerberos Client for Smart Cards

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links