Safeguard Authentication Services 5.1.1 - Authentication Services for Smart Cards Administration Guide

Disabling smart card login

To disable smart card login

  1. Log in and open a root shell.
  2. Run the command:

    vastool smartcard unconfigure pam <service>

    where <service> is the name of the service (such as gdm or kdm) for which you want to disable smart card login.

Configuring applications for smart card and password login

When you install Safeguard Authentication Services, most applications are configured to allow login to Active Directory with a password, or to a local user account.

To enable users to also log in with a smart card for a given service

  1. Log in and open a root shell.
  2. Run the command:

    vastool smartcard configure pam <service>

    where <service> is the name of the service to enable for smart card login.

This configures either the /etc/pam.conf file or /etc/pam.d/<service> file depending on your operating system and existing PAM configuration.

Example: Application configured for Redhat Enterprise Linux 5.0 login

After running the vastool smartcard configure pam gdm command, the GDM PAM configuration on a Red Hat Enterprise Linux 4.0 system looks like this:

/etc/pam.d/gdm
#%PAM-1.0
auth required pam_env.so
auth [ignore=ignore success=done default=die] pam_vas_smartcard.so create_homedir
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account [ignore=ignore success=done default=die] pam_vas_smartcard.so
account required pam_stack.so service=system-auth
password [ignore=ignore success=done default=die] pam_vas_smartcard.so
password required pam_stack.so service=system-auth
session required pam_vas_smartcard.so create_homedir
session required pam_stack.so service=system-auth
session optional pam_console.so

Note that when you joined the domain, the join configured the pam_stack.so module for Safeguard Authentication Services password login. You can see that configuration in the /etc/pam.d/system-auth file:

/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth [ignore=ignore success=done default=die] pam_vas3.so create_homedir
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account [ignore=ignore success=done default=die] pam_vas3.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password [ignore=ignore success=done default=die] pam_vas3.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required pam_vas3.so create_homedir
session required /lib/security/$ISA/pam_unix.so

Configuring applications for smart card login

To configure an application to only allow smart card login you must first disable password-based login for that application. There are two ways to do this. You can either remove the pam_vas3-specific entries from the PAM configuration file or you can run the vastool unconfigure pam command.

The vastool unconfigure pam command disables Safeguard Authentication Services password login for all applications because it removes all existing Safeguard Authentication Services password (pam_vas3) and Safeguard Authentication Services for Smart Cards (pam_vas_smartcard) PAM modules from the configuration.

After you run the vastool unconfigure pam command, you can selectively enable Safeguard Authentication Services password login for a service by running the vastool configure pam <service> command, as follows:

vastool smartcard configure pam gdm
vastool smartcard configure pam kde
vastool smartcard configure pam xdm
vastool smartcard configure pam login
vastool smartcard configure pam dtlogin

and so on for each login service.

Notes:

This still allows login with a local user account. To disable login as a local user account, you must manually remove the pam_unix module.

You can enable the smartcard-only option for the pam_vas_smartcard module to display an error message if a Safeguard Authentication Services user attempts to log in without a card present. See Customizing PAM login prompts in the pam_vas_smartcard man page for more information.
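The control field [ignore=ignore success=done default=die] on the pam_vas_smartcard line is what lets smart card and password login coexist in the gdm example above, and what the smart-card-only edits in this section change. The following Python is an added example, not One Identity's code: it models the Linux-PAM control-flag semantics over the page's gdm auth lines (with the system-auth lines that pam_stack.so pulls in folded inline, which is an approximation) and plays through four login scenarios; module return codes are supplied by hand.

```python
# Added example (not One Identity's code): a toy model of Linux-PAM control-flag
# semantics over the page's gdm auth stack; module return codes are supplied by hand.
import re
KEYWORDS = {  # classic keywords as bracketed actions, per pam.conf(5)
    "required": {"success": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
}
LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_auth_stack(text):
    """[(control_dict, module)] for the 'auth' lines of a pam.d-style file."""
    stack = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        ctl, path = m.groups()
        control = (dict(w.split("=") for w in ctl.strip("[]").split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        stack.append((control, path.rsplit("/", 1)[-1]))
    return stack

def run_auth(text, results):
    """Walk the auth stack; results maps module -> its PAM return code."""
    status = None  # None, "success" or "fail"; the first failure sticks
    for control, module in parse_auth_stack(text):
        # pam_deny always fails; a module not listed in results is assumed to succeed
        ret = results.get(module, "auth_err" if module == "pam_deny.so" else "success")
        action = control.get(ret, control["default"])
        if action in ("ok", "done") and status != "fail":
            status = "success" if ret == "success" else "fail"
            if action == "done":
                return status  # stop here: later modules never run
        elif action == "bad":
            status = "fail"
        elif action == "die":
            return "fail"  # record failure and stop immediately
    return status or "fail"

# Constructed input: the page's gdm auth lines with system-auth folded inline (pam_nologin omitted).
STACK = """auth required pam_env.so
auth [ignore=ignore success=done default=die] pam_vas_smartcard.so create_homedir
auth [ignore=ignore success=done default=die] pam_vas3.so create_homedir
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so"""
# Smart-card-only variant: pam_vas3 and pam_unix lines removed, as the text describes.
SC_ONLY = "\n".join(l for l in STACK.splitlines() if "pam_unix" not in l and "pam_vas3" not in l)

def scenarios():
    no_card = {"pam_vas_smartcard.so": "ignore", "pam_vas3.so": "ignore"}
    return {"valid card": run_auth(STACK, {"pam_vas_smartcard.so": "success"}),
            "wrong PIN": run_auth(STACK, {"pam_vas_smartcard.so": "auth_err"}),
            "no card, local password": run_auth(STACK, no_card),
            "no card, smart-card-only": run_auth(SC_ONLY, no_card)}
```

With the original stack a missing card falls through to pam_unix, so a local password still logs in; once pam_vas3 and pam_unix are gone only pam_deny remains and the same user is refused.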

pam_vas_smartcard options

The pam_vas_smartcard module provides a number of options for configuring the behavior of Safeguard Authentication Services for Smart Cards. Many of these options also apply to the normal pam_vas3 module. See the pam_vas_smartcard man page for more information about the available pam_vas_smartcard options.

Table 2: Smart Card-specific pam_vas_smartcard options

  Option               Function
  show-token-status    Display verbose information about smart card status when logging in.
  smartcard-only       Enforce smart card logins for Safeguard Authentication Services users. This displays an error if a Safeguard Authentication Services user attempts to log in without a card inserted.
  ignore-non-vas-user  Do not display an error message if a card is inserted that does not have a Unix-enabled user.
  pin-required         Always prompt for a PIN. Without this option, the module first queries the PKCS#11 driver to determine whether a PIN is required.
  prompt-style         Display prompt information in a manner that may be more suitable for a graphical PAM application.

Note that the prompt-style and show-token-status options are intended to modify the appearance of information presented by the PAM application, and may not display correctly with all PAM applications. One Identity recommends that you experiment with the prompt-style and show-token-status options to determine if these options are useful for a particular PAM application.
