One Identity recommends that you disable remote login for XDM by disabling the X Display Manager Control Protocol (XDMCP), the UDP service (port 177) through which remote X displays request a login session from the display manager.
Note: XDMCP is disabled by default.
To manually disable XDMCP
- Open the XDM configuration file for editing.
This file is typically located at /etc/X11/xdm/xdm-config.
- Verify that the DisplayManager.requestPort property is set to 0, like this:
DisplayManager.requestPort: 0
A value of 0 stops xdm from listening for XDMCP requests at all; any other value is the UDP port it listens on. Restart xdm for a change to take effect.
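The following audit helper is an added example, not One Identity tooling, for checking the setting above on many hosts. It reads an xdm-config file, ignores X resource comments (lines starting with "!"), takes the last active DisplayManager.requestPort line as the effective value, and treats a missing line as not disabled, because xdm then falls back to its compiled-in default port rather than to 0. The function names and the sample file contents are assumptions for illustration.

```sh
#!/bin/sh
# Added audit helper (not One Identity's code): report whether XDMCP is
# disabled in an xdm-config resource file. Comments start with "!".
# Usage: xdmcp_disabled /etc/X11/xdm/xdm-config && echo "XDMCP disabled"

# Print the effective requestPort value: the last non-comment line that
# sets DisplayManager.requestPort (or DisplayManager*requestPort).
# Prints nothing when the property is not set.
xdmcp_request_port() {
    grep -v '^[[:space:]]*!' "$1" \
      | grep -E '^[[:space:]]*DisplayManager[.*]requestPort[[:space:]]*:' \
      | tail -n 1 \
      | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# Exit 0 only when requestPort is explicitly 0. A missing or commented-out
# line counts as NOT disabled: xdm then uses its built-in default port.
xdmcp_disabled() {
    port=$(xdmcp_request_port "$1")
    [ "$port" = "0" ]
}
```

On a running host, also confirm that nothing is actually bound to the XDMCP port, for example with `ss -lun | grep ':177 '`; an empty result together with a zero exit from xdmcp_disabled is what you want.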
The /usr/bin/login program is a PAM application that performs login to the system. Typically /usr/bin/login is called by the getty program for login on the console. The following sections document how to configure and use console login with smart card authentication.
To configure console login for smart card
- Run the following command:
vastool smartcard configure pam login
Note: The login program always displays a login: prompt, which you cannot modify. Similarly, the getty program always displays a login: prompt and passes the value it receives to the login program. Thus, the prompt-vassc-user option in the [pam_vas] section of vas.conf has no effect for the login program. The PIN: prompt, however, can be changed by specifying a value for the prompt-vassc-pin option in the [pam_vas] section of vas.conf.
A typical smart card-enabled console login looks similar to the following:
penguin.vintela.com login: matlock
PIN: ********
The login program can also display additional information on standard output. Specify the prompt-style option of the pam_vas_smartcard module to enable this additional prompting. Because the login: prompt is fixed, the extra text appears only around the PIN prompt, as in the following example:
penguin.vintela.com login: matlock
Enter PIN for matlock@vintela.com
PIN: ********
Note that you can also specify the show-token-status option of the pam_vas_smartcard module if you want status information. For example:
penguin.vintela.com login: matlock
Inspecting smart card …
PIN: ********
Authenticating …
Some remote login programs (such as ftp or telnet) also use the login program, and with it the same smart card PAM stack. For this reason One Identity recommends that you disable remote login services if you have smart card login enabled for the console. Consult the administrator's guide for your operating system for details on disabling ftp or telnet.
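The following post-configuration check is an added example, not vastool output or One Identity code. It covers the two things this section asks you to verify after running vastool: that the login PAM service actually loads pam_vas_smartcard on an active line, and that no ftp (TCP 21) or telnet (TCP 23) listener is still up to route remote sessions through that same stack. The function names, the exact PAM file layout and the sample listener lines are assumptions for illustration; the listener check parses ss or netstat style output so it runs the same on any Linux or UNIX host.

```sh
#!/bin/sh
# Added audit helper (not One Identity's code). Live usage:
#   pam_uses_smartcard /etc/pam.d/login && echo "smart card in login stack"
#   ss -Hltn | cleartext_login_listeners      # prints ftp/telnet listeners

# Exit 0 if the given PAM service file loads pam_vas_smartcard on a line
# that is not commented out (first non-blank character is not '#').
pam_uses_smartcard() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_vas_smartcard' "$1"
}

# Read listener lines on stdin (ss -ltn or netstat -ltn style) and print
# those whose local address ends in :21 or :23, for any address family:
# matches "0.0.0.0:23", "[::]:23", ":::21", "*:21"; does not match 2323 or 121.
cleartext_login_listeners() {
    grep -E '(^|[[:space:]])[^[:space:]]*:(21|23)([[:space:]]|$)'
}
```

A non-empty result from cleartext_login_listeners means a remote service would still hand sessions to /usr/bin/login; disable the service (inetd, xinetd or its systemd socket, depending on the platform) and rerun the check.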