Chat now with support

Live-Hilfe anfordern
Registrierung abschließen

Anmelden

Preisinformationen anfragen

Vertrieb kontaktieren

Safeguard Authentication Services 5.1.1 - Authentication Services for Smart Cards Administration Guide

Inhaltsnavigation

Privileged Access Suite for Unix

About this guide

Introducing Safeguard Authentication Services for Smart Cards

Features and benefits

Strong two-factor authentication for Unix Smart Card login integrated with Active Directory Integration with existing Unix applications

Supported platforms Supported cards and readers Safeguard Authentication Services for Smart Cards components

Plugin PAM module The vastool smartcard command line utility Vendor PKCS#11 drivers

Installing Safeguard Authentication Services for Smart Cards

Installing vendor smart card drivers

Logging in to Active Directory with your card

Installing Safeguard Authentication Services for Smart Cards software

Configuring Safeguard Authentication Services for Smart Cards

Configuring the vendor’s PKCS#11 library

Testing the PKCS#11 library for Safeguard Authentication Services for Smart Cards compatibility (optional) Configuring the vendor's PKCS#11 library using VASTOOL Configuring the vendor's PKCS#11 library by editing the configuration file Configuring the PKCS#11 library for 32-bit and 64-bit versions

Configuring the card slot for your PKCS#11 library

Configuring the card slot using VASTOOL Configuring the vendor's PKCS#11 slot by editing the configuration file

Configuring PAM applications for smart card login

Security issues when configuring smart card login Usability issues with PAM applications Enabling smart card login for selected services

Enabling smart card login Disabling smart card login

Configuring applications for smart card and password login Configuring applications for smart card login pam_vas_smartcard options Configure Gnome Display Manager (GDM)

Configuring GDM for smart card Disable remote login

Editing the GDM configuration file manually Editing the GDM configuration file with the graphical application

Using GDM with a smart card

Configure K Display Manager (KDM)

Configuring KDM for smart card Disabling remote login Using KDM with a smart card

Configure X Display Manager (XDM)

Configure XDM for smart card Disabling remote login

Configure console login

Configuring console login for smart card Disabling remote login Using console login with a smart card

Configuring certificates and CRLs

Public Key Infrastructure Certificates and CRLs

How Safeguard Authentication Services for Smart Cards uses certificates and CRLs Map certificate to user (implicit and explicit) Bootstrapping trusted certificates Automatic CRL retrieval Options for controlling certificate and CRL processing Managing Certificates and CRLs

Update certificates manually Force an update of certificates Disable bootstrap and manage certificates and CRLs manually

Locking the screen saver upon card removal (macOS)

Testing Safeguard Authentication Services for Smart Cards

Testing general configuration and login using smart card Testing the configuration

Test the PKCS#11 library Test the smart card is initialized correctly Test the smart card user Test user log in

Troubleshooting

Steps to diagnose problems

Check the smart card reader Check the PKCS#11 library Check the card Check login Enable debugging for smart card login with PAM Enable debugging for the Safeguard Authentication Services daemon Enable debugging for the PKCS#11 library

Troubleshooting vastool errors

vastool ERROR: no PKCS#11 library specified in vas.conf vastool ERROR: Could not get symbol 'C_GetFunctionList' vastool ERROR: invalid ELF header vastool ERROR: cannot open shared object file vastool ERROR: smart card is not present in slot vastool WARNING: "Smart card user X is not unix enabled" issue

Troubleshooting PAM or "vastool smartcard test login" errors

Login fails when the network connectivity is down Login fails when the system's internal clock is not synchronized Login fails when the user account is disabled Login fails when the user's certificate is not authorized Troubleshooting "KDC has no support for padata type" issue Troubleshooting "Cannot contact any KDC for requested realm" issue

Troubleshooting log errors

Log shows "clock skew problems" Log shows "server policy does not allow them on" or "account is expired" Log shows "Failed authentication attempt: cannot verify certificate"

Troubleshooting "Client not trusted" issue Troubleshooting certificate lookups

Editing the GDM configuration file with the graphical application

Configuring Safeguard Authentication Services for Smart Cards > Configuring PAM applications for smart card login > Configure Gnome Display Manager (GDM) > Editing the GDM configuration file with the graphical application

GDM includes a graphical application that you can use to configure GDM. The following steps document how to disable remote login with this application:

To disable remote login

Run /usr/bin/gdmsetup.
Click the XDMCP tab.
Verify that the Enabled XDMCP is not selected.

Note: Whether modifying the GDM configuration manually or by using /usr/bin/gdmsetup, you must restart GDM.

Using GDM with a smart card

Configuring Safeguard Authentication Services for Smart Cards > Configuring PAM applications for smart card login > Configure Gnome Display Manager (GDM) > Using GDM with a smart card

To perform smart card login by means of Gnome Display Manager (GDM)

Insert your smart card.
Enter your username or UPN at the Username: prompt, if required.

Note: GDM permits a null entry. An unspecified username allows the pam_vas_smartcard module to obtain the username from the smart card itself.
Enter your PIN at the Password: prompt.
Click the Login button.

Configure K Display Manager (KDM)

Configuring Safeguard Authentication Services for Smart Cards > Configuring PAM applications for smart card login > Configure K Display Manager (KDM)

The K Display Manager (KDM) is a PAM application providing graphical login. The following sections document how to configure and use KDM with smart card authentication.

Configuring KDM for smart card

Disabling remote login

Using KDM with a smart card

Configuring KDM for smart card

Configuring Safeguard Authentication Services for Smart Cards > Configuring PAM applications for smart card login > Configure K Display Manager (KDM) > Configuring KDM for smart card

To configure KDM for smart card

Run the following command:
```
vastool smartcard configure pam kde
```

Unlike GDM, KDM presents both a Username: and a Password: prompt simultaneously to the user. You can not change these prompts. The prompt-vassc-user and prompt-vassc-pin options in the [pam_vas] section of vas.conf have no effect.

Note that KDM displays additional information from the Safeguard Authentication Services PAM module in a pop-up window, which only disappears when the user clicks OK. Thus, the prompt-style and show-token-status options are not recommended for KDM.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Nutzungsbedingungen Datenschutz Cookie Preference Center