To disable smart card Login
vastool smartcard unconfigure pam <service>
where <service> is the name of the service (such as, gdm or kdm) for which you want to enable smart card login.
When you install Safeguard Authentication Services, most applications are configured to allow login to Active Directory with a password, or to a local user account.
To enable users to also log in with a smart card for a given service
Run the command:
vastool smartcard configure pam <service>
where <service> is the name of the service to enable for smart card login.
This configures either the /etc/pam.conf file or /etc/pam.d/<service> file depending on your operating system and existing PAM configuration.
After running the vastool smartcard configure pam gdm command, the GDM pam configuration on a Redhat Enterprise Linux 4.0 looks like this:
/etc/pam.d/gdm #%PAM-1.0 auth required pam_env.so auth [ignore=ignore success=done default=die] pam_vas_smartcard.so create_homedir auth required pam_stack.so service=system-auth auth required pam_nologin.so account [ignore=ignore success=done default=die] pam_vas_smartcard.so account required pam_stack.so service=system-auth password [ignore=ignore success=done default=die] pam_vas_smartcard.so password required pam_stack.so service=system-auth session required pam_vas_smartcard.so create_homedir session required pam_stack.so service=system-auth session optional pam_console.so
Note that when you joined the domain, it configures the pam_stack.so module for Safeguard Authentication Services password login. You can see the configuration in the /etc/pam.d/system-auth file:
/etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required /lib/security/$ISA/pam_env.so auth [ignore=ignore success=done default=die] pam_vas3.so create_homedir auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth required /lib/security/$ISA/pam_deny.so account [ignore=ignore success=done default=die] pam_vas3.so account required /lib/security/$ISA/pam_unix.so account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account required /lib/security/$ISA/pam_permit.so password [ignore=ignore success=done default=die] pam_vas3.so password requisite /lib/security/$ISA/pam_cracklib.so retry=3 password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow password required /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_limits.so session required pam_vas3.so create_homedir session required /lib/security/$ISA/pam_unix.so
To configure an application to only allow smart card login you must first disable password-based login for that application. There are two ways to do this. You can either remove the pam_vas3-specific entries from the PAM configuration file or you can run the vastool unconfigure pam command.
The vastool unconfigure pam command disables Safeguard Authentication Services password login for all applications because it removes all existing Safeguard Authentication Services password (pam_vas3) and Safeguard Authentication Services for Smart Cards (pam_vas_smartcard) PAM modules from the configuration.
After you run the vastool unconfigure pam command, you can selectively enable Safeguard Authentication Services password login for a service by running the vastool configure pam <service> command, as follows:
vastool smartcard configure pam gdm vastool smartcard configure pam kde vastool smartcard configure pam xdm vastool smartcard configure pam login vastool smartcard configure pam dtlogin etc.
NoteS:
This still allows you to log in as a local user account. To disable log in as a local user account, you must manually remove the pam_unix module.
You can enable the smartcard-only option for the pam_vas_smartcard module to display an error message if a Safeguard Authentication Services user attempts to log in without a card present. See Customizing PAM login prompts in the pam_vas_smartcard man page for more information.
The pam_vas_smartcard module provides a number of options for configuring the behavior of the Safeguard Authentication Services for Smart Cards. You can also use many of these options in the normal pam_vas3 module, as well. See the pam_vas_smartcard man page for more information about the available pam_vas_smartcard options.
Option | Function |
---|---|
show-token-status | Display verbose information about smart card status when logging in. |
smartcard-only | Enforce smart card logins for Safeguard Authentication Services users. This displays an error if a Safeguard Authentication Services user attempts to log in without a card inserted. |
ignore-non-vas-user | Do not display an error message if a card is inserted which does not have a Unix-enabled user. |
pin-required | Always prompt for a PIN, otherwise query the PKCS#11 driver to determine whether one is required first. |
prompt-style | Display prompt information in a manner that may be more suitable for graphical PAM application. |
Note that the prompt-style and show-token-status options are intended to modify the appearance of information presented by the PAM application, and may not display correctly with all PAM applications. One Identity recommends that you experiment with the prompt-style and show-token-status options to determine if these options are useful for a particular PAM application.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Termini di utilizzo Privacy Cookie Preference Center