지금 지원 담당자와 채팅
지원 담당자와 채팅

Safeguard Authentication Services 5.1 - Authentication Services for Smart Cards Administration Guide

Privileged Access Suite for Unix Introducing Safeguard Authentication Services for Smart Cards Installing Safeguard Authentication Services for Smart Cards Configuring Safeguard Authentication Services for Smart Cards
Configuring the vendor’s PKCS#11 library Configuring the card slot for your PKCS#11 library Configuring PAM applications for smart card login Configuring certificates and CRLs Locking the screen saver upon card removal (macOS)
Testing Safeguard Authentication Services for Smart Cards Troubleshooting

Configure Gnome Display Manager (GDM)

The Gnome Display Manager (GDM) is a PAM application providing graphical login. The following sections document how to configure and use GDM with smart card authentication.

Configuring GDM for smart card

To configure PAM

  1. Run the following command:
    vastool smartcard configure pam gdm

Typically, GDM initially displays an Insert card: prompt if you have specified the smart card-only option; otherwise it displays a Insert card or enter username: prompt. Once you have entered the username, it displays a PIN: prompt.

Note that you can select themes for GDM. The theme that you select may not display prompts or additional information from the pam_vas_smartcard module, or it may display both prompts and additional information.

You can modify how the prompts display in one of these ways:

  • Specify new prompts using the prompt-vassc-user and prompt-vassc-pin options in the [pam_vas] section of vas.conf;
  • Specify the prompt-style=text option of the pam_vas_smartcard module.

    This displays the prompts in that section of the GDM theme that display PAM messages, while not displaying anything in that section of the theme that display PAM prompts;

  • Specify the prompt-style=both option of the pam_vas_smartcard module.

    This displays the prompts in that section of the GDM theme that display PAM messages, while displaying Username: and PIN: in that section of the theme that display PAM prompts.

Only choose the prompt-style and show-token-status options if the theme supports the display of PAM messages. It may be necessary to choose the prompt-style=text or prompt-style=both options if the theme does not support the display of PAM prompts, or if the prompts appear to be truncated.

If the theme displays PAM messages and you want token status messages to display, specify the show-token-status=clear option.

Note that some themes or versions of GDM may not display PAM messages correctly, or may fail to erase previous PAM messages. You must carefully consider the use of the prompt-style and show-token-status=clear options and only choose them if the overall display is suitable. One Identity recommends that you use a simple theme that displays PAM prompts without truncation.

Register PKCS#11 Module in NSSDB

For many readers and cards, the default PKCS#11 library contains the ciphers and mechanisms needed to work with those cards. However, in the case that the default library does not work with the readers or cards, the NSSDB needs to be updated so the GDM greeter can recognize when a card is inserted. For example, to remove CoolKey and insert OpenSC into NSSDB, one could run the following commands:

  • /bin/modutil -delete "CoolKey PKCS #11 Module" -dbdir sql:/etc/pki/nssdb/
  • /bin/modutil -dbdir sql:/etc/pki/nssdb -add "OpenSC PKCS#11 Library" -libfile /usr/lib64/opensc-pkcs11.so

For more information on how to use modutil, see man modutil or visit https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_modutil.

Disable remote login

One Identity recommends that you disable remote login for GDM by disabling the X display manager control protocol (XDMCP). XDMCP is disabled by default; however, you can manually disable XDMCP.

Editing the GDM configuration file manually

To edit the GDM Configuration file manually

  1. Open the GDM configuration file.

    This file is typically located at /etc/X11/gdm/gdm.conf, however "local" settings may take precedence. You can find the local settings in /etc/X11/gdm/factory-gdm.conf file.

  2. Look for the [XDMCP] section and verify that the Enable property is either not present, commented out, or is set to false, as follows:
    [XDMCP]
    Enable=false.

    Note: Whether modifying the GDM configuration manually or by using the graphical user interface, you must restart GDM.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택