To disable smart card Login
-
Log in and open a root shell.
-
Run the following command:
vastool smartcard unconfigure pam <service>
where <service> is the name of the service (such as, gdm or kdm) for which you want to enable smart card login.
When you install Safeguard Authentication Services, most applications are configured to allow login to Active Directory with a password, or to a local user account.
To enable users to also log in with a smart card for a given service
-
Log in and open a root shell.
-
Run the following command:
vastool smartcard configure pam <service>
where <service> is the name of the service to enable for smart card login.
This configures either the /etc/pam.conf file or /etc/pam.d/<service> file depending on your operating system and existing PAM configuration.
Example: Application configured for Redhat Enterprise Linux 5.0 login
After running the vastool smartcard configure pam gdm command, the GDM pam configuration on a Redhat Enterprise Linux 4.0 looks like this:
/etc/pam.d/gdm
#%PAM-1.0
auth required pam_env.so
auth [ignore=ignore success=done default=die] pam_vas_smartcard.so
create_homedir
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account [ignore=ignore success=done default=die] pam_vas_smartcard.so
account required pam_stack.so service=system-auth
password [ignore=ignore success=done default=die] pam_vas_smartcard.so
password required pam_stack.so service=system-auth
session required pam_vas_smartcard.so create_homedir
session required pam_stack.so service=system-auth
session optional pam_console.so
NOTE: When you join the domain, it configures the pam_stack.so module for Safeguard Authentication Services password login. You can see the configuration in the /etc/pam.d/system-auth file:
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth [ignore=ignore success=done default=die] pam_vas3.so create_homedir
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account [ignore=ignore success=done default=die] pam_vas3.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password [ignore=ignore success=done default=die] pam_vas3.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required pam_vas3.so create_homedir
session required /lib/security/$ISA/pam_unix.so
To configure an application to only allow smart card login you must first disable password-based login for that application. There are two ways to do this. You can either remove the pam_vas3-specific entries from the PAM configuration file or you can run the vastool unconfigure pam command.
The vastool unconfigure pam command disables Safeguard Authentication Services password login for all applications because it removes all existing Safeguard Authentication Services password (pam_vas3) and Safeguard Authentication Services for Smart Cards (pam_vas_smartcard) PAM modules from the configuration.
After you run the vastool unconfigure pam command, you can selectively enable Safeguard Authentication Services password login for a service by running the vastool configure pam <service> command, as follows:
vastool smartcard configure pam gdm
vastool smartcard configure pam kde
vastool smartcard configure pam xdm
vastool smartcard configure pam login
vastool smartcard configure pam dtlogin etc.
NOTE: This still allows you to log in as a local user account. To disable log in as a local user account, you must manually remove the pam_unix module.
You can enable the smartcard-only option for the pam_vas_smartcard module to display an error message if a Safeguard Authentication Services user attempts to log in without a card present. For more information, see Customizing PAM login prompts in the pam_vas_smartcard man page.
The pam_vas_smartcard module provides a number of options for configuring the behavior of the Safeguard Authentication Services for Smart Cards. You can also use many of these options in the normal pam_vas3 module, as well. For more information about the available pam_vas_smartcard options, see the pam_vas_smartcard man page .
Table 2: Smart Card-specific pam_vas_smartcard options
show-token-status |
Display verbose information about smart card status when logging in. |
smartcard-only |
Enforce smart card logins for Safeguard Authentication Services users. This displays an error if a Safeguard Authentication Services user attempts to log in without a card inserted. |
ignore-non-vas-user |
Do not display an error message if a card is inserted which does not have a Unix-enabled user. |
pin-required |
Always prompt for a PIN, otherwise query the PKCS#11 driver to determine whether one is required first. |
prompt-style |
Display prompt information in a manner that may be more suitable for graphical PAM application. |
NOTE: The prompt-style and show-token-status options are intended to modify the appearance of information presented by the PAM application, and may not display correctly with all PAM applications. One Identity recommends that you experiment with the prompt-style and show-token-status options to determine if these options are useful for a particular PAM application.