Safeguard Authentication Services 4.1.5 - Authentication Services for Smart Cards Administration Guide

Configuring applications for smart card login

To configure an application to allow only smart card login, you must first disable password-based login for that application. There are two ways to do this: either remove the pam_vas3-specific entries from the PAM configuration file, or run the vastool unconfigure pam command.

The vastool unconfigure pam command disables Authentication Services password login for all applications, because it removes all existing Authentication Services password (pam_vas3) and Authentication Services for Smart Cards (pam_vas_smartcard) PAM modules from the configuration.

After you run the vastool unconfigure pam command, you can selectively re-enable login for a service: vastool configure pam <service> restores Authentication Services password login, and vastool smartcard configure pam <service> enables smart card login for that service, as in the following examples:

    vastool smartcard configure pam gdm
    vastool smartcard configure pam kde
    vastool smartcard configure pam xdm
    vastool smartcard configure pam login
    vastool smartcard configure pam dtlogin

and so on for any other PAM service.

Notes:

This still allows you to log in with a local user account. To disable login with a local user account, you must manually remove the pam_unix module.

You can enable the smartcard-only option for the pam_vas_smartcard module to display an error message if an Authentication Services user attempts to log in without a card present. See the "Customizing PAM login prompts" section in the pam_vas_smartcard man page for more information.
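Verifying that a service really is in the smart-card-only state described above (pam_vas3 gone from the auth stack, pam_vas_smartcard present with smartcard-only, pam_unix reported if it is still there) is easy to script. The following POSIX shell script is added here as an example and is not One Identity's own code: it assumes the module file names pam_vas3.so, pam_vas_smartcard.so and pam_unix.so and a one-module-per-line PAM layout, and the two sample service files it audits are constructed, not what vastool actually writes.

```shell
#!/bin/sh
# Added example, not One Identity's code: audit a PAM service file for the
# smart-card-only state (pam_vas3 removed, pam_vas_smartcard + smartcard-only
# present). Module file names and the sample files below are assumptions.

# pam_module_state FILE MODULE -> prints "present" if MODULE.so appears on an
# active auth line of FILE, else "absent". Only the auth stack is inspected,
# because that is the stack that decides how a user authenticates.
pam_module_state() {
    if awk -v m="$2.so" '
            $1 == "auth" && index($0, m) > 0 { found = 1 }
            END { exit !found }' "$1"; then
        echo present
    else
        echo absent
    fi
}

# smartcard_only_enforced FILE -> exit 0 if some auth line loads
# pam_vas_smartcard.so and carries the smartcard-only option after it.
smartcard_only_enforced() {
    awk '
        $1 == "auth" {
            seen = 0
            for (i = 2; i <= NF; i++) {
                if (index($i, "pam_vas_smartcard.so") > 0) { seen = 1 }
                else if (seen && $i == "smartcard-only") { found = 1 }
            }
        }
        END { exit !found }' "$1"
}

# audit_pam_service FILE -> prints findings; exit 0 only when pam_vas3 is gone
# from the auth stack and smart card login is enforced.
audit_pam_service() {
    file=$1; rc=0
    if [ "$(pam_module_state "$file" pam_vas_smartcard)" = absent ]; then
        echo "FAIL $file: pam_vas_smartcard not in auth stack (run: vastool smartcard configure pam <service>)"
        rc=1
    fi
    if [ "$(pam_module_state "$file" pam_vas3)" = present ]; then
        echo "FAIL $file: pam_vas3 still in auth stack; password login remains possible"
        rc=1
    fi
    if ! smartcard_only_enforced "$file"; then
        echo "FAIL $file: smartcard-only not set; AS users can still log in without a card"
        rc=1
    fi
    # Keeping pam_unix is a policy choice (see the note above), so it is
    # reported but does not fail the audit.
    if [ "$(pam_module_state "$file" pam_unix)" = present ]; then
        echo "NOTE $file: pam_unix still in auth stack; local accounts can log in"
    fi
    [ "$rc" -eq 0 ] && echo "OK   $file: smart card login enforced"
    return "$rc"
}

# Constructed sample service files (not vastool output); the directory is
# left in place so the files can be inspected afterwards.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/gdm.password" <<'EOF'
# constructed sample: password login still enabled
auth    sufficient  pam_vas3.so
auth    required    pam_unix.so
EOF
cat > "$SAMPLES/gdm.smartcard" <<'EOF'
# constructed sample: intended smart-card-only state
auth    sufficient  pam_vas_smartcard.so smartcard-only show-token-status
auth    required    pam_unix.so
EOF

audit_pam_service "$SAMPLES/gdm.password" || :
audit_pam_service "$SAMPLES/gdm.smartcard" || :
```

Run it against each service file you reconfigured (for example the gdm, kde, xdm and login files) after vastool unconfigure pam and vastool smartcard configure pam <service>; a non-zero exit means password login is still reachable or smartcard-only is not enforced for that service.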

pam_vas_smartcard options

The pam_vas_smartcard module provides a number of options for configuring the behavior of Authentication Services for Smart Cards. Many of these options can also be used with the normal pam_vas3 module. (See the pam_vas_smartcard man page for more information about the available pam_vas_smartcard options.)

Table 2: Smart Card-specific pam_vas_smartcard options

    Option               Function
    show-token-status    Display verbose information about smart card status when logging in.
    smartcard-only       Enforce smart card logins for Authentication Services users. This displays an error if an Authentication Services user attempts to log in without a card inserted.
    ignore-non-vas-user  Do not display an error message if a card is inserted which does not have a Unix-enabled user.
    pin-required         Always prompt for a PIN. Without this option, the module first queries the PKCS#11 driver to determine whether a PIN is required.
    prompt-style         Displays prompt information in a manner that may be more suitable for graphical PAM applications.

Note that the prompt-style and show-token-status options are intended to modify the appearance of information presented by the PAM application, and may not display correctly with all PAM applications. One Identity recommends that you experiment with the prompt-style and show-token-status options to determine if these options are useful for a particular PAM application.

Configuring GDM

The Gnome Display Manager (GDM) is a PAM application providing graphical login. The following sections document how to configure and use GDM with smart card authentication.

Configure GDM for smart card

To configure GDM for smart card

  1. Run the following command:
    vastool smartcard configure pam gdm

Typically, GDM initially displays an Insert card: prompt if you have specified the smartcard-only option; otherwise it displays an Insert card or enter username: prompt. Once you have entered the username, it displays a PIN: prompt.

Note that you can select themes for GDM. The theme that you select may not display prompts or additional information from the pam_vas_smartcard module, or it may display both prompts and additional information.

You can modify how the prompts display in one of these ways:

  • Specify new prompts using the prompt-vassc-user and prompt-vassc-pin options in the [pam_vas] section of vas.conf.
  • Specify the prompt-style=text option of the pam_vas_smartcard module.

    This displays the prompts in the section of the GDM theme that displays PAM messages, while displaying nothing in the section of the theme that displays PAM prompts.

  • Specify the prompt-style=both option of the pam_vas_smartcard module.

    This displays the prompts in the section of the GDM theme that displays PAM messages, while displaying Username: and PIN: in the section of the theme that displays PAM prompts.

Only choose the prompt-style and show-token-status options if the theme supports the display of PAM messages. It may be necessary to choose the prompt-style=text or prompt-style=both options if the theme does not support the display of PAM prompts, or if the prompts appear to be truncated.

If the theme displays PAM messages and you want token status messages to display, specify the show-token-status=clear option.

Note that some themes or versions of GDM may not display PAM messages correctly, or may fail to erase previous PAM messages. You must carefully consider the use of the prompt-style and show-token-status=clear options and only choose them if the overall display is suitable. One Identity recommends that you use a simple theme that displays PAM prompts without truncation.
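The option names in Table 2 and the prompt-style=text, prompt-style=both and show-token-status=clear values used in this GDM section are easy to mistype in a PAM line, and a misspelled option silently changes what the login screen enforces. The following POSIX shell functions are added here as an example and are not part of One Identity's software: they check each option token after pam_vas_smartcard.so against the forms this guide documents. The pam_vas_smartcard.so file name is an assumption, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not One Identity's code: check the option tokens on a
# pam_vas_smartcard line against the forms this guide documents (Table 2 plus
# the prompt-style and show-token-status values from the GDM section). The
# pam_vas_smartcard.so file name is an assumption; sample lines are constructed.

# check_smartcard_option TOKEN
#   returns 0 = documented form, 1 = documented option used wrongly,
#           2 = not in Table 2 (may still be valid; confirm in the man page)
check_smartcard_option() {
    name=${1%%=*}
    value=${1#*=}
    [ "$value" = "$1" ] && value=      # no '=' present: flag-style option
    case "$name" in
        smartcard-only|ignore-non-vas-user|pin-required)
            if [ -z "$value" ]; then echo "ok    $1"; return 0; fi
            echo "warn  $name takes no value (got '$value')"; return 1 ;;
        show-token-status)
            case "$value" in
                ""|clear) echo "ok    $1"; return 0 ;;
                *) echo "warn  show-token-status=$value: only bare or =clear is documented here"; return 1 ;;
            esac ;;
        prompt-style)
            case "$value" in
                ""|text|both) echo "ok    $1"; return 0 ;;
                *) echo "warn  prompt-style=$value: documented values are text and both"; return 1 ;;
            esac ;;
        *)
            echo "info  $name is not in Table 2; confirm it in the pam_vas_smartcard man page"; return 2 ;;
    esac
}

# check_smartcard_line "PAM LINE"
#   returns the number of wrongly used documented options on the line,
#   or 99 if the line does not load pam_vas_smartcard.so at all
check_smartcard_line() {
    bad=0; seen=0
    for tok in $1; do
        if [ "$seen" -eq 0 ]; then
            # skip type, control and module path; options follow the module
            case "$tok" in *pam_vas_smartcard.so*) seen=1 ;; esac
            continue
        fi
        check_smartcard_option "$tok" && rc=0 || rc=$?
        [ "$rc" -eq 1 ] && bad=$((bad + 1))
    done
    if [ "$seen" -eq 0 ]; then
        echo "error no pam_vas_smartcard.so on this line"
        return 99
    fi
    return "$bad"
}

# Constructed sample lines (not vastool output)
check_smartcard_line "auth sufficient pam_vas_smartcard.so smartcard-only prompt-style=both show-token-status=clear"
check_smartcard_line "auth sufficient pam_vas_smartcard.so smart-card-only prompt-style=txt" || :
```

Tokens that are not in Table 2 are reported as informational rather than as errors, because the pam_vas_smartcard man page documents more options than the smart card-specific ones listed here; a misspelled smartcard-only (for example smart-card-only) therefore shows up as an "info" line and should be checked against the man page before it is dismissed.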
