One Identity Privileged Access Suite for Unix
Introducing Authentication Services for Smart Cards
Authentication Services for Smart Cards features and benefits
Installing Authentication Services for Smart Cards
Configuring Authentication Services for Smart Cards
Strong two-factor authentication for Unix
Smart Card login integrated with Active Directory
Integration with existing Unix applications
Supported platforms
Supported cards and readers
Authentication Services for Smart Cards components
Configuring the vendor’s PKCS#11 library
Testing Authentication Services for Smart Cards
Troubleshooting
Testing the PKCS#11 library for Authentication Services for Smart Cards compatibility (optional)
Configuring the vendor's PKCS#11 library using VASTOOL
Configuring the vendor's PKCS#11 library by editing the configuration file
Configuring the PKCS#11 library for 32-bit and 64-bit versions
Configuring the card slot for your PKCS#11 library
Configuring the card slot using VASTOOL
Configuring the vendor's PKCS#11 slot by editing the configuration file
Configuring PAM applications for smart card login
Security issues when configuring smart card login
Usability issues with PAM applications
Enabling smart card login for selected services
Configuring applications for smart card and password login
Configuring applications for smart card login
pam_vas_smartcard options
Configuring GDM
Configuring certificates and CRLs
Configure GDM for smart card
Disable remote login
Configuring KDM
Configuring XDM
Configuring console login
Edit the GDM configuration file manually
Edit the GDM configuration file With the graphical application
Use GDM with a smart card
Steps to diagnose problems
Check the smart card reader
Check the PKCS#11 library
Check the card
Check login
Enable debug for smart card login with PAM
Enable debug for the Authentication Services daemon
Troubleshooting vastool errors
vastool ERROR: no PKCS#11 library specified in vas.conf
vastool ERROR: Could not get symbol 'C_GetFunctionList'
vastool ERROR: invalid ELF header
vastool ERROR: cannot open shared object file
vastool ERROR: smart card is not present in slot
vastool WARNING: "Smart card user X is not unix enabled" Issue
Troubleshooting PAM or "vastool smartcard test login" errors
Login fails when the network connectivity is down
Login fails when the system's internal clock is not synchronized
Login fails when the user account is disabled
Login fails when the user's certificate is not authorized
Troubleshooting "KDC has no support for padata type" issue
Troubleshooting "Cannot contact any KDC for requested realm" issue
Troubleshooting log errors
Log shows "clock skew problems"
Log shows "server policy does not allow them on" or "account is expired"
Log shows "Failed authentication attempt: cannot verify certificate"
Troubleshooting "Client not trusted" issue
Troubleshooting certificate lookups
Disable remote login
Configuring Authentication Services for Smart Cards > Configuring PAM applications for smart card login > Configuring GDM > Disabling Remote Login
One Identity recommends that you disable remote login for GDM by disabling the X display manager control protocol (XDMCP). XDMCP is disabled by default; however, you can manually disable XDMCP.
Edit the GDM configuration file manually
Configuring Authentication Services for Smart Cards > Configuring PAM applications for smart card login > Configuring GDM > Edit the GDM configuration file manually
To edit the GDM Configuration file manually
- Open the GDM configuration file.
This file is typically located at /etc/X11/gdm/gdm.conf, however "local" settings may take precedence. You can find the local settings in /etc/X11/gdm/factory-gdm.conf file.
- Look for the [XDMCP] section and verify that the Enable property is either not present, commented out, or is set to false, as follows:
[XDMCP] Enable=false.
Note: Whether modifying the GDM configuration manually or by using the graphical user interface, you must restart GDM.
Edit the GDM configuration file With the graphical application
Configuring Authentication Services for Smart Cards > Configuring PAM applications for smart card login > Configuring GDM > Edit the GDM configuration file With the graphical application
GDM includes a graphical application that you can use to configure GDM. The following steps document how to disable remote log in with this application:
To disable remote login
- Run /usr/bin/gdmsetup.
- Click the XDMCP tab.
- Verify that the Enabled XDMCP is not selected.
|
|
Note: Whether modifying the GDM configuration manually or by using /usr/bin/gdmsetup, you must restart GDM. |
Use GDM with a smart card
Configuring Authentication Services for Smart Cards > Configuring PAM applications for smart card login > Configuring GDM > Use GDM with a smart card
To perform smart card login by means of Gnome Display Manager (GDM)
- Insert your smart card.
- Enter your username or UPN at the Username: prompt, if required.
Note: GDM permits a null entry. An unspecified username allows the pam_vas_smartcard module to obtain the username from the smart card itself.
- Enter your PIN at the Password: prompt.
- Click the Login button.