To configure console login for smart card
vastool smartcard configure pam login
Note: The login program always displays a login: prompt, which you cannot modify. Similarly, the getty program always displays a login: prompt and passes the value it receives to the login program. Thus, the prompt-vassc-user option in the [pam_vas] section of vas.conf has no effect for the login program. The PIN prompt, however, can be changed by specifying a value for the prompt-vassc-pin option in the [pam_vas] section of vas.conf.
A typical smart card-enabled console login looks similar to the following:
penguin.vintela.com login: matlock
PIN: ********
The login program can display additional information on standard output. Specify the prompt-style option of the pam_vas_smartcard module to enable this additional prompting. Because the login: prompt itself cannot be modified, the extra information is shown only for the PIN prompt, as in the following example:
penguin.vintela.com login: matlock
Enter PIN for email@example.com
PIN: ********
You can also specify the show-token-status option of the pam_vas_smartcard module if you want status information about the card to be displayed while it is inspected and while authentication proceeds. For example:
penguin.vintela.com login: matlock
Inspecting smart card …
PIN: ********
Authenticating …
Some remote login programs (such as ftp or telnet) also use the login program, so a smart card-enabled login stack would be presented to network clients that cannot supply a card. For this reason One Identity recommends that you disable remote login services if you have smart card login enabled for the console. Consult the administrator's guide for your operating system for further details on disabling ftp or telnet.
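The following audit script is an added example, not part of the original page and not One Identity's code. It checks the two things the paragraph above cares about: that the console login PAM stack actually loads pam_vas_smartcard, and that no ftp or telnet service is still enabled through inetd or xinetd. The paths are passed as arguments so the functions can be run against sample files; the production defaults (/etc/pam.d/login, /etc/inetd.conf, /etc/xinetd.d) and the systemd-less inetd/xinetd layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not One Identity's code): audit a host where smart card
# console login has been configured. Assumed production paths:
#   /etc/pam.d/login   /etc/inetd.conf   /etc/xinetd.d
# All functions take the paths as arguments so they can be exercised on
# constructed sample files.

# Return 0 when the given PAM service file loads pam_vas_smartcard in its
# auth stack (what "vastool smartcard configure pam login" sets up).
pam_uses_smartcard() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_vas_smartcard\.so' "$1"
}

# Print ftp/telnet services that are not commented out in an inetd.conf.
# The pipeline ends in awk, so the function never fails under "set -e".
inetd_remote_logins() {
    [ -f "$1" ] || return 0
    grep -E '^[[:space:]]*(ftp|telnet)[[:space:]]' "$1" | awk '{print $1}'
}

# Print xinetd service files under a directory that define ftp or telnet
# and do not carry "disable = yes".
xinetd_remote_logins() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*service[[:space:]]+(ftp|telnet)' "$f" &&
           ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            basename "$f"
        fi
    done
    return 0
}

# Overall check: return 0 when the PAM stack uses pam_vas_smartcard and no
# remote login service that would reuse /bin/login is enabled; otherwise
# print each finding and return 1.
audit_console_smartcard() {
    pamfile="$1"; inetdconf="$2"; xinetddir="$3"
    rc=0
    if pam_uses_smartcard "$pamfile"; then
        echo "OK: $pamfile loads pam_vas_smartcard"
    else
        echo "WARN: $pamfile does not load pam_vas_smartcard (run: vastool smartcard configure pam login)"
        rc=1
    fi
    for svc in $(inetd_remote_logins "$inetdconf") $(xinetd_remote_logins "$xinetddir"); do
        echo "WARN: remote login service '$svc' is enabled and also uses the login program"
        rc=1
    done
    return $rc
}

# Usage on a real host (assumed paths):
#   audit_console_smartcard /etc/pam.d/login /etc/inetd.conf /etc/xinetd.d
```

The script only covers inetd and xinetd because those are the launchers the page's advice is written around; on a systemd host you would additionally check the corresponding socket units, which this example does not attempt.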
To perform smart card login by means of the console
The getty program displays the login: prompt.
Enter the username or UPN that is on the smart card; the PIN prompt follows.
Because Authentication Services for Smart Cards uses Public Key cryptography, it must also obtain and manage Certificates and CRLs. This section includes background information on Public Key Infrastructure components, describes how these are used in Authentication Services for Smart Cards, and demonstrates how to manage certificates and CRLs for use when authenticating to Active Directory.