
Safeguard Authentication Services 4.1.5 - Authentication Services for Smart Cards Administration Guide


Configure console login for smart card

To configure console login for smart card

  1. Run the following command:
    vastool smartcard configure pam login

Note: The login program always displays a login: prompt, which you cannot modify. Similarly, the getty program always displays a login: prompt, and passes the value it receives to the login program. Thus, the prompt-vassc-user option in the [pam_vas] section of vas.conf has no effect for the login program. However, the PIN prompt may be changed by specifying a value for the prompt-vassc-user option in the [pam_vas] section of vas.conf.

A typical smart card-enabled console login looks similar to the following:

penguin.vintela.com login: matlock
PIN: ********

The login program can display additional information on standard output. Specify the prompt-style option of the pam_vas_smartcard module for additional prompting. However, it only displays additional prompting information for PIN prompts, as in the following example:

penguin.vintela.com login: matlock
Enter PIN for matlock@vintela.com
PIN: ********

Note that you can also specify the show-token-status option of the pam_vas_smartcard module if you want status information. For example:

penguin.vintela.com login: matlock
Inspecting smart card …
PIN: ********
Authenticating …

Disable remote login

Some remote login programs (such as ftp or telnet) also use the login program. For this reason, One Identity recommends that you disable remote login services if you have smart card login enabled for the console. Consult the administrator’s guide for your operating system for further details on disabling ftp or telnet.
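
One way to verify this recommendation on a host, as an added example that is not One Identity code: the script checks whether the PAM file for login references the pam_vas_smartcard module and, if so, reports telnet or ftp services that are still enabled. The file paths are passed as arguments, and the classic inetd.conf and xinetd.d file formats are assumptions.

```sh
#!/bin/sh
# Added example (not One Identity code): flag telnet/ftp left enabled on a host
# whose console login stack uses pam_vas_smartcard. File formats assumed:
# classic inetd.conf and xinetd.d service files with "disable = yes|no".

# True if a non-comment line of the PAM file references pam_vas_smartcard.
smartcard_login_enabled() {
    [ -r "$1" ] && grep -v '^[[:space:]]*#' "$1" | grep -q 'pam_vas_smartcard'
}

# Print telnet/ftp entries that are active (not commented out) in inetd.conf.
inetd_remote_logins() {
    [ -r "$1" ] || return 0
    awk '$1 == "telnet" || $1 == "ftp" { print $1 }' "$1"
}

# Print telnet/ftp xinetd services that are not set to "disable = yes".
xinetd_remote_logins() {
    [ -d "$1" ] || return 0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            $1 == "service" && ($2 == "telnet" || $2 == "ftp") { svc = $2; off = 0 }
            svc != "" && $1 == "disable" && $3 == "yes" { off = 1 }
            svc != "" && $1 == "}" { if (!off) print svc; svc = "" }
        ' "$f"
    done
}

# Return 1 when smart card console login coexists with enabled telnet/ftp.
audit_remote_login() {
    if ! smartcard_login_enabled "$1"; then
        echo "pam_vas_smartcard not found in $1; nothing to check"; return 0
    fi
    found="$(inetd_remote_logins "$2"; xinetd_remote_logins "$3")"
    if [ -z "$found" ]; then echo "OK: telnet/ftp not enabled"; return 0; fi
    echo "WARNING: still enabled: $(echo "$found" | sort -u | tr '\n' ' ')"
    return 1
}

# Usage: script PAM_LOGIN_FILE INETD_CONF XINETD_DIR (paths vary by platform).
if [ "$#" -eq 3 ]; then audit_remote_login "$@"; fi
```

Services started as standalone daemons or by other service managers are outside what this check covers.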

Use console login with a smart card

To perform smart card login by means of the console

  1. Insert your smart card.

    The getty program prompts for a login.

  2. Enter your username or UPN at the Username: prompt.

    You must enter the username or UPN that is on the smart card.

  3. Enter your PIN at the Password: prompt.
  4. Click the Login button.

Configuring certificates and CRLs

Because Authentication Services for Smart Cards uses Public Key cryptography, it must also obtain and manage Certificates and CRLs. This section includes background information on Public Key Infrastructure components, describes how these are used in Authentication Services for Smart Cards, and demonstrates how to manage certificates and CRLs for use when authenticating to Active Directory.
