Configuring PAM applications for smart card login
To integrate Authentication Services for Smart Cards with existing applications you need to configure PAM. This section describes in detail how to configure the pam_vas_smartcard module for different scenarios, and gives recommendations for which options works well with some common login applications. The following topics are discussed:
- Security issues when configuring smart card login
- Usability issues when configuring smart card login
- Configuring PAM for smart card only login
- Configuring PAM for smart card and password login
- Configuring GDM
- Configuring KDM
- Configuring XDM
- Configuring Console Login
- Configuring Dtlogin
- Configuring XScreenSaver for Solaris Common Desktop Environment (CDE)
You can find background information on PAM and configuring Authentication Services PAM modules in the Authentication Services Administrator’s Guide, located in the docs directory of the installation media.
Security issues when configuring smart card login
One of the properties that makes smart card login more secure is that it requires the physical presence of a card or token to authenticate. To secure smart card login you must limit card access to users who are physically present at the terminal and ensure that remote users cannot access cards.
You enable smart card login by configuring the Authentication Services PAM module pam_vas_smartcard for a given application. When the application requires authentication, it makes calls to this module which in turn communicates with the smart card and prompts the user for his PIN.
Because you can use PAM to authenticate both remote and local users, never configure smart card login for remote login applications such as SSH, telnet or ftp. The pam_vas_smartcard module is unable to determine whether a login is from a local or remote user.
Therefore, if you enable pam_vas_smartcard on a remote login service, an attacker may be able to connect to these services and either attempt to guess the PIN of the locally inserted card, or cause denial of service by locking out the card after several attempts.
A further complication is that you can use some applications for both local and remote login (for example XDM or /bin/login).
For this reason it is not possible to enable the pam_vas_smartcard module for all applications, as you can with the normal Authentication Services PAM module. You must decide which services to enable using the vastool smartcard configure pam command and enable these one by one.
For more information on how to secure login to these applications for local users only, see the appropriate sections below.
|
|
Note: It is possible for a smart card user at a local terminal to log into a remote service using the local smart card. To do so you need to use versions of the remote client and server that have been Kerberized. One Identity provides a number of ready-packaged versions of such clients and servers for services such as SSH, telnet and ftp on its Resource Central website which will support Authentication Services for Smart Cards. For more details see Resource Central. |
Usability issues with PAM applications
While PAM provides a mechanism for integrating custom authentication mechanisms, many applications are designed only to support username- and password-based logins.
In general, most applications will work with Authentication Services for Smart Cards in the following way:
- The application displays either a "Username: " or "Insert Card or enter username" prompt.
- The user enters the username that is on their card. This may be their Unix login name, or their full UPN.
- The application displays either a "PIN" or "Password" prompt.
- The user enters his PIN.
Depending on how the pam_vas_smartcard module is configured, it is possible to either login using the smart card or a local user (such as root). It is also possible to configure PAM so that a user can log in with either a smart card or with a password.
Enabling smart card login for selected services
Once you have installed and configured Authentication Services correctly, you must enable smart card login. Authentication Services for Smart Cards provides a PAM module pam_vas_smartcard.so that allows integration of Authentication Services for Smart Cards with PAM-aware applications. For more information on options that you can use with the Authentication Services for Smart Cards module, see the pam_vas_smartcard(8) man page.
|
|
Note: Unlike Authentication Services password login, smart card login is not enabled for all PAM services by default. Because some services such as SSH and telnet use PAM to authenticate users over a network, enabling smart card login for these services is undesirable. Enabling would allow an attacker to attempt to brute force the card PIN or exceed the maximum login attempts for the card causing the card to be locked. For this reason only enable PAM for services which are used for local login (such as, GDM, KDM, and dtlogin). See Security issues when configuring smart card login for more information. |