To enable smart card login
vastool smartcard configure pam <service>
where service is the name of the service (such as gdm or kdm) for which you want to enable smart card login.
To disable smart card login
vastool smartcard unconfigure pam <service>
where service is the name of the service (such as gdm or kdm) for which you want to disable smart card login.
When you install Authentication Services, most applications are configured to allow login to Active Directory with a password, or to a local user account. To enable users to also log in with a smart card for a given service, run the following command:
vastool smartcard configure pam <service>
where service is the name of the service to enable for smart card login.
This configures either the /etc/pam.conf file or the /etc/pam.d/<service> file, depending on your operating system and existing PAM configuration.
After running the vastool smartcard configure pam gdm command, the GDM PAM configuration on Red Hat Enterprise Linux 4.0 looks like this:
/etc/pam.d/gdm
#%PAM-1.0
auth required pam_env.so
auth [ignore=ignore success=done default=die] pam_vas_smartcard.so create_homedir
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account [ignore=ignore success=done default=die] pam_vas_smartcard.so
account required pam_stack.so service=system-auth
password [ignore=ignore success=done default=die] pam_vas_smartcard.so
password required pam_stack.so service=system-auth
session required pam_vas_smartcard.so create_homedir
session required pam_stack.so service=system-auth
session optional pam_console.so
Note that joining the domain configured the pam_stack.so module for Authentication Services password login. You can see the configuration in the /etc/pam.d/system-auth file:
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth [ignore=ignore success=done default=die] pam_vas3.so create_homedir
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account [ignore=ignore success=done default=die] pam_vas3.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password [ignore=ignore success=done default=die] pam_vas3.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required pam_vas3.so create_homedir
session required /lib/security/$ISA/pam_unix.so
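To confirm that a service's PAM file still has the layout shown above for gdm (the smart card module ahead of the pam_stack.so password fallback, with the bracketed control intact), a small audit script can parse the file and report deviations. This is an added example, not One Identity code; the function names and the checks it makes are assumptions, and the sample input is the auth, account and password lines of the gdm file on this page.

```python
import re

# auth/account/password lines of /etc/pam.d/gdm as shown on this page
GDM_PAM = """\
#%PAM-1.0
auth required pam_env.so
auth [ignore=ignore success=done default=die] pam_vas_smartcard.so create_homedir
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account [ignore=ignore success=done default=die] pam_vas_smartcard.so
account required pam_stack.so service=system-auth
password [ignore=ignore success=done default=die] pam_vas_smartcard.so
password required pam_stack.so service=system-auth
"""

LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# Linux-PAM bracket control: PAM_IGNORE -> skip this module, PAM_SUCCESS -> stop
# with success, any other return -> fail the stack at once.
EXPECTED = {"ignore": "ignore", "success": "done", "default": "die"}

def parse_pam(text):
    """Parse /etc/pam.d/<service> style lines into (type, control, module, args)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        mtype, control, module, args = m.groups()
        if control.startswith("["):  # "[k=v k=v]" becomes a dict
            control = dict(kv.split("=", 1) for kv in control[1:-1].split())
        entries.append((mtype, control, module.rsplit("/", 1)[-1], args.split()))
    return entries

def smartcard_findings(entries, module="pam_vas_smartcard.so", fallback="pam_stack.so"):
    """List problems with the smart card lines of the auth/account/password stacks."""
    findings = []
    for mtype in ("auth", "account", "password"):
        stack = [(c, m) for t, c, m, _ in entries if t == mtype]
        names = [m for _, m in stack]
        if module not in names:
            findings.append(f"{mtype}: {module} missing")
            continue
        control = stack[names.index(module)][0]
        if control != EXPECTED:
            findings.append(f"{mtype}: unexpected control {control}")
        if fallback in names and names.index(fallback) < names.index(module):
            findings.append(f"{mtype}: {fallback} runs before {module}")
    return findings
```

An empty list from smartcard_findings(parse_pam(open("/etc/pam.d/gdm").read())) means the file matches the layout above; the same parser reads the system-auth file if you pass module="pam_vas3.so" and a fallback such as "pam_unix.so".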
© 2023 One Identity LLC. ALL RIGHTS RESERVED.