Safeguard Authentication Services 4.1.5 - Authentication Services for Smart Cards Administration Guide


Enable smart card login

To enable smart card login

  1. Log in and open a root shell.
  2. Run the command:
    vastool smartcard configure pam <service>

    where service is the name of the service (such as gdm or kdm) for which you want to enable smart card login.

  3. Depending on the service, you may need to restart it before you can log in with a smart card.

Disable smart card login

To disable smart card login

  1. Log in and open a root shell.
  2. Run the command:
    vastool smartcard unconfigure pam <service>

    where service is the name of the service (such as gdm or kdm) for which you want to disable smart card login.

Configuring applications for smart card and password login

When you install Authentication Services, most applications are configured to allow login to Active Directory with a password, or to a local user account. To enable users to also log in with a smart card for a given service, run the following command:

vastool smartcard configure pam <service>

where service is the name of the service to enable for smart card login.

This configures either the /etc/pam.conf file or /etc/pam.d/<service> file depending on your operating system and existing PAM configuration.

Example: Application configured for Red Hat Enterprise Linux 4.0 login

After running the vastool smartcard configure pam gdm command, the GDM PAM configuration on a Red Hat Enterprise Linux 4.0 system looks like this:

/etc/pam.d/gdm
#%PAM-1.0
auth required pam_env.so
auth [ignore=ignore success=done default=die] pam_vas_smartcard.so create_homedir
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account [ignore=ignore success=done default=die] pam_vas_smartcard.so
account required pam_stack.so service=system-auth
password [ignore=ignore success=done default=die] pam_vas_smartcard.so
password required pam_stack.so service=system-auth
session required pam_vas_smartcard.so create_homedir
session required pam_stack.so service=system-auth
session optional pam_console.so

Note that joining the domain configured the pam_stack.so module for Authentication Services password login. You can see that configuration in the /etc/pam.d/system-auth file:

/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth [ignore=ignore success=done default=die] pam_vas3.so create_homedir
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account [ignore=ignore success=done default=die] pam_vas3.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password [ignore=ignore success=done default=die] pam_vas3.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required pam_vas3.so create_homedir
session required /lib/security/$ISA/pam_unix.so
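As an added example, not part of this guide or of the product, the following Python check parses a pam.d service file (handling the bracketed control syntax and backslash line continuations) and reports whether the smart card module is wired into the auth and account stacks the way vastool smartcard configure pam writes it. The embedded gdm stack is a constructed copy of the listing above, and smartcard_status is a hypothetical helper, not a vastool function.

```python
import re

# Constructed sample input: the /etc/pam.d/gdm stack the guide shows, embedded so this runs offline.
SAMPLE_GDM = """#%PAM-1.0
auth required pam_env.so
auth [ignore=ignore success=done default=die] pam_vas_smartcard.so create_homedir
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account [ignore=ignore success=done default=die] pam_vas_smartcard.so
account required pam_stack.so service=system-auth
session required pam_vas_smartcard.so create_homedir
session required pam_stack.so service=system-auth
"""

# One pam.d rule: type, control (a keyword or a bracketed action list), module path, optional args.
_RULE = re.compile(r"^(?P<type>\S+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$")

def parse_pam(text: str) -> list:
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and blank lines
        if not line:
            continue
        if line.endswith("\\"):                   # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        m = _RULE.match((buf + line).strip())
        buf = ""
        if m:
            rules.append({"type": m["type"], "control": m["control"],
                          "module": m["module"].rsplit("/", 1)[-1],   # strip /lib/security/$ISA/
                          "args": (m["args"] or "").split()})
    return rules

# Control vastool writes: success=done ends the auth stack once the card authenticates,
# ignore=ignore falls through to password login when no card is used, default=die fails closed.
EXPECTED_CONTROL = "[ignore=ignore success=done default=die]"
PASSWORD_MODULES = {"pam_stack.so", "pam_unix.so", "pam_vas3.so"}

def smartcard_status(text: str) -> dict:
    rules = parse_pam(text)
    auth = [r for r in rules if r["type"] == "auth"]
    sc = [i for i, r in enumerate(auth) if r["module"] == "pam_vas_smartcard.so"]
    pw = [i for i, r in enumerate(auth) if r["module"] in PASSWORD_MODULES]
    return {
        "auth_present": bool(sc),
        "auth_control_ok": bool(sc) and auth[sc[0]]["control"] == EXPECTED_CONTROL,
        # The card module must precede the password modules, or the user is asked for a password first.
        "auth_before_password": bool(sc) and (not pw or sc[0] < pw[0]),
        "account_present": any(r["type"] == "account" and r["module"] == "pam_vas_smartcard.so" for r in rules),
    }
```

Feed it the contents of /etc/pam.d/<service> after running the configure or unconfigure command to confirm the stack changed as expected.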