
Safeguard Authentication Services 4.2 - Authentication Services for Smart Cards Administration Guide


Disabling remote login

One Identity recommends that you disable remote login for XDM by disabling the X display manager control protocol (XDMCP).

Note: XDMCP is disabled by default.

To manually disable XDMCP

  1. Open the XDM configuration file for editing.

    This file is typically located at /etc/X11/xdm/xdm-config.

  2. Verify that the DisplayManager.requestPort property is set to 0, like this:

    DisplayManager.requestPort: 0

Configure console login

The /usr/bin/login program is a PAM application for performing login to the system. Typically /usr/bin/login is called by the getty program for login to the console. The following sections document how to configure and use console login with smart card authentication.

Configuring console login for smart card

To configure console login for smart card

  1. Run the following command:
    vastool smartcard configure pam login

Note: The login program always displays a login: prompt, which you cannot modify. Similarly, the getty program always displays a login: prompt, and passes the value it receives to the login program. Thus, the prompt-vassc-user option in the [pam_vas] section of vas.conf has no effect for the login program. However, the PIN: prompt may be changed by specifying a value for the prompt-vassc-user option in the [pam_vas] section of vas.conf.

A typical smart card-enabled console login looks similar to the following:

penguin.vintela.com login: matlock
PIN: ********

The login program can display additional information on standard output. Specify the prompt-style option of the pam_vas_smartcard module for additional prompting. However, it only displays additional prompting information for PIN prompts, as in the following example:

penguin.vintela.com login: matlock
Enter PIN for matlock@vintela.com
PIN: ********

Note that you can also specify the show-token-status option of the pam_vas_smartcard module if you want status information. For example:

penguin.vintela.com login: matlock
Inspecting smart card …
PIN: ********
Authenticating …

Disabling remote login

Some remote login programs (such as ftp or telnet) also use the login program. For this reason, One Identity recommends that you disable remote login services if you have smart card login enabled for the console. Consult the administrator’s guide for your operating system for further details on disabling ftp or telnet.
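The two recommendations on this page (XDMCP disabled in xdm-config, and ftp/telnet not offered by a remote login service) can be checked with a small audit script. The following is an added example, not One Identity's code or part of the vastool tooling; it assumes an X resources style xdm-config file as described above and an inetd.conf style service table, and takes the file paths as arguments so it can be run against copies or test files:

```shell
#!/bin/sh
# Added audit helper (not One Identity's code). Checks the two settings this
# page recommends: XDMCP disabled in xdm-config, and ftp/telnet not served
# by inetd. File paths are arguments so the checks can be pointed at test
# copies; the real locations (assumptions) would be /etc/X11/xdm/xdm-config
# and /etc/inetd.conf.

# xdmcp_disabled FILE
# Returns 0 (success) when DisplayManager.requestPort is absent (XDMCP is
# disabled by default) or explicitly set to 0, and 1 when it is set to any
# other value. Comment lines starting with '!' or '#' are ignored, as xdm
# does with X resource files; the last matching line wins.
xdmcp_disabled() {
    file=$1
    # A missing config file means xdm runs with its built-in default of 0.
    [ -f "$file" ] || return 0
    port=$(grep -v '^[[:space:]]*[!#]' "$file" \
        | grep 'DisplayManager\.requestPort[[:space:]]*:' \
        | tail -n 1 \
        | sed 's/.*:[[:space:]]*//; s/[[:space:]]*$//')
    [ -z "$port" ] && return 0
    [ "$port" = "0" ]
}

# inetd_remote_login_services FILE
# Prints the names of ftp/telnet services that are enabled (uncommented) in
# an inetd.conf style file, one per line; prints nothing when none are.
inetd_remote_login_services() {
    file=$1
    [ -f "$file" ] || return 0
    grep -v '^[[:space:]]*#' "$file" \
        | awk '$1 == "ftp" || $1 == "telnet" { print $1 }'
}

# Demonstration on constructed sample files (not real system files).
sample_xdm=$(mktemp)
sample_inetd=$(mktemp)
printf '! constructed xdm-config sample\nDisplayManager.requestPort:\t0\n' > "$sample_xdm"
printf '#ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n' > "$sample_inetd"
printf 'telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n' >> "$sample_inetd"

if xdmcp_disabled "$sample_xdm"; then
    echo "XDMCP: disabled"
else
    echo "XDMCP: ENABLED (set DisplayManager.requestPort to 0)"
fi
enabled=$(inetd_remote_login_services "$sample_inetd")
if [ -n "$enabled" ]; then
    echo "Remote login services still enabled: $enabled"
else
    echo "No ftp/telnet services enabled"
fi
rm -f "$sample_xdm" "$sample_inetd"
```

On a host with smart card console login, run it against the real files after `vastool smartcard configure pam login`; a non-zero result from xdmcp_disabled or any output from inetd_remote_login_services points at a service that still accepts logins without the card.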
