One Identity Privileged Access Suite for Unix
Introducing Authentication Services for Smart Cards
Authentication Services for Smart Cards features and benefits
Installing Authentication Services for Smart Cards
Configuring Authentication Services for Smart Cards
Strong two-factor authentication for Unix
Smart Card login integrated with Active Directory
Integration with existing Unix applications
Supported platforms
Supported cards and readers
Authentication Services for Smart Cards components
Configuring the vendor’s PKCS#11 library
Testing Authentication Services for Smart Cards
Troubleshooting
Testing the PKCS#11 library for Authentication Services for Smart Cards compatibility (optional)
Configuring the vendor's PKCS#11 library using VASTOOL
Configuring the vendor's PKCS#11 library by editing the configuration file
Configuring the PKCS#11 library for 32-bit and 64-bit versions
Configuring the card slot for your PKCS#11 library
Configuring the card slot using VASTOOL
Configuring the vendor's PKCS#11 slot by editing the configuration file
Configuring PAM applications for smart card login
Security issues when configuring smart card login
Usability issues with PAM applications
Enabling smart card login for selected services
Configuring applications for smart card and password login
Configuring applications for smart card login
pam_vas_smartcard options
Configure Gnome Display Manager (GDM)
Configuring certificates and CRLs
Configuring GDM for smart card
Disable remote login
Configure K Display Manager (KDM)
Configure X Display Manager (XDM)
Configure console login
Editing the GDM configuration file manually
Editing the GDM configuration file With the graphical application
Using GDM with a smart card
Concepts
How Authentication Services for Smart Cards uses certificates and CRLs
Bootstrapping trusted certificates
Automatic CRL retrieval
Options for controlling certificate and CRL processing
Managing certificates and CRLs
Locking the screen saver upon card removal (macOS)
Steps to diagnose problems
Check the smart card reader
Check the PKCS#11 library
Check the card
Check login
Enable debugging for smart card login with PAM
Enable debugging for the Authentication Services daemon
Enable debugging for the PKCS#11 library
Troubleshooting vastool errors
vastool ERROR: no PKCS#11 library specified in vas.conf
vastool ERROR: Could not get symbol 'C_GetFunctionList'
vastool ERROR: invalid ELF header
vastool ERROR: cannot open shared object file
vastool ERROR: smart card is not present in slot
vastool WARNING: "Smart card user X is not unix enabled" Issue
Troubleshooting PAM or "vastool smartcard test login" errors
Login fails when the network connectivity is down
Login fails when the system's internal clock is not synchronized
Login fails when the user account is disabled
Login fails when the user's certificate is not authorized
Troubleshooting "KDC has no support for padata type" issue
Troubleshooting "Cannot contact any KDC for requested realm" issue
Troubleshooting log errors
Log shows "clock skew problems"
Log shows "server policy does not allow them on" or "account is expired"
Log shows "Failed authentication attempt: cannot verify certificate"
Troubleshooting "Client not trusted" issue
Troubleshooting certificate lookups
Disable bootstrap and manage certificates and CRLs manually
Configuring Authentication Services for Smart Cards > Configuring certificates and CRLs > Managing certificates and CRLs > Disable bootstrap and manage certificates and CRLs manually
You can disable certificate bootstrapping and CRL downloading and distribute these items to Authentication Services clients by other means, such as Group Policy.
To disable bootstrap and manage certificates and CRLs manually
- Set the auto-crl-download, auto-crl-removal and bootstrap-trusted-certs options to false in the [pkinit] section of the /etc/opt/quest/vas/vas.conf files, as follows:
[pkinit] auto-crl-download = false auto-crl-removal = false bootstrap-trusted-certs = false
- Place the trusted certificates in the /var/opt/quest/vas/certs directory.
- Place CRLs in the /var/opt/quest/vas/crls directory.
Locking the screen saver upon card removal (macOS)
Configuring Authentication Services for Smart Cards > Locking the screen saver upon card removal (macOS)
The ability to lock the screen saver when a token is removed is a feature and function of the macOS screen saver.
To enforce this setting using Mac OS X Group Policy
-
Navigate to User Configuration | Mac OS X Settings | Preference Manifests | Screen Saver Security from the Windows administrative machine that has the Authentication Services components installed.
-
Set the following settings to ensure that the screen saver becomes locked and stays locked once the smart card is removed:
- Screensaver Require Password Delay: 0
- Require Password For Screensaver Unlock: 1
Testing Authentication Services for Smart Cards
Testing Authentication Services for Smart Cards
After you install and configure Authentication Services for Smart Cards to work with your vendor's PKCS#11 library drivers, you will want to validate your installation.
Testing general configuration and login using smart card
Testing general configuration and login using smart card
Testing Authentication Services for Smart Cards > Testing general configuration and login using smart card
This procedure tests the Authentication Services for Smart Cards installation. It ensures that the library is installed correctly, the card has been initialized, there is a valid user certificate installed, and the card can be used to log into Active Directory.
To test the Authentication Services for Smart Cards installation
- Attach a supported reader.
- Insert the initialized card.
- Run the following command.
vastool smartcard test all
If the card is configured correctly, it displays output similar to the following:
Config: ------- Checking that a PKCS#11 library is specified ... ok (Specifying PKCS#11 slot is optional) Library: -------- Testing PKCS#11 library '/usr/local/lib/libxltCk.so': Checking PKCS#11 library may be dynamically loaded ... ok Checking PKCS#11 library contains necessary symbols ... ok Checking PKCS#11 function list can be obtained ... ok Checking PKCS#11 library version is compatible ... ok Checking PKCS#11 library can be initialized ... ok Checking PKCS#11 library can be finalized ... ok Card: ----- Getting mechanisms ... ok Checking for required mechanisms ... ok Testing that card contains a user ... ok User: ----- Testing user j.doe@example.com Testing if PIN is required ... ok Enter PIN for j.doe@example.com: **** Performing login to card ... ok Generating signature ... ok Verifying signature ... ok Login: ----- Testing user j.doe@example.com Testing if PIN is required ... ok Enter PIN for j.doe@example.com: Performing login to card ... ok Creating ID for client with UPN 'j.doe@example.com' ... ok Establish initial credentials using PKCS#11 ... ok