One of the properties that makes smart card login more secure is that it requires the physical presence of a card or token to authenticate. To secure smart card login, you must limit card access to users who are physically present at the terminal and ensure that remote users cannot access cards.
You enable smart card login by configuring the Safeguard Authentication Services PAM module pam_vas_smartcard for a given application. When the application requires authentication, it makes calls to this module, which in turn communicates with the smart card and prompts the user for their PIN.
Because you can use PAM to authenticate both remote and local users, never configure smart card login for remote login applications such as SSH, telnet, or ftp. The pam_vas_smartcard module is unable to determine whether a login is from a local or remote user.
Therefore, if you enable pam_vas_smartcard on a remote login service, an attacker may be able to connect to these services and either attempt to guess the PIN of the locally inserted card, or cause denial of service by locking out the card after several attempts.
A further complication is that you can use some applications for both local and remote login (for example XDM or /bin/login).
For this reason it is not possible to enable the pam_vas_smartcard module for all applications, as you can with the normal Safeguard Authentication Services PAM module. You must decide which services to enable using the vastool smartcard configure pam command and enable these one by one.
For more information on how to secure login to these applications for local users only, see the appropriate sections below.
Note: Using Safeguard Authentication Services for Smart Cards, you cannot log in to a remote service using the local smart card with OpenSSH; however, you can use Kerberos to log in to a remote service using the Generic Security Services Application Program Interface (GSSAPI).
While PAM provides a mechanism for integrating custom authentication mechanisms, many applications are designed only to support username-based logins and password-based logins.
In general, most applications will work with Safeguard Authentication Services for Smart Cards in the following way:
- The application displays either a "Username: " or "Insert Card or enter username" prompt.
- The user enters the username that is on their card. This may be their Unix login name, or their full UPN.
- The application displays either a "PIN" or "Password" prompt.
- The user enters their PIN.
Depending on how the pam_vas_smartcard module is configured, it is possible either to log in using the smart card or to log in as a local user (such as root). It is also possible to configure PAM so that a user can log in with either a smart card or a password.
Once you have installed and configured Safeguard Authentication Services correctly, you must enable smart card login. Safeguard Authentication Services for Smart Cards provides a PAM module pam_vas_smartcard.so that allows integration of Safeguard Authentication Services for Smart Cards with PAM-aware applications. For more information on options that you can use with the Safeguard Authentication Services for Smart Cards module, see the pam_vas_smartcard(8) man page.
Note: Unlike Safeguard Authentication Services password login, smart card login is not enabled for all PAM services by default. Because some services such as SSH and telnet use PAM to authenticate users over a network, enabling smart card login for these services is undesirable. Doing so would allow an attacker to attempt to brute force the card PIN or to exceed the maximum login attempts for the card, causing the card to be locked. For this reason, only enable PAM for services that are used for local login (such as GDM, KDM, and dtlogin). For more information, see Security issues when configuring smart card login.
To enable smart card login
- Log in and open a root shell.
- Run the command:
vastool smartcard configure pam <service>
where <service> is the name of the service (such as gdm or kdm) for which you want to enable smart card login.
- Depending on the service, you may need to restart it before you can log in with a smart card.
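As an added example that is not part of the product documentation, the following POSIX shell script audits a PAM configuration directory for the misconfiguration described above: pam_vas_smartcard loaded by a network-facing service. The list of remote service names and the constructed sample pam.d files are assumptions made for the demonstration.

```shell
#!/bin/sh
# Audit a PAM configuration directory (normally /etc/pam.d) for network
# login services that load pam_vas_smartcard. Service names below are an
# assumption; extend the list to match the remote login services on the host.
REMOTE_SERVICES="sshd ssh telnet ftp vsftpd login"

# audit_pam_smartcard <pam.d directory>
# Prints a warning for each remote service that loads pam_vas_smartcard.
# Returns 1 if any such service is found, 0 otherwise.
audit_pam_smartcard() {
    dir=$1
    found=0
    for svc in $REMOTE_SERVICES; do
        f="$dir/$svc"
        [ -f "$f" ] || continue
        # Skip commented-out lines, then look for the module name.
        if grep -v '^[[:space:]]*#' "$f" | grep -q 'pam_vas_smartcard'; then
            echo "WARNING: $svc loads pam_vas_smartcard (remote login service)"
            found=1
        fi
    done
    return $found
}

# Build a constructed sample pam.d tree: smart card login enabled for the
# local display manager only, and a commented-out entry for telnet.
make_sample_pamd() {
    d=$(mktemp -d)
    printf 'auth sufficient pam_vas_smartcard.so\nauth required pam_unix.so\n' > "$d/gdm"
    printf 'auth required pam_unix.so\n' > "$d/sshd"
    printf '# auth sufficient pam_vas_smartcard.so\nauth required pam_unix.so\n' > "$d/telnet"
    echo "$d"
}

# Demo run on the constructed tree; a real audit would pass /etc/pam.d.
if audit_pam_smartcard "$(make_sample_pamd)"; then
    echo "OK: no remote login service loads pam_vas_smartcard"
fi
```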