enable smart card login in RHEL 8

How can I log in to RHEL 8 with a smart card, since pam_pkcs11 and pam_krb5 are not found in RHEL 8?

Where can I find a user guide or documents for enabling smart card login in RHEL 8?

Responses

Hi ! :)

In this knowledgebase article you might find what you're looking for : Smart Card support in RHEL8 ... :)

Regards,
Christian

Hi Christian

Thanks for your response. We followed the link but still failed to make the smart card work on Red Hat 8. The following is how we set up our environment:

We have a Windows AD; the domain name is 'rzview2.com'. First we followed https://access.redhat.com/articles/3023951 to join AD (replacing "authconfig --update --enablesssd --enablesssdauth --enablemkhomedir" with "authselect select sssd with-smartcard"), then used 'certutil' and 'modutil' to add the certificate and the PKCS#11 driver (libcmP11.so) to /etc/pki/nssdb.

However, the greeter doesn't show the user selection page; it keeps prompting for the password and flashing, the cancel button doesn't work, and the greeter shows 'Sorry, that didn't work. Please try again'.

We created an 'sssd.conf' with the following content; the sssd service status is ok:

[sssd]
config_file_version = 2
domains = rzview2.com
services = nss, pam, pac

[domain/RZVIEW2.COM]
debug_level = 0x1310
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad

cache_credentials = true

[domain/shadowutils]
id_provider = ad

[pam]
pam_cert_auth = True

Token info

[root@rhel8sc ~]# p11tool --list-tokens 
Token 0:
        URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
        Label: System Trust
        Type: Trust module
        Flags: uPIN uninitialized
        Manufacturer: PKCS#11 Kit
        Model: p11-kit-trust
        Serial: 1
        Module: p11-kit-trust.so

Token 1:
        URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
        Label: Default Trust
        Type: Trust module
        Flags: uPIN uninitialized
        Manufacturer: PKCS#11 Kit
        Model: p11-kit-trust
        Serial: 1
        Module: p11-kit-trust.so

Token 2:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=rzview%20sc2
        Label: rzview sc2
        Type: Hardware token
        Flags: RNG, Requires login
        Manufacturer: piv_II
        Model: PKCS#15 emulated
        Serial: 00000000
        Module: opensc-pkcs11.so

GDM log, dumped repeatedly

Jul 12 17:31:53 rhel8sc gdm[1077]: GdmManager: trying to open new session
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmDBusServer: new connection 0x7f1dcc0431c0
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: Handling new connection from outside
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmManager: client connected
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmDisplay: Got timed login details for display: 0
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: starting conversation gdm-smartcard
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSessionWorkerJob: Starting worker...
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSessionWorkerJob: Running session_worker_job process: gdm-session-worker [pam/gdm-smartcard] /usr/libexec/gdm-session-worker
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSessionWorkerJob: : SessionWorkerJob on pid 3087
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: Enabling debugging
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: connecting to address: unix:abstract=/tmp/dbus-2jLjANh6
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmDBusServer: new connection 0x7f1dcc04de00
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: Handling new connection from worker
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: Authenticating new connection
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: worker connection is 0x7f1dcc04de00
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: Emitting conversation-started signal
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmManager: session conversation started for service gdm-smartcard
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: getting session command for file 'gnome.desktop'
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: checking if file 'gnome.desktop' is wayland session: yes
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: setting session to type 'wayland'
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: Beginning initialization
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: getting session command for file 'gnome.desktop'
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: checking if file 'gnome.desktop' is wayland session: yes
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: getting session command for file 'gnome.desktop'
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: Conversation started
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: AccountsService: ActUserManager: system OS is 'rhel'
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: AccountsService: ActUserManager: system OS version is '8.0'
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: AccountsService: Failed to identify the current session: No data available
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: AccountsService: ActUserManager: seat unloaded, so trying to set loaded property
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: AccountsService: ActUserManager: Seat wouldn't load, so giving up on it and setting loaded property
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: AccountsService: ActUserManager: already loaded, so not setting loaded property
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: attempting to change state to SETUP_COMPLETE
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: initializing PAM; service=gdm-smartcard username=(null) seat=seat0
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: Set PAM environment variable: 'XDG_SEAT=seat0'
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: state SETUP_COMPLETE
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: attempting to change state to AUTHENTICATED
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: authenticating user (null)
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: authentication returned 7: Authentication failure
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: uninitializing PAM
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: jumping to VT 1
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: first setting graphics mode to prevent flicker
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: couldn't set graphics mode: Inappropriate ioctl for device
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: VT mode did not need to be fixed
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: couldn't manage VTs manually: Inappropriate ioctl for device
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: couldn't initiate jump to VT 1: Inappropriate ioctl for device
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: state NONE
Jul 12 17:31:53 rhel8sc gdm-smartcard][3087]: GdmSessionWorker: Unable to verify user
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: stopping conversation gdm-smartcard
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSessionWorkerJob: Stopping job pid:3087
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmCommon: sending signal 15 to process 3087
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSessionWorkerJob: child (pid:3087) done (status:0)
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: Worker job exited: 0
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmSession: Emitting conversation-stopped signal
Jul 12 17:31:53 rhel8sc gdm[1077]: GdmManager: session conversation 'gdm-smartcard' stopped

Is this a bug? Could you provide step-by-step instructions to set up the smart card on Red Hat 8?
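As an added check (not from the thread or from Red Hat), the script below parses an sssd.conf like the one posted above and reports the settings that smart card login through SSSD depends on: `pam` in `services`, `pam_cert_auth` enabled, and every name in `domains` having a matching `[domain/...]` section. It assumes standard sssd.conf syntax; whether SSSD matches domain names case-insensitively is not verified here, so a case-only mismatch is reported as a warning to confirm rather than an error.

```python
"""Sanity-check an sssd.conf for the settings smart card login in RHEL 8 depends on."""
import configparser

# Constructed copy of the sssd.conf posted in the thread (embedded, not read from disk).
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
domains = rzview2.com
services = nss, pam, pac

[domain/RZVIEW2.COM]
id_provider = ad
auth_provider = ad

[domain/shadowutils]
id_provider = ad

[pam]
pam_cert_auth = True
"""


def _split_list(value):
    """Split a comma-separated sssd.conf value into stripped, non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_sssd_conf(text):
    """Return a list of (level, message) findings; an empty list means nothing to report."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    findings = []
    sssd = cp["sssd"] if cp.has_section("sssd") else {}
    active = _split_list(sssd.get("domains", ""))
    services = _split_list(sssd.get("services", ""))
    sections = {s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")}
    if "pam" not in services:
        findings.append(("error", "services does not include pam"))
    # Certificate authentication at the login screen is switched on in [pam].
    if not cp.has_section("pam") or cp["pam"].get("pam_cert_auth", "false").lower() != "true":
        findings.append(("error", "pam_cert_auth is not enabled in [pam]"))
    for name in active:
        if name in sections:
            continue
        ci = [s for s in sections if s.lower() == name.lower()]
        if ci:
            findings.append(("warn", f"domain '{name}' matches [domain/{ci[0]}] only when case is ignored; confirm"))
        else:
            findings.append(("error", f"domain '{name}' has no [domain/{name}] section"))
    for name in sections:
        if name.lower() not in {a.lower() for a in active}:
            findings.append(("warn", f"[domain/{name}] is not listed in domains, so SSSD will not use it"))
    return findings
```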

Hi ! :)

Unfortunately I can't help you; I suggest contacting Customer Support or opening a Support Case.

Regards,
Christian

Thanks Christian

A support case https://access.redhat.com/support/cases/#/case/02426040 has been created.

You're welcome! Hope it can get sorted out soon. :)

Regards,
Christian