PIV badge smartcard support

In our environment, smartcard (PIV) support is now a must for access to servers. Most workers have them now, but using them to access RHEL machines via SSH and GDM is not easy. Currently we are painfully adding support on an ad-hoc basis to our RHEL machines, involving packages that are not available from the mainstream repositories. We need out-of-the-box, robust support for these cards, preferably in RHEL 6.

Responses

Smartcard support is currently limited at best. This would be good to have completely integrated with PAM.

Additionally, a fast-track to make it easy to support new cards as they come out. This (of course) implies that all current cards should be added to the mix as well.

Add to that:

1) Ability to smart card logon from the console.  You can get it working with Gnome and ssh, but not from the console logon.

2) Integration into FreeIPA.

These two items would greatly help the customers I have worked with meet security requirements.

Thanks for adding to this suggestion, Daniel.

Hi Daniel, I've been searching online for ssh support for smart cards today but with no luck.  Can you point me in the right direction for getting SSH + smart card support?

Hello,

I guess this might be helpful: configuring smartcard authentication with openssh on Red Hat Enterprise Linux 6.

https://access.redhat.com/site/solutions/290743

Nirupama

Hi Nirupama,

Thank you very much, this is very informative.  Can I ask another?

We are currently being instructed by management that we want to "pass through" the smart card device to the Linux server from Windows (either PuTTY or another client application).  They are saying Linux should directly read the hardware device as if it were attached to the Linux server itself, and it should verify the PIN against a certificate on the Windows AD server.  Does this sound right?

Just so I'm being specific, the smart card is physically connected to a Windows computer and no smart card device is physically connected to the Linux server.  Is this possible to accomplish?

Thanks again,

Bryan

Hello Bryan,

I have previously tested this kind of setup with openssh on RHEL, which worked for me. However, I never tested this with PuTTY or any other similar Windows application.

Also, after doing a little googling on it, it seems that PuTTY lacks support for smart-card authentication.

An enhancement request for PuTTY asking for smart card support within the original PuTTY package has been on the PuTTY wishlist for a very long time.

Additionally, please refer to the following links; they may help.

http://smartcard-auth.de/ssh-en.html

http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/smartcard-auth.html

Hope this helps.

Regards,

Nirupama