Better Smart Card Support
Smart Card support is *VERY* important. While RHEL 5 and 6 currently support Smart Cards, getting them up and running is a PITA.
The DoD lives by Smart Cards, and Red Hat's DoD customers would be very happy if Red Hat improved their smart card support to make it:
- Easier to set up DoD CAC Card login capabilities
- SSH support for CAC Cards
- Smart-card authentication for Windows network shares
Please note: Kerberos and LDAP smart card support is not always doable on DoD systems due to political reasons (getting approval from people who generally say 'no' to everything). If, however, Red Hat can make connecting to an AD server as seamless as possible, and even tie in smart card support for that, you will have a lot of happy DoD customers.
Responses
So we are finally taking steps in this direction. Check the 7.2 beta for use cases 1) & 2) using SSSD and IdM.
For 3) AFAIU the only option is to authenticate with a certificate, get a Kerberos ticket and then SSO. This part needs to be deferred till later in SSSD/IdM.
However, pam_pkcs11 and pam_krb5 can be used. pam_pkcs11 got a patch (https://bugzilla.redhat.com/show_bug.cgi?id=1163922) to have better user mapping and not traverse the whole directory, so even without SSSD, where SC support would be fully integrated, the next version should bring better options than in the past.
I have RHEL6 and cannot seem to get the smart card login set up correctly, despite following the directions laid out in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html. I am simply trying to enable DoD CAC login to the workstation, but authentication keeps failing. Is there a simple solution for local user mapping to the token so that I can log in with a token even when offline?
Hello,
Have you had a chance to take a look at the recent blogs about smart cards: http://rhelblog.redhat.com/2017/10/06/picking-your-deployment-architecture/ Did you follow the provided references?
Local user mapping would have to be done using a local mapping file and the pam_pkcs11 module. It would not scale if you need to do it for more than one system. Keeping these files up to date across multiple systems is the main reason IdM and SSSD added more support for central SC management.
Thank you, Dmitri
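As an added example (not code from the thread or from the pam_pkcs11 project), here is a small offline check for the local-mapping approach described in the reply above: it parses a pam_pkcs11-style subject mapping file, resolves which local login a given card subject would map to, and flags duplicate subjects, which is a typical cause of a card that "keeps failing" at the login prompt. It assumes the `subject DN -> login` line format of pam_pkcs11's subject mapper, that the DN is in OpenSSL one-line form as printed by `openssl x509 -noout -subject`, and that `ignorecase` mirrors the mapper option of the same name; all DNs and logins in it are constructed sample data.

```python
"""Resolve which local account a pam_pkcs11-style subject mapping file selects.

Added example, not part of the discussion thread. Assumptions: the mapping
file uses the `<subject DN> -> <login>` line format of pam_pkcs11's subject
mapper, the DN is in OpenSSL one-line form (as printed by
`openssl x509 -noout -subject`), and `ignorecase` mirrors the mapper option
of the same name. All DNs and logins below are constructed sample data.
"""
from __future__ import annotations

import re

# Constructed sample mapping file (the kind kept in /etc/pam_pkcs11/subject_mapping).
SAMPLE_MAPPING = """\
# subject DN on the card -> local login
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=DOE.JANE.0000000001 -> jdoe
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=SMITH.JOHN.0000000002 -> jsmith
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=SMITH.JOHN.0000000002 -> admin

# blank and comment lines are ignored
"""

LINE_RE = re.compile(r"^\s*(?P<subject>.+?)\s*->\s*(?P<login>\S+)\s*$")


def parse_mapping(text: str) -> list[tuple[str, str]]:
    """Return (subject, login) pairs in file order, skipping comments and blanks.

    A line that is neither blank, a comment, nor `subject -> login` raises,
    because a silently ignored typo is exactly the failure mode that surfaces
    as an unexplained "authentication failed" at the login prompt.
    """
    pairs: list[tuple[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not of the form 'subject -> login': {raw!r}")
        pairs.append((m["subject"], m["login"]))
    return pairs


def resolve_login(subject: str, pairs: list[tuple[str, str]], ignorecase: bool = False) -> str | None:
    """First matching login, or None if the card's subject is not mapped at all."""
    want = subject.lower() if ignorecase else subject
    for mapped_subject, login in pairs:
        have = mapped_subject.lower() if ignorecase else mapped_subject
        if have == want:
            return login
    return None


def duplicate_subjects(pairs: list[tuple[str, str]], ignorecase: bool = False) -> dict[str, list[str]]:
    """Subjects listed more than once, with every login they map to.

    Only the first line wins at login time, so a later duplicate is a
    configuration error that is easy to miss when the file is edited by hand
    on each workstation separately.
    """
    seen: dict[str, list[str]] = {}
    for mapped_subject, login in pairs:
        key = mapped_subject.lower() if ignorecase else mapped_subject
        seen.setdefault(key, []).append(login)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    mapping = parse_mapping(SAMPLE_MAPPING)
    # Constructed subject, as it would appear on the card's certificate.
    card = "/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=DOE.JANE.0000000001"
    print("card maps to:", resolve_login(card, mapping))
    for subj, logins in duplicate_subjects(mapping).items():
        print("duplicate mapping:", subj, "->", logins)
```

Run it against the real mapping file and the subject printed by `openssl x509 -noout -subject` on the card's certificate to confirm the DN string matches character for character; a case or whitespace difference is the usual reason a hand-maintained mapping silently fails, and the duplicate check catches the other common editing mistake.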
