9.7. Smart Cards

Authentication based on smart cards is an alternative to passwords. User credentials are stored on the smart card, and special software and hardware is used to access them. In order to authenticate this way, the user must place the smart card into a reader and then supply the PIN code for the smart card.
Red Hat Enterprise Linux 6 clients can use local smart card authentication if they run SSSD and are enrolled with an Identity Management server based on Red Hat Enterprise Linux 7.3 or later.

9.7.1. Smart Card and Smart Card Reader Support in Identity Management

If your smart card is supported by the coolkey package, the required PKCS #11 module is already present in the central /etc/pki/nssdb/ NSS database after the installation of these packages.
If your smart card is not supported, run the following steps:
  1. Add the required PKCS #11 module manually using the modutil utility. For example:
    [root@ipaclient ~]# modutil -dbdir /etc/pki/nssdb/ -add "My PKCS#11 module" -libfile libmypkcs11.so
    ...
    Module "My PKCS#11 Module" added to database.
    For detailed information on using modutil, see the modutil(1) man page.
  2. Add all certificate authority (CA) certificates to the NSS database that are required to validate the certificate on the smart card. For example, to add the CA certificate in the ca_certificate.pem file to the NSS database:
    [root@ipaclient ~]# certutil -A -d /etc/pki/nssdb/ -n 'CA certificate' -t CT,C,C -a -i ca_certificate.pem
    For detailed information on using certutil, see the certutil(1) man page.

9.7.2. Exporting a Certificate From a Smart Card

  1. Place the smart card into the reader.
  2. Run the following command to list the certificates on the smart card:
    [user@ipaclient ~]$ certutil -L -d /etc/pki/nssdb/ -h all
    Certificate Nickname         Trust Attributes
                                 SSL,S/MIME,JAR/XPI
    
    my_certificate               CT,C,C
    In the output, locate the certificate to use for authentication, and note its nickname.
  3. To extract the certificate in Base64 format to user.crt, use the nickname from the previous step:
    [user@ipaclient ~]$ certutil -L -d /etc/pki/nssdb/ -n 'my_certificate' -r | base64 -w 0 > user.crt
    The base64 utility is part of the coreutils package.

9.7.3. Storing Smart Card Certificates for IdM Users

To store a smart card certificate for a user, add the certificate on a Red Hat Enterprise Linux 7 server. See Managing Certificates Issued by External CAs in the Linux Domain Identity, Authentication, and Policy Guide.

9.7.4. Smart Card Authentication on Identity Management Clients

Red Hat Identity Management (IdM) supports two smart card-based authentication options:
Local authentication
  • Text console
  • Graphical console, such as the Gnome Display Manager (GDM)
  • Local authentication services, like su, or sudo
Remote authentication with ssh
Certificates on a smart card are stored together with the PIN-protected SSH private key.

Note

IdM only supports the above-mentioned local authentication services and ssh for smart card authentication. Other services, such as FTP, are not supported.
With SSSD-based smart card authentication configured, the system prompts for the smart card PIN code after the user attempts to log in. The user is successfully authenticated if the supplied PIN is correct, the certificate on the smart card is valid,and belongs to the user attempting to log in, and other configurable criteria are met.

9.7.4.1. Configuring Smart Card Authentication on an IdM Client

To be able to authenticate using smart cards on a client, run the following steps:
  1. To enable smart card support, allow SSSD to prompt for password, one-time password (OTP), or the smart card PIN. To do this, modify the auth lines of the /etc/pam.d/password-auth and /etc/pam.d/system-auth PAM configuration files.
    1. Remove the following lines of the default /etc/pam.d/password-auth:
      auth        required      pam_env.so
      auth        sufficient    pam_unix.so nullok try_first_pass
      auth        requisite     pam_succeed_if.so uid >= 500 quiet
      auth        sufficient    pam_sss.so use_first_pass
      auth        required      pam_deny.so
      
      Replace them with these lines:
      auth        required      pam_env.so
      auth        [default=1 success=ok] pam_localuser.so
      auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
      auth        requisite     pam_succeed_if.so uid >= 500 quiet
      auth        sufficient    pam_sss.so forward_pass
      auth        required      pam_deny.so
      
    2. Similarly, remove the following lines of the default /etc/pam.d/system-auth:
      auth        required      pam_env.so
      auth        sufficient    pam_unix.so nullok try_first_pass
      auth        requisite     pam_succeed_if.so uid >= 500 quiet
      auth        sufficient    pam_sss.so use_first_pass
      auth        required      pam_deny.so
      
      Replace them with these lines:
      auth        required      pam_env.so
      auth        [default=1 success=ok] pam_localuser.so
      auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
      auth        requisite     pam_succeed_if.so uid >= 500 quiet
      auth        sufficient    pam_sss.so forward_pass
      auth        required      pam_deny.so
      
  2. Set the following option in your /etc/sssd/sssd.conf to true:
    [pam]
    pam_cert_auth=true
  3. Restart SSSD:
    [root@ipaclient ~]# systemctl restart sssd

9.7.4.2. SSH Log in Using a Smart Card

If you are logging in with ssh when authenticating with a smart card, you have to additionally specify the following path to the smart card reader module. For example:
$ ssh -I /usr/lib/libmypkcs11.so -l user@example.com host.example.com
Enter PIN for 'Smart Card':