23.2. Authenticating to an Identity Management Client with a Smart Card
23.2.1. Smart Card-based Authentication Options Supported on Identity Management Clients
- Local authentication, which includes authentication using:
  - the text console
  - the graphical console, such as the Gnome Display Manager (GDM)
  - local authentication services, such as
- Remote authentication with
  Certificates on a smart card are stored together with the PIN-protected SSH private key.
23.2.2. Preparing the Identity Management Client for Smart-card Authentication
- On the server, create a shell script to configure the client.
  - Use the ipa-advise config-client-for-smart-card-auth command, and save its output to a file:
    ipa-advise config-client-for-smart-card-auth > client_smart_card_script.sh
  - Open the script file, and review its contents.
  - Add execute permissions to the file using chmod:
    chmod +x client_smart_card_script.sh
- Copy the script to the client, and run it. Add the path to the PEM file with the certificate authority (CA) that signed the smart card certificate:
- On the Identity Management server, install the CA certificate:
    ipa-cacert-manage -n "SmartCard CA" -t CT,C,C install ca.pem
    ipa-certupdate
  Repeat ipa-certupdate also on all replicas and clients.
- Restart the HTTP server:
    systemctl restart httpd
  Repeat systemctl restart httpd also on all replicas.
If certificate verification on the client fails, you can adjust the certificate_verification parameter in sssd.conf, for example if the Online Certificate Status Protocol (OCSP) servers defined in the certificate are not reachable from the client. For more information, see the sssd.conf(5) man page.
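As an added example that is not part of the original guide, the following sssd.conf excerpt shows the certificate_verification parameter with the setting that switches verification off entirely beside the narrower adjustment for an unreachable OCSP responder; the responder URL is an assumed placeholder and option availability depends on the SSSD version.

```ini
# /etc/sssd/sssd.conf (excerpt). certificate_verification is a comma-separated
# list of options in the [sssd] section; sssd.conf(5) lists the full set.

[sssd]
# Weak: no_verification turns certificate verification off altogether, so SSSD
# no longer checks that the card's certificate chains to a trusted CA or that
# it has not been revoked. Shown only for contrast.
#certificate_verification = no_verification

# Narrower fix for an unreachable OCSP responder: skip only the OCSP query;
# the certificate chain is still validated against the trusted CAs.
certificate_verification = no_ocsp

# Alternative: keep OCSP but query a responder the client can reach instead of
# the URL embedded in the certificate (placeholder URL; some SSSD builds also
# require ocsp_default_responder_signing_cert, see sssd.conf(5)).
#certificate_verification = ocsp_default_responder=http://ocsp.example.com/
```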
23.2.3. Authenticating on an Identity Management Client with a Smart Card Using the Console Login
- When logging in from the command line:
    client login: idm_user
    PIN for PIV Card Holder pin (PIV_II) for user firstname.lastname@example.org:
- When logging in using the Gnome Desktop Manager (GDM), GDM prompts you for the smart card PIN after you select the required user:
Figure 23.3. Entering the smart card PIN in the Gnome Desktop Manager
23.2.4. Authenticating on an Identity Management Client with a Smart Card Using SSH
When using the ssh utility, specify the path to the smart card reader module. For example:
    ssh -I /usr/lib/libmypkcs11.so -l email@example.com host.example.com
    Enter PIN for 'Smart Card':
23.2.5. Additional Resources
- For details on smart-card authentication with OpenSSH, see Using Smart Cards to Supply Credentials to OpenSSH in the Security Guide.