23.3. Authenticating to an Identity Management System Remotely with a Smart Card
As an Identity Management user with multiple role accounts in the Identity Management server, you can authenticate with your smart card from a local system (not enrolled into the Identity Management domain) to a remote system (enrolled in the Identity Management domain) by using the ssh utility. This enables you to use the remote system as the selected role.
For information on configuring the environment to enable the authentication, see:
For information on how to authenticate, see:
23.3.1. Preparing the Local System for Smart-card Authentication
As the administrator, perform these steps on the local system:
- Install the opensc package:
  # yum install opensc
- Make sure the pcscd service for the smart-card daemon is started and enabled:
  # systemctl start pcscd.socket pcscd.service
  # systemctl enable pcscd.socket pcscd.service
Additionally, if an external certificate authority (CA) signed the certificate on the smart card, add the smart card CA as a trusted CA:
- On the Identity Management server, install the CA certificate:
  # ipa-cacert-manage -n "SmartCard CA" -t CT,C,C install ca.pem
  # ipa-certupdate
  Repeat ipa-certupdate also on all replicas and clients.
- Restart the HTTP server on the Identity Management server:
  # systemctl restart httpd
  Repeat systemctl restart httpd also on all replicas.
23.3.2. Preparing the Remote Identity Management System for Smart-card Authentication
As the administrator, perform these steps:
- Install the smart card certificate authority (CA) certificate in the /etc/pki/nssdb/ database on the remote system:
  # certutil -A -d /etc/pki/nssdb/ -n "SmartCard CA" -t CT,C,C -i ca.pem
- Make sure the sssd-dbus package is installed.
23.3.3. Linking the Smart Card Certificate and the User Entry in Active Directory
If the user entry is stored in Active Directory, the administrator must link the entry with the smart card certificate. See Section 23.1.2.3, “Linking an Active Directory User Account and a Smart Card”.
23.3.4. Authenticating to the Remote System from the Local System
On the local system, perform these steps:
- Insert the smart card.
- Launch ssh, and specify the PKCS#11 library with the -I option:
  - As an Identity Management user:
    $ ssh -I /usr/lib64/opensc-pkcs11.so -l idm_user server.idm.example.com
    Enter PIN for 'PIV_II (PIV Card Holder pin)':
    Last login: Thu Apr 6 12:49:32 2017 from 10.36.116.42
  - As an Active Directory user:
    $ ssh -I /usr/lib64/opensc-pkcs11.so -l ad_user@ad.example.com server.idm.example.com
    Enter PIN for 'PIV_II (PIV Card Holder pin)':
    Last login: Thu Apr 6 12:49:32 2017 from 10.36.116.42
- Optional. Use the id utility to check that you are logged in as the intended user.
  - As an Identity Management user:
    $ id
    uid=1928200001(idm_user) gid=1928200001(idm_user) groups=1928200001(idm_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
  - As an Active Directory user:
    $ id
    uid=1171201116(ad_user@ad.example.com) gid=1171201116(ad_user@ad.example.com) groups=1171201116(ad_user@ad.example.com),1171200513(domain users@ad.example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
If the authentication fails, see Section A.4, “Investigating Smart Card Authentication Failures”.
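The procedure above, wrapped as shell helpers for the local system: an added example, not part of the Red Hat documentation. It checks the local prerequisites from Section 23.3.1, builds the ssh -I login command, and parses the id output to confirm the session really runs as the intended role account (the check the optional step above performs by eye). It assumes OpenSC's PKCS#11 module is at /usr/lib64/opensc-pkcs11.so, the path used on this page, and reuses the page's example host and user names.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: helper functions for the
# local system that wrap the smart-card ssh login described above and verify
# from the id output that the session runs as the intended role account.
# Assumption: OpenSC's PKCS#11 module is /usr/lib64/opensc-pkcs11.so (the path
# used on this page); hosts and users are the page's example names.

PKCS11_LIB="${PKCS11_LIB:-/usr/lib64/opensc-pkcs11.so}"

# id(1) outputs copied from the page, used as sample input for verify_role.
SAMPLE_ID_IDM='uid=1928200001(idm_user) gid=1928200001(idm_user) groups=1928200001(idm_user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
SAMPLE_ID_AD='uid=1171201116(ad_user@ad.example.com) gid=1171201116(ad_user@ad.example.com) groups=1171201116(ad_user@ad.example.com),1171200513(domain users@ad.example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# Local prerequisites from Section 23.3.1: PKCS#11 module readable, opensc
# tools installed, pcscd socket active. Needs a real host; not self-tested.
check_local_prereqs() {
    [ -r "$PKCS11_LIB" ] || { echo "missing PKCS#11 module: $PKCS11_LIB" >&2; return 1; }
    command -v pkcs11-tool >/dev/null 2>&1 || { echo "opensc is not installed" >&2; return 1; }
    systemctl is-active --quiet pcscd.socket || { echo "pcscd.socket is not active" >&2; return 1; }
}

# Public keys the card exposes through the module; these are what ssh -I offers.
list_card_keys() {
    ssh-keygen -D "$PKCS11_LIB"
}

# Build the login command; the user is either idm_user or
# ad_user@ad.example.com and is passed unchanged to -l.
build_ssh_cmd() {
    printf 'ssh -I %s -l %s %s\n' "$PKCS11_LIB" "$1" "$2"
}

# Extract the account name from id(1) output of the form uid=NNN(name) ...
uid_name() {
    printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'
}

# Succeed only when the id output names the intended role account.
verify_role() {
    id_name=$(uid_name "$2")
    [ -n "$id_name" ] && [ "$id_name" = "$1" ]
}

# Log in with the card, run id on the remote side and verify the role.
smartcard_login_check() {
    id_out=$(ssh -I "$PKCS11_LIB" -l "$1" "$2" id) || return 1
    verify_role "$1" "$id_out"
}
```

Run check_local_prereqs and list_card_keys before the first login to separate local setup problems (missing module, pcscd not running, no key on the card) from server-side mapping failures; smartcard_login_check then fails if the remote id names any account other than the one requested.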
23.3.5. Additional Resources
- Authentication using ssh with a smart card does not obtain a ticket-granting ticket (TGT) on the remote system. To obtain a TGT on the remote system, the administrator must configure Kerberos on the local system and enable Kerberos delegation. For an example of the required configuration, see this Kerberos knowledge base entry.
- For details on smart-card authentication with OpenSSH, see Using Smart Cards to Supply Credentials to OpenSSH in the Security Guide.
