Show Table of Contents
11.4. Setting up a Kerberos Client for Smart Cards
Smart cards can be used with Kerberos, but it requires additional configuration to recognize the X.509 (SSL) user certificates on the smart cards:
- Install the required PKI/OpenSSL package, along with the other client packages:
[root@server ~]# yum install krb5-pkinit [root@server ~]# yum install krb5-workstation krb5-libs
- Edit the
/etc/krb5.confconfiguration file to add a parameter for the public key infrastructure (PKI) to the[realms]section of the configuration. Thepkinit_anchorsparameter sets the location of the CA certificate bundle file.[realms] EXAMPLE.COM = { kdc = kdc.example.com.:88 admin_server = kdc.example.com default_domain = example.com ... pkinit_anchors = FILE:/usr/local/example.com.crt } - Add the PKI module information to the PAM configuration for both smart card authentication (
/etc/pam.d/smartcard-auth) and system authentication (/etc/pam.d/system-auth). The line to be added to both files is as follows:auth optional pam_krb5.so use_first_pass no_subsequent_prompt preauth_options=X509_user_identity=PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so
If the OpenSC module does not work as expected, use the module from the coolkey package:/usr/lib64/pkcs11/libcoolkeypk11.so. In this case, consider contacting Red Hat Technical Support or filing a Bugzilla report about the problem.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.