Chapter 5. Configuring smart cards using authselect
This section describes how to configure your smart card to achieve one of the following aims:
- Enable both password and smart card authentication
- Disable password and enable smart card authentication
- Enable lock on removal
Prerequisites
- Authselect installed
  The authselect tool configures user authentication on Linux hosts, and you can use it to configure smart card authentication parameters. For details about authselect, see Configuring user authentication using authselect.
- Smart Card or USB device supported by RHEL 8
  For details, see Smart Card support in RHEL8.
5.1. Certificates eligible for smart cards
Before you can configure a smart card with authselect, you must import a certificate into your card. You can use the following tools to generate the certificate:
- Active Directory (AD)
- Identity Management (IdM)
  For details about how to create IdM certificates, see Requesting a new user certificate and exporting it to the client.
- Red Hat Certificate System (RHCS)
  For details, see Managing Smart Cards with the Enterprise Security Client.
- Local Certification Authority. You can use a certificate generated by the Local Certification Authority if the user is not part of a domain or for testing purposes.
  For details about how to create and import local certificates into a smart card, see Configuring and importing local certificates to a smart card.
5.2. Enabling user password authentication to configure smart card authentication
This section describes how to enable both smart card and password authentication on your system.
Prerequisites
- The smart card contains your certificate and private key.
- The card is inserted into the reader and connected to the computer.
- The authselect tool is installed on your system.
Procedure
Enter the following command to allow smart card and password authentication:
# authselect select sssd with-smartcard --force
At this point, smart card authentication is enabled. However, password authentication still works if you forget your smart card at home.
5.3. Configuring authselect to enforce smart card authentication
The authselect tool enables you to configure smart card authentication on your system and to disable the default password authentication. The authselect command must include the following options:
- with-smartcard: enabling smart card authentication
- with-smartcard-required: enabling exclusive smart card authentication (authentication with a password is disabled)
Prerequisites
- The smart card contains your certificate and private key.
- The card is inserted into the reader and connected to the computer.
- The authselect tool is installed on your local system.
Procedure
Enter the following command to enforce smart card authentication:
# authselect select sssd with-smartcard with-smartcard-required --force
At this point, you can only log in with a smart card. Password authentication no longer works.
5.4. Configuring smart card authentication with lock on removal
The authselect tool enables you to configure your smart card authentication to lock your screen instantly after removing the smart card from the reader. The authselect command must include the following options:
- with-smartcard: enabling smart card authentication
- with-smartcard-required: enabling exclusive smart card authentication (authentication with a password is disabled)
- with-smartcard-lock-on-removal: enforcing log out after the smart card removal
Prerequisites
- The smart card contains your certificate and private key.
- The card is inserted into the reader and connected to the computer.
- The authselect tool is installed on your local system.
Procedure
Enter the following command to enable smart card authentication, disable password authentication, and enforce lock on removal:
# authselect select sssd with-smartcard with-smartcard-required with-smartcard-lock-on-removal --force
Now, when you remove the card, the screen locks. You must re-insert your smart card to unlock it.
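To confirm which of the three configurations from sections 5.2 to 5.4 is active on a host, you can classify the output of `authselect current --raw`. The following shell script is an added example, not part of the original documentation; the function names and the mode labels are illustrative assumptions, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original documentation.
# Input format: the line printed by `authselect current --raw`.

# has_feature LIST FEATURE: succeed if FEATURE is a whole word in LIST.
has_feature() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_smartcard_mode RAW: print the login policy the selection gives.
classify_smartcard_mode() {
    raw=$1
    profile=${raw%% *}
    if [ "$profile" != "sssd" ]; then
        echo "not-sssd-profile"; return 0
    fi
    if ! has_feature "$raw" with-smartcard; then
        # The page lists with-smartcard as mandatory for the other two options.
        if has_feature "$raw" with-smartcard-required ||
           has_feature "$raw" with-smartcard-lock-on-removal; then
            echo "incomplete-missing-with-smartcard"
        else
            echo "smartcard-not-enabled"
        fi
        return 0
    fi
    mode="smartcard-or-password"
    if has_feature "$raw" with-smartcard-required; then mode="smartcard-only"; fi
    if has_feature "$raw" with-smartcard-lock-on-removal; then mode="$mode+lock-on-removal"; fi
    echo "$mode"
}

# Constructed sample inputs matching the three commands on this page.
for sample in \
    "sssd with-smartcard" \
    "sssd with-smartcard with-smartcard-required" \
    "sssd with-smartcard with-smartcard-required with-smartcard-lock-on-removal"
do
    printf '%-80s -> %s\n' "$sample" "$(classify_smartcard_mode "$sample")"
done

# On a real host, classify the live selection (needs authselect installed).
if command -v authselect >/dev/null 2>&1; then
    classify_smartcard_mode "$(authselect current --raw)"
fi
```

A result of `smartcard-or-password` on a host that is meant to enforce smart card login means password authentication is still accepted there.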