Chapter 7. Configuring smart card authentication using authselect

This section describes how to configure your smart card to achieve one of the following aims:

  • Enable both password and smart card authentication
  • Disable password and enable smart card authentication
  • Enable lock on removal

Prerequisites

7.1. Certificates eligible for smart cards

Before you can configure a smart card with authselect, you must import a certificate into your card. You can use the following tools to generate the certificate:

7.2. Configure your system to enable both smart card and password authentication

This section describes how to enable both smart card and password authentication on your system.

Prerequisites

  • The Smart card contains your certificate and private key.
  • The card is inserted into the reader and connected to the computer.
  • The authselect tool is installed on your system.

Procedure

  • Enter the following command to allow smart card and password authentication: 

    # authselect select sssd with-smartcard --force

At this point, smart card authentication is enabled, however, password authentication will work if you forget your smart card at home.

7.3. Configuring your system to enforce smart card authentication

The authselect tool enables you to configure smart card authentication on your system and to disable the default password authentication. The authselect command includes the following options:

  • with-smartcard — enables smart card authentication in addition to password authentication
  • with-smartcard-required  — enables smart card authentication and disables password authentication
Note

The with-smartcard-required option only enforces exclusive smart card authentication for login services, such as login, gdm, xdm, kdm, xscreensaver, gnome-screensaver, and kscreensaver. Other services, such as su or sudo for switching users, do not use smart card authentication by default and will continue to prompt you for a password.

Prerequisites

  • Smart card contains your certificate and private key.
  • The card is inserted into the reader and connected to the computer.
  • The authselect tool is installed on your local system.

Procedure

  • Enter the following command to enforce smart card authentication: 

    # authselect select sssd with-smartcard  with-smartcard-required --force
Note

Once you run this command, password authentication will no longer work and you can only log in with a smart card. Ensure smart card authentication is working before running this command or you may be locked out of your system.

7.4. Configuring smart card authentication with lock on removal

The authselect service enables you to configure your smart card authentication to lock your screen instantly after removing the smart card from the reader. The authselect command must include the following variables:

  • with-smartcard — enabling smart card authentication
  • with-smartcard-required — enabling exclusive smart card authentication (authentication with a password is disabled)

  • with-smartcard-lock-on-removal — enforcing log out after the smart card removal

    Note

    The with-smartcard-lock-on-removal option only works on systems with the GNOME desktop environment. If you are using a system that is tty or console based and you remove your smart card from its reader, you are not automatically locked out of the system.

Prerequisites

  • Smart card contains your certificate and private key.
  • The card is inserted into the reader and connected to the computer.
  • The authselect tool is installed on your local system.

Procedure

  • Enter the following command to enable smart card authentication, disable password authentication, and enforce lock on removal: 

    # authselect select sssd  with-smartcard  with-smartcard-required with-smartcard-lock-on-removal --force

Now, when you remove the card, the screen locks. You must re-insert your smart card to unlock it.