Procedure

1. Create a directory in which you will do the configuration:

   [root@server]# mkdir ~/SmartCard/

2. Navigate to the directory:

   [root@server]# cd ~/SmartCard/

3. Obtain the relevant CA certificates stored in files in PEM format. If your CA certificate is stored in a file of a different format, such as DER, convert it to PEM format. The IdM Certificate Authority certificate is in PEM format and is located in the /etc/ipa/ca.crt file.

   Convert a DER file to a PEM file:

   # openssl x509 -in <filename>.der -inform DER -out <filename>.pem -outform PEM

4. For convenience, copy the certificates to the directory in which you want to do the configuration:

   [root@server SmartCard]# cp /tmp/rootca.pem ~/SmartCard/
   [root@server SmartCard]# cp /tmp/subca.pem ~/SmartCard/
   [root@server SmartCard]# cp /tmp/issuingca.pem ~/SmartCard/

5. Optionally, if you use certificates of external certificate authorities, use the openssl x509 utility to view the contents of the files in the PEM format to check that the Issuer and Subject values are correct:

   [root@server SmartCard]# openssl x509 -noout -text -in rootca.pem | more

6. Generate a configuration script with the in-built ipa-advise utility, using the administrator’s privileges:

   [root@server SmartCard]# kinit admin
   [root@server SmartCard]# ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh

   The config-server-for-smart-card-auth.sh script performs the following actions:

   • It configures the IdM Apache HTTP Server.
   • It enables Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) on the Key Distribution Center (KDC).
   • It configures the IdM Web UI to accept smart card authorization requests.

7. Execute the script, adding the PEM files containing the root CA and sub CA certificates as arguments:

   [root@server SmartCard]# chmod +x config-server-for-smart-card-auth.sh
   [root@server SmartCard]# ./config-server-for-smart-card-auth.sh rootca.pem subca.pem issuingca.pem
   Ticket cache:KEYRING:persistent:0:0
   Default principal: admin@IDM.EXAMPLE.COM
   [...]
   Systemwide CA database updated.
   The ipa-certupdate command was successful

   Note

   Ensure that you add the root CA’s certificate as an argument before any sub CA certificates and that the CA or sub CA certificates have not expired.

8. Optionally, if the certificate authority that issued the user certificate does not provide any Online Certificate Status Protocol (OCSP) responder, you may need to disable OCSP check for authentication to the IdM Web UI:

   1. Set the SSLOCSPEnable parameter to off in the /etc/httpd/conf.d/ssl.conf file:

      SSLOCSPEnable off

   2. Restart the Apache daemon (httpd) for the changes to take effect immediately:

      [root@server SmartCard]# systemctl restart httpd

   Warning

   Do not disable the OCSP check if you only use user certificates issued by the IdM CA. OCSP responders are part of IdM.

   For instructions on how to keep the OCSP check enabled, and yet prevent a user certificate from being rejected by the IdM server if it does not contain the information about the location at which the CA that issued the user certificate listens for OCSP service requests, see the SSLOCSPDefaultResponder directive in Apache mod_ssl configuration options.

Procedure

1. On an IdM server, generate a configuration script with ipa-advise using the administrator’s privileges:

   [root@server SmartCard]# kinit admin
   [root@server SmartCard]# ipa-advise config-client-for-smart-card-auth > config-client-for-smart-card-auth.sh

   The config-client-for-smart-card-auth.sh script performs the following actions:

   • It configures the smart card daemon.
   • It sets the system-wide trust store.
   • It configures the System Security Services Daemon (SSSD) to allow users to authenticate with either their user name and password or with their smart card. For more details on SSSD profile options for smart card authentication, see Smart card authentication options in RHEL.

2. From the IdM server, copy the script to a directory of your choice on the IdM client machine:

   [root@server SmartCard]# scp config-client-for-smart-card-auth.sh root@client.idm.example.com:/root/SmartCard/
   Password:
   config-client-for-smart-card-auth.sh        100%   2419       3.5MB/s   00:00

3. From the IdM server, copy the CA certificate files in PEM format for convenience to the same directory on the IdM client machine as used in the previous step:

   [root@server SmartCard]# scp {rootca.pem,subca.pem,issuingca.pem} root@client.idm.example.com:/root/SmartCard/
   Password:
   rootca.pem                          100%   1237     9.6KB/s   00:00
   subca.pem                           100%   2514    19.6KB/s   00:00
   issuingca.pem                       100%   2514    19.6KB/s   00:00

4. On the client machine, execute the script, adding the PEM files containing the CA certificates as arguments:

   [root@client SmartCard]# kinit admin
   [root@client SmartCard]# chmod +x config-client-for-smart-card-auth.sh
   [root@client SmartCard]# ./config-client-for-smart-card-auth.sh rootca.pem subca.pem issuingca.pem
   Ticket cache:KEYRING:persistent:0:0
   Default principal: admin@IDM.EXAMPLE.COM
   [...]
   Systemwide CA database updated.
   The ipa-certupdate command was successful

   Note

   Ensure that you add the root CA’s certificate as an argument before any sub CA certificates and that the CA or sub CA certificates have not expired.

Procedure

1. Log into the IdM Web UI as an administrator if you want to add a certificate to another user. For adding a certificate to your own profile, you do not need the administrator’s credentials.
2. Navigate to Users → Active users → sc_user.
3. Find the Certificate option and click Add.

4. In the Command-Line Interface, display the certificate in the PEM format using the cat utility or a text editor:

   [user@client SmartCard]$ cat testuser.crt

5. Copy and paste the certificate from the CLI into the window that has opened in the Web UI.

6. Click Add.

   Figure 2.1. Adding a new certificate in the IdM Web UI

   

Procedure

1. Log into the IdM CLI as an administrator if you want to add a certificate to another user:

   [user@client SmartCard]$ kinit admin

   For adding a certificate to your own profile, you do not need the administrator’s credentials:

   [user@client SmartCard]$ kinit sc_user

2. Create an environment variable containing the certificate with the header and footer removed and concatenated into a single line, which is the format expected by the ipa user-add-cert command:

   [user@client SmartCard]$ export CERT=`openssl x509 -outform der -in testuser.crt | base64 -w0 -`

   Note that certificate in the testuser.crt file must be in the PEM format.

3. Add the certificate to the profile of sc_user using the ipa user-add-cert command:

   [user@client SmartCard]$ ipa user-add-cert sc_user --certificate=$CERT

Procedure

1. Install the opensc and gnutls-utils packages:

   # dnf -y install opensc gnutls-utils

2. Start the pcscd service.

   # systemctl start pcscd

Procedure

1. Erase your smart card and authenticate yourself with your PIN:

   $ pkcs15-init --erase-card --use-default-transport-keys
   Using reader with a card: Reader name
   PIN [Security Officer PIN] required.
   Please enter PIN [Security Officer PIN]:

   The card has been erased.

2. Initialize your smart card, set your user PIN and PUK, and your Security Officer PIN and PUK:

   $ pkcs15-init --create-pkcs15 --use-default-transport-keys \
       --pin 963214 --puk 321478 --so-pin 65498714 --so-puk 784123
   Using reader with a card: Reader name

   The pcks15-init tool creates a new slot on the smart card.

3. Set the label and the authentication ID for the slot:

   $ pkcs15-init --store-pin --label testuser \
       --auth-id 01 --so-pin 65498714 --pin 963214 --puk 321478
   Using reader with a card: Reader name

   The label is set to a human-readable value, in this case, testuser. The auth-id must be two hexadecimal values, in this case it is set to 01.

4. Store and label the private key in the new slot on the smart card:

   $ pkcs15-init --store-private-key testuser.key --label testuser_key \
       --auth-id 01 --id 01 --pin 963214
   Using reader with a card: Reader name

   Note

   The value you specify for --id must be the same when storing your private key and storing your certificate in the next step. Specifying your own value for --id is recommended as otherwise a more complicated value is calculated by the tool.

5. Store and label the certificate in the new slot on the smart card:

   $ pkcs15-init --store-certificate testuser.crt --label testuser_crt \
       --auth-id 01 --id 01 --format pem --pin 963214
   Using reader with a card: Reader name

6. (Optional) Store and label the public key in the new slot on the smart card:

   $ pkcs15-init --store-public-key testuserpublic.key
       --label testuserpublic_key --auth-id 01 --id 01 --pin 963214
   Using reader with a card: Reader name

   Note

   If the public key corresponds to a private key or certificate, specify the same ID as the ID of the private key or certificate.

7. (Optional) Certain smart cards require you to finalize the card by locking the settings:

   $ pkcs15-init -F

   At this stage, your smart card includes the certificate, private key, and public key in the newly created slot. You have also created your user PIN and PUK and the Security Officer PIN and PUK.

Procedure

1. Open the IdM Web UI in the browser.

2. Click Log In Using Certificate.

   

3. If the Password Required dialog box opens, add the PIN to unlock the smart card and click the OK button.

   The User Identification Request dialog box opens.

   If the smart card contains more than one certificate, select the certificate you want to use for authentication in the drop down list below Choose a certificate to present as identification.

4. Click the OK button.

Procedure

1. Insert the smart card in the reader.
2. Enter the smart card PIN.
3. Click Sign In.

Procedure

1. Connect from the IdM server and copy the adcs-winserver-ca.cer root certificate to the IdM server:

   root@idmserver ~]# sftp Administrator@winserver.ad.example.com
   Administrator@winserver.ad.example.com's password:
   Connected to Administrator@winserver.ad.example.com.
   sftp> cd <Path to certificates>
   sftp> ls
   adcs-winserver-ca.cer    aduser1.pfx
   sftp>
   sftp> get adcs-winserver-ca.cer
   Fetching <Path to certificates>/adcs-winserver-ca.cer to adcs-winserver-ca.cer
   <Path to certificates>/adcs-winserver-ca.cer                 100%  1254    15KB/s 00:00
   sftp quit

2. Connect from the IdM client and copy the aduser1.pfx user certificate to the client:

   [root@client1 ~]# sftp Administrator@winserver.ad.example.com
   Administrator@winserver.ad.example.com's password:
   Connected to Administrator@winserver.ad.example.com.
   sftp> cd /<Path to certificates>
   sftp> get aduser1.pfx
   Fetching <Path to certificates>/aduser1.pfx to aduser1.pfx
   <Path to certificates>/aduser1.pfx                 100%  1254    15KB/s 00:00
   sftp quit

Procedure

1. On the IdM server, use the ipa-advise script for configuring a client:

   [root@idmserver ~]# ipa-advise config-client-for-smart-card-auth > sc_client.sh

2. On the IdM server, use the ipa-advise script for configuring a server:

   [root@idmserver ~]# ipa-advise config-server-for-smart-card-auth > sc_server.sh

3. On the IdM server, execute the script:

   [root@idmserver ~]# sh -x sc_server.sh adcs-winserver-ca.cer

   • It configures the IdM Apache HTTP Server.
   • It enables Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) on the Key Distribution Center (KDC).
   • It configures the IdM Web UI to accept smart card authorization requests.

4. Copy the sc_client.sh script to the client system:

   [root@idmserver ~]# scp sc_client.sh root@client1.idm.example.com:/root
   Password:
   sc_client.sh                  100%  2857   1.6MB/s   00:00

5. Copy the Windows certificate to the client system:

   [root@idmserver ~]# scp adcs-winserver-ca.cer root@client1.idm.example.com:/root
   Password:
   adcs-winserver-ca.cer                 100%  1254   952.0KB/s   00:00

6. On the client system, run the client script:

   [root@idmclient1 ~]# sh -x sc_client.sh adcs-winserver-ca.cer

Procedure

1. On the IdM client, into the PEM format:

   [root@idmclient1 ~]# openssl pkcs12 -in aduser1.pfx -out aduser1_cert_only.pem -clcerts -nodes
   Enter Import Password:

2. Extract the key into the separate file:

   [root@idmclient1 ~]# openssl pkcs12 -in adduser1.pfx -nocerts -out adduser1.pem > aduser1.key

3. Extract the public certificate into the separate file:

   [root@idmclient1 ~]# openssl pkcs12 -in adduser1.pfx -clcerts -nokeys -out aduser1_cert_only.pem > aduser1.crt

Procedure

1. Install the opensc and gnutls-utils packages:

   # dnf -y install opensc gnutls-utils

2. Start the pcscd service.

   # systemctl start pcscd

Procedure

1. Erase your smart card and authenticate yourself with your PIN:

   $ pkcs15-init --erase-card --use-default-transport-keys
   Using reader with a card: Reader name
   PIN [Security Officer PIN] required.
   Please enter PIN [Security Officer PIN]:

   The card has been erased.

2. Initialize your smart card, set your user PIN and PUK, and your Security Officer PIN and PUK:

   $ pkcs15-init --create-pkcs15 --use-default-transport-keys \
       --pin 963214 --puk 321478 --so-pin 65498714 --so-puk 784123
   Using reader with a card: Reader name

   The pcks15-init tool creates a new slot on the smart card.

3. Set the label and the authentication ID for the slot:

   $ pkcs15-init --store-pin --label testuser \
       --auth-id 01 --so-pin 65498714 --pin 963214 --puk 321478
   Using reader with a card: Reader name

   The label is set to a human-readable value, in this case, testuser. The auth-id must be two hexadecimal values, in this case it is set to 01.

4. Store and label the private key in the new slot on the smart card:

   $ pkcs15-init --store-private-key testuser.key --label testuser_key \
       --auth-id 01 --id 01 --pin 963214
   Using reader with a card: Reader name

   Note

   The value you specify for --id must be the same when storing your private key and storing your certificate in the next step. Specifying your own value for --id is recommended as otherwise a more complicated value is calculated by the tool.

5. Store and label the certificate in the new slot on the smart card:

   $ pkcs15-init --store-certificate testuser.crt --label testuser_crt \
       --auth-id 01 --id 01 --format pem --pin 963214
   Using reader with a card: Reader name

6. (Optional) Store and label the public key in the new slot on the smart card:

   $ pkcs15-init --store-public-key testuserpublic.key
       --label testuserpublic_key --auth-id 01 --id 01 --pin 963214
   Using reader with a card: Reader name

   Note

   If the public key corresponds to a private key or certificate, specify the same ID as the ID of the private key or certificate.

7. (Optional) Certain smart cards require you to finalize the card by locking the settings:

   $ pkcs15-init -F

   At this stage, your smart card includes the certificate, private key, and public key in the newly created slot. You have also created your user PIN and PUK and the Security Officer PIN and PUK.

Procedure

1. Open the sssd.conf file:

   [root@idmclient1 ~]# vim /etc/sssd/sssd.conf

2. Change the value of p11_child_timeout:

   [pam]
   p11_child_timeout = 60

3. Change the value of krb5_auth_timeout:

   [domain/IDM.EXAMPLE.COM]
   krb5_auth_timeout = 60

4. Save the settings.

Procedure

1. Obtain the user information from the certificate. Use the openssl x509 certificate display and signing utility with:

   • the -noout option to prevent the output of an encoded version of the request
   • the -issuer option to output the issuer name
   • the -in option to specify the input file name to read the certificate from

   • the -nameopt option with the RFC2253 value to display the output with the most specific relative distinguished name (RDN) first

     If the input file contains an Identity Management certificate, the output of the command shows that the Issuer is defined using the Organisation information:

     # openssl x509 -noout -issuer -in idm_user.crt -nameopt RFC2253
     issuer=CN=Certificate Authority,O=REALM.EXAMPLE.COM

     If the input file contains an Active Directory certificate, the output of the command shows that the Issuer is defined using the Domain Component information:

     # openssl x509 -noout -issuer -in ad_user.crt -nameopt RFC2253
     issuer=CN=AD-WIN2012R2-CA,DC=AD,DC=EXAMPLE,DC=COM

2. Optionally, to create a new mapping rule in the CLI based on a matching rule which specifies that the certificate issuer must be the extracted AD-WIN2012R2-CA of the ad.example.com domain and the subject on the certificate must match the certmapdata entry in a user account in IdM:

   # ipa certmaprule-add simple_rule --matchrule '<ISSUER>CN=AD-WIN2012R2-CA,DC=AD,DC=EXAMPLE,DC=COM' --maprule '(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})'

Procedure

1. Install the opensc and gnutls-utils packages:

   # dnf -y install opensc gnutls-utils

2. Start the pcscd service.

   # systemctl start pcscd

Procedure

1. Erase your smart card and authenticate yourself with your PIN:

   $ pkcs15-init --erase-card --use-default-transport-keys
   Using reader with a card: Reader name
   PIN [Security Officer PIN] required.
   Please enter PIN [Security Officer PIN]:

   The card has been erased.

2. Initialize your smart card, set your user PIN and PUK, and your Security Officer PIN and PUK:

   $ pkcs15-init --create-pkcs15 --use-default-transport-keys \
       --pin 963214 --puk 321478 --so-pin 65498714 --so-puk 784123
   Using reader with a card: Reader name

   The pcks15-init tool creates a new slot on the smart card.

3. Set the label and the authentication ID for the slot:

   $ pkcs15-init --store-pin --label testuser \
       --auth-id 01 --so-pin 65498714 --pin 963214 --puk 321478
   Using reader with a card: Reader name

   The label is set to a human-readable value, in this case, testuser. The auth-id must be two hexadecimal values, in this case it is set to 01.

4. Store and label the private key in the new slot on the smart card:

   $ pkcs15-init --store-private-key testuser.key --label testuser_key \
       --auth-id 01 --id 01 --pin 963214
   Using reader with a card: Reader name

   Note

   The value you specify for --id must be the same when storing your private key and storing your certificate in the next step. Specifying your own value for --id is recommended as otherwise a more complicated value is calculated by the tool.

5. Store and label the certificate in the new slot on the smart card:

   $ pkcs15-init --store-certificate testuser.crt --label testuser_crt \
       --auth-id 01 --id 01 --format pem --pin 963214
   Using reader with a card: Reader name

6. (Optional) Store and label the public key in the new slot on the smart card:

   $ pkcs15-init --store-public-key testuserpublic.key
       --label testuserpublic_key --auth-id 01 --id 01 --pin 963214
   Using reader with a card: Reader name

   Note

   If the public key corresponds to a private key or certificate, specify the same ID as the ID of the private key or certificate.

7. (Optional) Certain smart cards require you to finalize the card by locking the settings:

   $ pkcs15-init -F

   At this stage, your smart card includes the certificate, private key, and public key in the newly created slot. You have also created your user PIN and PUK and the Security Officer PIN and PUK.

Procedure

1. Open your web browser and add the web console’s address in the address bar.

   The browser asks you to add the PIN protecting the certificate stored on the smart card.

2. In the Password Required dialog box, enter PIN and click OK.
3. In the User Identification Request dialog box, select the certificate stored in the smart card.

4. Select Remember this decision.

   The system does not open this window next time.

5. Click OK.

Procedure

1. Set up constraint delegation rules to list which hosts the ticket can access.

   Example 5.1. Setting up constraint delegation rules

   The web console session runs host host.example.com and should be trusted to access its own host with sudo. Additionally, we are adding second trusted host - remote.example.com.

   • Create the following delegation:

     • Run the following commands to add a list of target machines a particular rule can access:

       # ipa servicedelegationtarget-add cockpit-target
       # ipa servicedelegationtarget-add-member cockpit-target \
          --principals=host/host.example.com@EXAMPLE.COM \
          --principals=host/remote.example.com@EXAMPLE.COM

     • To allow web console sessions (HTTP/principal) to access that host list, run the following commands:

       # ipa servicedelegationrule-add cockpit-delegation
       # ipa servicedelegationrule-add-member cockpit-delegation \
         --principals=HTTP/host.example.com@EXAMPLE.COM
       # ipa servicedelegationrule-add-target cockpit-delegation \
         --servicedelegationtargets=cockpit-target

2. Enable GSS authentication in the corresponding services:

   1. For sudo, enable the pam_sss_gss module in the /etc/sssd/sssd.conf file:

      1. As root, add an entry for your domain to the /etc/sssd/sssd.conf configuration file.

         [domain/example.com]
         pam_gssapi_services = sudo, sudo-i

      2. Enable the module in the /etc/pam.d/sudo file on the first line.

         auth sufficient pam_sss_gss.so

   2. For SSH, update the GSSAPIAuthentication option in the /etc/ssh/sshd_config file to yes.

Verification

1. Log in to the web console using a smart card.
2. Click the Limited access button.
3. Authenticate using your smart card.

1. Try to connect to a different host with SSH.

Procedure

1. In the terminal, open the system-cockpithttps.slice configuration file:

   # systemctl edit system-cockpithttps.slice

2. Limit the TasksMax to 100 and CPUQuota to 30%:

   [Slice]
   # change existing value
   TasksMax=100
   # add new restriction
   CPUQuota=30%

3. To apply the changes, restart the system:

   # systemctl daemon-reload
   # systemctl stop cockpit

Procedure

1. Create a directory where you can generate the certificate, for example:

   # mkdir /tmp/ca
   # cd /tmp/ca

2. Set up the certificate (copy this text to your command line in the ca directory):

   cat > ca.cnf <<EOF
   [ ca ]
   default_ca = CA_default
   
   [ CA_default ]
   dir              = .
   database         = \$dir/index.txt
   new_certs_dir    = \$dir/newcerts
   
   certificate      = \$dir/rootCA.crt
   serial           = \$dir/serial
   private_key      = \$dir/rootCA.key
   RANDFILE         = \$dir/rand
   
   default_days     = 365
   default_crl_days = 30
   default_md       = sha256
   
   policy           = policy_any
   email_in_dn      = no
   
   name_opt         = ca_default
   cert_opt         = ca_default
   copy_extensions  = copy
   
   [ usr_cert ]
   authorityKeyIdentifier = keyid, issuer
   
   [ v3_ca ]
   subjectKeyIdentifier   = hash
   authorityKeyIdentifier = keyid:always,issuer:always
   basicConstraints       = CA:true
   keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
   
   [ policy_any ]
   organizationName       = supplied
   organizationalUnitName = supplied
   commonName             = supplied
   emailAddress           = optional
   
   [ req ]
   distinguished_name = req_distinguished_name
   prompt             = no
   
   [ req_distinguished_name ]
   O  = Example
   OU = Example Test
   CN = Example Test CA
   EOF

3. Create the following directories:

   # mkdir certs crl newcerts

4. Create the following files:

   # touch index.txt crlnumber index.txt.attr

5. Write the number 01 in the serial file:

   # echo 01 > serial

   This command writes a number 01 in the serial file. It is a serial number of the certificate. With each new certificate released by this CA the number increases by one.

6. Create an OpenSSL root CA key:

   # openssl genrsa -out rootCA.key 2048

7. Create a self-signed root Certification Authority certificate:

   # openssl req -batch -config ca.cnf \
       -x509 -new -nodes -key rootCA.key -sha256 -days 10000 \
       -set_serial 0 -extensions v3_ca -out rootCA.crt

8. Create the key for your username:

   # openssl genrsa -out example.user.key 2048

   This key is generated in the local system which is not secure, therefore, remove the key from the system when the key is stored in the card.

   You can create a key directly in the smart card as well. For doing this, follow instructions created by the manufacturer of your smart card.

9. Create the certificate signing request configuration file (copy this text to your command line in the ca directory):

   cat > req.cnf <<EOF
   [ req ]
   distinguished_name = req_distinguished_name
   prompt = no
   
   [ req_distinguished_name ]
   O = Example
   OU = Example Test
   CN = testuser
   
   [ req_exts ]
   basicConstraints = CA:FALSE
   nsCertType = client, email
   nsComment = "testuser"
   subjectKeyIdentifier = hash
   keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
   extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin
   subjectAltName = otherName:msUPN;UTF8:testuser@EXAMPLE.COM, email:testuser@example.com
   EOF

10. Create a certificate signing request for your example.user certificate:

    # openssl req -new -nodes -key example.user.key \
        -reqexts req_exts -config req.cnf -out example.user.csr

11. Configure the new certificate. Expiration period is set to 1 year:

    # openssl ca -config ca.cnf -batch -notext \
        -keyfile rootCA.key -in example.user.csr -days 365 \
        -extensions usr_cert -out example.user.crt

Procedure

1. Ensure that you have SSSD installed on the system.

   # rpm -q sssd
   sssd-2.0.0.43.el8_0.3.x86_64

2. Create a /etc/sssd/pki directory:

   # file /etc/sssd/pki
   /etc/sssd/pki/: directory

3. Copy the rootCA.crt as a PEM file in the /etc/sssd/pki/ directory:

   # cp /tmp/ca/rootCA.crt /etc/sssd/pki/sssd_auth_ca_db.pem

Procedure

1. Install the opensc and gnutls-utils packages:

   # dnf -y install opensc gnutls-utils

2. Start the pcscd service.

   # systemctl start pcscd

Procedure

1. Erase your smart card and authenticate yourself with your PIN:

   $ pkcs15-init --erase-card --use-default-transport-keys
   Using reader with a card: Reader name
   PIN [Security Officer PIN] required.
   Please enter PIN [Security Officer PIN]:

   The card has been erased.

2. Initialize your smart card, set your user PIN and PUK, and your Security Officer PIN and PUK:

   $ pkcs15-init --create-pkcs15 --use-default-transport-keys \
       --pin 963214 --puk 321478 --so-pin 65498714 --so-puk 784123
   Using reader with a card: Reader name

   The pcks15-init tool creates a new slot on the smart card.

3. Set the label and the authentication ID for the slot:

   $ pkcs15-init --store-pin --label testuser \
       --auth-id 01 --so-pin 65498714 --pin 963214 --puk 321478
   Using reader with a card: Reader name

   The label is set to a human-readable value, in this case, testuser. The auth-id must be two hexadecimal values, in this case it is set to 01.

4. Store and label the private key in the new slot on the smart card:

   $ pkcs15-init --store-private-key testuser.key --label testuser_key \
       --auth-id 01 --id 01 --pin 963214
   Using reader with a card: Reader name

   Note

   The value you specify for --id must be the same when storing your private key and storing your certificate in the next step. Specifying your own value for --id is recommended as otherwise a more complicated value is calculated by the tool.

5. Store and label the certificate in the new slot on the smart card:

   $ pkcs15-init --store-certificate testuser.crt --label testuser_crt \
       --auth-id 01 --id 01 --format pem --pin 963214
   Using reader with a card: Reader name

6. (Optional) Store and label the public key in the new slot on the smart card:

   $ pkcs15-init --store-public-key testuserpublic.key
       --label testuserpublic_key --auth-id 01 --id 01 --pin 963214
   Using reader with a card: Reader name

   Note

   If the public key corresponds to a private key or certificate, specify the same ID as the ID of the private key or certificate.

7. (Optional) Certain smart cards require you to finalize the card by locking the settings:

   $ pkcs15-init -F

   At this stage, your smart card includes the certificate, private key, and public key in the newly created slot. You have also created your user PIN and PUK and the Security Officer PIN and PUK.

Procedure

1. Create a new directory for SSH keys in the home directory of the user who uses smart card authentication:

   # mkdir /home/example.user/.ssh

2. Run the ssh-keygen -D command with the opensc library to retrieve the existing public key paired with the private key on the smart card, and add it to the authorized_keys list of the user’s SSH keys directory to enable SSH access with smart card authentication.

   # ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so >> ~example.user/.ssh/authorized_keys

3. SSH requires access right configuration for the /.ssh directory and the authorized_keys file. To set or change the access rights, enter:

   # chown -R example.user:example.user ~example.user/.ssh/
   # chmod 700 ~example.user/.ssh/
   # chmod 600 ~example.user/.ssh/authorized_keys

4. Optionally, display the keys:

   # cat ~example.user/.ssh/authorized_keys

   The terminal displays the keys.

5. Verify that the smart card authentication is enabled in the /etc/sssd/sssd.conf file:

   In the [pam] section, enable the pam certificate authentication module: pam_cert_auth = True

   If the sssd.conf file has not been created yet, you can create the minimal functional configuration by copying the following script to the command line:

   # cat > /etc/sssd/sssd.conf <<EOF
   [sssd]
   services = nss, pam
   domains = shadowutils
   
   [nss]
   
   [pam]
   pam_cert_auth = True
   
   [domain/shadowutils]
   id_provider = files
   EOF

6. To use the SSH keys, configure authentication with the authselect command:

   # authselect select sssd with-smartcard --force

Procedure

1. Create a sudo rule named adminrule to allow a user to run commands.

   ipa sudorule-add adminrule

2. Add less and whoami as sudo commands:

   ipa sudocmd-add /usr/bin/less
   ipa sudocmd-add /usr/bin/whoami

3. Add the less and whoami commands to the adminrule:

   ipa sudorule-add-allow-command adminrule --sudocmds /usr/bin/less
   ipa sudorule-add-allow-command adminrule --sudocmds /usr/bin/whoami

4. Add the ipauser1 user to the adminrule:

   ipa sudorule-add-user adminrule --users ipauser1

5. Add the host on which you are running sudo to the adminrule:

   ipa sudorule-add-host adminrule --hosts server.ipa.test

Procedure

1. Install the PAM SSH agent:

   dnf -y install pam_ssh_agent_auth

2. Add the authorized_keys_command for pam_ssh_agent_auth.so to the /etc/pam.d/sudo file before any other auth entry:

   #%PAM-1.0
   auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
   auth       include      system-auth
   account    include      system-auth
   password   include      system-auth
   session    include      system-auth

3. To enable the SSH agent forwarding to work when you run sudo commands, add the following to the /etc/sudoers file:

   Defaults env_keep += "SSH_AUTH_SOCK"

   This allows users who have their public keys from smart cards stored in IPA/SSSD to authenticate to sudo without entering a password.

4. Restart the sssd service:

   systemctl restart sssd

Procedure

1. Start the SSH agent (if not already running).

   eval `ssh-agent`

2. Add your smart card to the SSH agent. Enter your PIN when prompted:

   ssh-add -s /usr/lib64/opensc-pkcs11.so

3. Connect via SSH with ssh-agent forwarding enabled (using the -A option) to the system where you are going to run sudo remotely:

   ssh -A ipauser1@server.ipa.test

Procedure

1. Using the lsusb command, verify that the smart card reader is visible to the operating system:

   $ lsusb
   Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
   Bus 001 Device 003: ID 072f:b100 Advanced Card Systems, Ltd ACR39U
   Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd
   Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

   For more information on the smart cards and readers tested and supported in RHEL, see Smart Card support in RHEL 9.

2. Ensure that the pcscd service and socket are enabled and running:

   $ systemctl status pcscd.service pcscd.socket
   
   ● pcscd.service - PC/SC Smart Card Daemon
         Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect;
   vendor preset: disabled)
         Active: active (running) since Fri 2021-09-24 11:05:04 CEST; 2
   weeks 6 days ago
   TriggeredBy: ● pcscd.socket
           Docs: man:pcscd(8)
       Main PID: 3772184 (pcscd)
          Tasks: 12 (limit: 38201)
         Memory: 8.2M
            CPU: 1min 8.067s
         CGroup: /system.slice/pcscd.service
                 └─3772184 /usr/sbin/pcscd --foreground --auto-exit
   
   ● pcscd.socket - PC/SC Smart Card Daemon Activation Socket
         Loaded: loaded (/usr/lib/systemd/system/pcscd.socket; enabled;
   vendor preset: enabled)
         Active: active (running) since Fri 2021-09-24 11:05:04 CEST; 2
   weeks 6 days ago
       Triggers: ● pcscd.service
         Listen: /run/pcscd/pcscd.comm (Stream)
         CGroup: /system.slice/pcscd.socket

3. Using the p11-kit list-modules command, display information about the configured smart card and the tokens present on the smart card:

   $ p11-kit list-modules
   p11-kit-trust: p11-kit-trust.so
   [...]
   opensc: opensc-pkcs11.so
       library-description: OpenSC smartcard framework
       library-manufacturer: OpenSC Project
       library-version: 0.20
       token: MyEID (sctest)
           manufacturer: Aventra Ltd.
           model: PKCS#15
           serial-number: 8185043840990797
           firmware-version: 40.1
           flags:
                  rng
                  login-required
                  user-pin-initialized
                  token-initialized

4. Verify you can access the contents of your smart card:

   $ pkcs11-tool --list-objects --login
   Using slot 0 with a present token (0x0)
   Logging in to "MyEID (sctest)".
   Please enter User PIN:
   Private Key Object; RSA
     label:      Certificate
     ID:         01
     Usage:      sign
     Access:     sensitive
   Public Key Object; RSA 2048 bits
     label:      Public Key
     ID:         01
     Usage:      verify
     Access:     none
   Certificate Object; type = X.509 cert
     label:      Certificate
     subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
     ID:         01

5. Display the contents of the certificate on your smart card using the certutil command:

   1. Run the following command to determine the correct name of your certificate:

      $ certutil -d /etc/pki/nssdb -L -h all
      
      Certificate Nickname                                         Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI
      
      Enter Password or Pin for "MyEID (sctest)":
      Smart Card CA 0f5019a8-7e65-46a1-afe5-8e17c256ae00           CT,C,C
      MyEID (sctest):Certificate                                   u,u,u

   2. Display the contents of the certificate on your smart card:

      Note

      Ensure the name of the certificate is an exact match for the output displayed in the previous step, in this example MyEID (sctest):Certificate.

      $ certutil -d /etc/pki/nssdb -L -n "MyEID (sctest):Certificate"
      
      Enter Password or Pin for "MyEID (sctest)":
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number: 15 (0xf)
              Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
              Issuer: "CN=Certificate Authority,O=IDM.EXAMPLE.COM"
              Validity:
                  Not Before: Thu Sep 30 14:01:41 2021
                  Not After : Sun Oct 01 14:01:41 2023
              Subject: "CN=idmuser1,O=IDM.EXAMPLE.COM"
              Subject Public Key Info:
                  Public Key Algorithm: PKCS #1 RSA Encryption
                  RSA Public Key:
                      Modulus:
                          [...]
                      Exponent: 65537 (0x10001)
              Signed Extensions:
                  Name: Certificate Authority Key Identifier
                  Key ID:
                      e2:27:56:0d:2f:f5:f2:72:ce:de:37:20:44:8f:18:7f:
                      2f:56:f9:1a
      
                  Name: Authority Information Access
                  Method: PKIX Online Certificate Status Protocol
                  Location:
                      URI: "http://ipa-ca.idm.example.com/ca/ocsp"
      
                  Name: Certificate Key Usage
                  Critical: True
                  Usages: Digital Signature
                          Non-Repudiation
                          Key Encipherment
                          Data Encipherment
      
                  Name: Extended Key Usage
                      TLS Web Server Authentication Certificate
                      TLS Web Client Authentication Certificate
      
                  Name: CRL Distribution Points
                  Distribution point:
                      URI: "http://ipa-ca.idm.example.com/ipa/crl/MasterCRL.bin"
                      CRL issuer:
                          Directory Name: "CN=Certificate Authority,O=ipaca"
      
                  Name: Certificate Subject Key ID
                  Data:
                      43:23:9f:c1:cf:b1:9f:51:18:be:05:b5:44:dc:e6:ab:
                      be:07:1f:36
      
          Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
          Signature:
              [...]
          Fingerprint (SHA-256):
              6A:F9:64:F7:F2:A2:B5:04:88:27:6E:B8:53:3E:44:3E:F5:75:85:91:34:ED:48:A8:0D:F0:31:5D:7B:C9:E0:EC
          Fingerprint (SHA1):
              B4:9A:59:9F:1C:A8:5D:0E:C1:A2:41:EC:FD:43:E0:80:5F:63:DF:29
      
          Mozilla-CA-Policy: false (attribute missing)
          Certificate Trust Flags:
              SSL Flags:
                  User
              Email Flags:
                  User
              Object Signing Flags:
                  User

Procedure

1. Verify you can authenticate with your smart card using su:

   $ su - idmuser1 -c ‘su - idmuser1 -c whoami’
   PIN for MyEID (sctest):
   idmuser1

   If you are not prompted for the smart card PIN, and either a password prompt or an authorization error are returned, check the SSSD logs. See Troubleshooting authentication with SSSD in IdM for information on logging in SSSD. The following is an example of an authentication failure:

   $ su - idmuser1 -c ‘su - idmuser1 -c whoami’
   PIN for MyEID (sctest):
   su: Authentication failure

   If the SSSD logs indicate an issue from the krb5_child, similar to the following, you may have an issue with your CA certificates. To troubleshoot issues with certificates, see Verifying that IdM Kerberos KDC can use Pkinit and that the CA certificates are correctly located.

   [Pre-authentication failed: Failed to verify own certificate (depth 0): unable to get local issuer certificate: could not load the shared library]

   If the SSSD logs indicate a timeout either from p11_child or krb5_child, you may need to increase the SSSD timeouts and try authenticating again with your smart card. See Increasing SSSD timeouts for details on how to increase the timeouts.

2. Verify your GDM smart card authentication configuration is correct. A success message for PAM authentication should be returned as shown below:

   # sssctl user-checks -s gdm-smartcard "idmuser1" -a auth
   user: idmuser1
   action: auth
   service: gdm-smartcard
   
   SSSD nss user lookup result:
    - user name: idmuser1
    - user id: 603200210
    - group id: 603200210
    - gecos: idm user1
    - home directory: /home/idmuser1
    - shell: /bin/sh
   
   SSSD InfoPipe user lookup result:
    - name: idmuser1
    - uidNumber: 603200210
    - gidNumber: 603200210
    - gecos: idm user1
    - homeDirectory: /home/idmuser1
    - loginShell: /bin/sh
   
   testing pam_authenticate
   
   PIN for MyEID (sctest)
   pam_authenticate for user [idmuser1]: Success
   
   PAM Environment:
    - PKCS11_LOGIN_TOKEN_NAME=MyEID (sctest)
    - KRB5CCNAME=KCM:

   If an authentication error, similar to the following, is returned, check the SSSD logs to try and determine what is causing the issue. See Troubleshooting authentication with SSSD in IdM for information on logging in SSSD.

   pam_authenticate for user [idmuser1]: Authentication failure
   
   PAM Environment:
    - no env -

   If PAM authentication continues to fail, clear your cache and run the command again.

   # sssctl cache-remove
   SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes
   Creating backup of local data…
   Removing cache files…
   SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes

Procedure

1. Run the kinit utility to authenticate as the idmuser1 with the certificate stored on your smart card:

   $ kinit -X X509_user_identity=PKCS11: idmuser1
   MyEID (sctest)                   PIN:

2. Enter your smart card PIN. If you are not prompted for your PIN, check that you can detect your smart card reader and display the contents of your smart card. See Testing smart card authentication.

3. If your PIN is accepted and you are then prompted for your password, you might be missing your CA signing certificate.

   1. Verify the CA chain is listed in the default certificate bundle file using openssl commands:

      $ openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/ca-bundle.pem | openssl pkcs7 -print_certs -noout
      subject=O = IDM.EXAMPLE.COM, CN = Certificate Authority
      
      issuer=O = IDM.EXAMPLE.COM, CN = Certificate Authority

   2. Verify the validity of your certificates:

      1. Find the user authentication certificate ID for idmuser1:

         $ pkcs11-tool --list-objects --login
         [...]
         Certificate Object; type = X.509 cert
           label:      Certificate
           subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
          ID: 01

      2. Read the user certificate information from the smart card in DER format:

         $ pkcs11-tool --read-object --id 01 --type cert --output-file cert.der
         Using slot 0 with a present token (0x0)

      3. Convert the DER certificate to PEM format:

         $ openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM

      4. Verify the certificate has valid issuer signatures up to the CA:

         $ openssl verify -CAfile /var/lib/ipa-client/pki/ca-bundle.pem <path>/cert.pem
         cert.pem: OK

4. If your smart card contains several certificates, kinit might fail to choose the correct certificate for authentication. In this case, you need to specify the certificate ID as an argument to the kinit command using the certid=<ID> option.

   1. Check how many certificates are stored on the smart card and get the certificate ID for the one you are using:

      $ pkcs11-tool --list-objects --type cert --login
      Using slot 0 with a present token (0x0)
      Logging in to "MyEID (sctest)".
      Please enter User PIN:
      Certificate Object; type = X.509 cert
        label:      Certificate
        subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
        ID:         01
      Certificate Object; type = X.509 cert
        label:      Second certificate
        subject:    DN: O=IDM.EXAMPLE.COM, CN=ipauser1
        ID:         02

   2. Run kinit with certificate ID 01:

      $ kinit -X kinit -X X509_user_identity=PKCS11:certid=01 idmuser1
      MyEID (sctest)                   PIN:

5. Run klist to view the contents of the Kerberos credentials cache:

   $ klist
   Ticket cache: KCM:0:11485
   Default principal: idmuser1@EXAMPLE.COM
   
   Valid starting       Expires              Service principal
   10/04/2021 10:50:04  10/05/2021 10:49:55  krbtgt/EXAMPLE.COM@EXAMPLE.COM

6. Destroy your active Kerberos tickets once you have finished:

   $ kdestroy -A

Procedure

1. Open the sssd.conf file on the IdM client:

   # vim /etc/sssd/sssd.conf

2. In your domain section, for example [domain/idm.example.com], add the following option:

   krb5_auth_timeout = 60

3. In the [pam] section, add the following:

   p11_child_timeout = 60

4. Clear the SSSD cache:

   # sssctl cache-remove
   SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes
   Creating backup of local data…
   Removing cache files…
   SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes