How to configure SmartCard Authentication when using sudo?
Environment
Red Hat Enterprise Linux
SmartCards
Issue
We already have our system correctly configured for SmartCard logins. How do we require a SmartCard when authenticating to use the sudo command?
Resolution
1) In /etc/pam.d/sudo, add "auth sufficient pam_pkcs11.so" at the top of the file (so SmartCards are tried first):
[root@server ~]# cat /etc/pam.d/sudo
#%PAM-1.0
auth sufficient pam_pkcs11.so
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
2) When attempting to sudo, use the -i flag to execute an interactive shell:
[user@server ~]$ head -n 1 /etc/shadow
head: cannot open ‘/etc/shadow’ for reading: Permission denied
[user@server ~]$ sudo -i head -n 1 /etc/shadow
Smartcard authentification starts
Smart card found.
Welcome User (User PIN)!
Smart card PIN:
verifying certificate
Checking signature
root:$6$/VFrCyfM$ubPck/izOHsfSNO546ITSg.bF7JOoA665vcuTGO5RbvhB12/.X36f30vvs6geyJbKRMi3lEuL7F4og51l3pMH.:16969:0:99999:7:::
3) You may also need to add "sudo" to the service list on the pam_succeed_if line in the "auth" section of the "/etc/pam.d/system-auth" configuration file, so that smart card use is allowed for the sudo service:
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver:sudo quiet use_uid
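As an added example (not part of this Red Hat solution), the shell script below checks a sudo PAM file and a system-auth file for the layout described in steps 1 and 3. It runs against constructed sample files rather than the live ones; the file names and helper function names are assumptions for the demonstration.

```shell
# Added example, not part of the Red Hat solution: checks that PAM stack files
# are laid out the way the article describes. File paths are arguments, so the
# constructed samples below can be checked offline instead of the live files.

# check_sudo_stack FILE: returns 0 when the first uncommented "auth" line is
# "auth sufficient pam_pkcs11.so" (smart card tried first) and a later
# "auth include system-auth" line keeps the password fallback.
check_sudo_stack() {
    auth_lines=$(grep -v '^[[:space:]]*#' "$1" | awk '$1 == "auth"')
    first=$(printf '%s\n' "$auth_lines" | head -n 1)
    case "$first" in
        auth*sufficient*pam_pkcs11.so*) ;;
        *) echo "$1: first auth line is not 'auth sufficient pam_pkcs11.so'" >&2; return 1 ;;
    esac
    printf '%s\n' "$auth_lines" | tail -n +2 |
        grep -q 'include[[:space:]][[:space:]]*system-auth' || {
        echo "$1: no 'auth include system-auth' fallback after pam_pkcs11.so" >&2
        return 1
    }
}

# check_system_auth FILE: returns 0 when the pam_succeed_if "service notin"
# list on an auth line names sudo (step 3 of the article); "sudoedit" alone
# does not count.
check_system_auth() {
    grep -v '^[[:space:]]*#' "$1" |
        awk '$1 == "auth" && /pam_succeed_if\.so/ && /service[ \t]+notin/' |
        grep -Eq 'notin[[:space:]]+([^[:space:]]*:)?sudo(:|[[:space:]]|$)'
}

# Constructed sample files (not copied from any system).
SAMPLE_DIR=$(mktemp -d)
GOOD_SUDO="$SAMPLE_DIR/sudo.good"; BAD_SUDO="$SAMPLE_DIR/sudo.bad"
SA_OK="$SAMPLE_DIR/system-auth.ok"; SA_MISSING="$SAMPLE_DIR/system-auth.missing"
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_pkcs11.so' \
    'auth include system-auth' 'account include system-auth' > "$GOOD_SUDO"
# wrong order: the include comes first, so pam_pkcs11.so is not tried first
printf '%s\n' '#%PAM-1.0' 'auth include system-auth' \
    'auth sufficient pam_pkcs11.so' > "$BAD_SUDO"
printf '%s\n' 'auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver:sudo quiet use_uid' > "$SA_OK"
printf '%s\n' 'auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid' > "$SA_MISSING"

check_sudo_stack "$GOOD_SUDO" && check_system_auth "$SA_OK" && echo "PAM layout matches the article"
```

Point the two functions at /etc/pam.d/sudo and /etc/pam.d/system-auth to check a real host; a non-zero exit and a message on stderr identify which part of the layout is missing.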
Root Cause
Having the "auth sufficient pam_pkcs11.so" line at the top of /etc/pam.d/sudo allows a SmartCard to be used for sudo authentication. Preserving the "auth include system-auth" line below the pam_pkcs11.so line retains the ability to authenticate with a password for users without SmartCards.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.