Before Configuring Smart Card Authentication
To use a smart card to log on to a Red Hat Linux, CentOS, Debian, or Ubuntu computer, verify that the computers meet these requirements:
- Supported operating systems:
  - Red Hat Linux (amd64) version 5.6 or later
  - CentOS (amd64) version 5.6 or later
  - Ubuntu 18.04.x LTS, 20.04.x LTS, 21.04, 22.04.x LTS and 22.10 (amd64)
  - Debian 9.x and 10.x or later (amd64)
  - Oracle Linux 8 or later (amd64)
  - Rocky Linux (amd64)
  - AlmaLinux (amd64)
  For Debian and Ubuntu systems, be sure to have the opensc-pkcs11, pcscd, and libnss3-tools packages installed.
- Are running the GNOME desktop. The agent does not support use of a smart card with the KDE desktop.
- If a system is running Red Hat Linux or CentOS 8.0 or later, the system needs Server Suite Agent for *NIX version 5.7.0 or later.
- If a system is running Debian or Ubuntu, the system needs Server Suite Agent for *NIX version 5.8.0 or later.
- Are joined to the Windows domain.
- Have a supported smart card reader attached.
Other prerequisites for enabling smart card support differ depending on whether you have configured a single-user or multi-user smart card.
For a single-user card, before enabling smart card support, make sure you do the following:
- Provision a smart card with an implicit or explicit certificate-to-user mapping.
  - Currently, Server Suite Agent for *NIX supports Common Access Card (CAC) and Personal Identity Verification (PIV) cards with both CAC and PIV profiles (CACNG) and Alternative Logon Token (ALT) smart cards.
  - Server Suite Agent for *NIX supports implicit certificate-to-user mapping, where the certificate's Principal Name in the Subject Alternative Name (SAN) matches the user's userPrincipalName (UPN) or Kerberos v5 principal name in Active Directory (AD).
  - Alternatively, explicit mapping by way of the user's altSecurityIdentities AD attribute is also supported. Mapping one certificate to multiple users is not supported.
- Verify that the Active Directory user is successfully mapped by running the sctool --dump command.
For a multi-user card, before enabling smart card support, make sure you have the following in place:
- A Windows Server 2008, or later, domain controller for authentication.
- The card is not configured with a UPN. If a card with a UPN is inserted, the computer prompts for a PIN rather than prompting for a user name and password.
- An administrator has added the certificate on the card to the name mapping for the users the card is associated with. See the Microsoft TechNet blog post "Mapping One Smart Card to Multiple Accounts" for more information on how to do this.
PKINIT supports only the RSA algorithm.
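As an added illustration of the single-user and multi-user mapping rules above (example code, not part of the Server Suite documentation or of sctool): a small simulation of how one certificate resolves to Active Directory accounts through implicit SAN-UPN mapping or explicit altSecurityIdentities entries, rejecting the two cases the prerequisites rule out. The domain, account names and certificate DNs are constructed; the CardCert/ADUser classes are hypothetical stand-ins for card and directory data, and only the issuer-and-subject form of altSecurityIdentities values is modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class CardCert:
    issuer: str                    # issuer DN as written in altSecurityIdentities
    subject: str                   # subject DN, same convention
    san_upn: Optional[str] = None  # UPN from the SAN otherName, if the card carries one

@dataclass
class ADUser:
    sam: str
    upn: str
    krb_principal: Optional[str] = None  # Kerberos v5 principal name, if it differs from the UPN
    alt_security_identities: List[str] = field(default_factory=list)

def explicit_identity(cert: CardCert) -> str:
    """Issuer-and-subject form of an altSecurityIdentities value for this certificate."""
    return f"X509:<I>{cert.issuer}<S>{cert.subject}"

def map_single_user(cert: CardCert, users: List[ADUser]) -> Tuple[str, str]:
    """Implicit mapping (SAN UPN equals the UPN or Kerberos principal) or explicit
    altSecurityIdentities; exactly one account must match (assumption: case-insensitive)."""
    hits = []
    for u in users:
        names = {u.upn.lower(), (u.krb_principal or u.upn).lower()}
        if cert.san_upn and cert.san_upn.lower() in names:
            hits.append((u.sam, "implicit"))
        elif explicit_identity(cert) in u.alt_security_identities:
            hits.append((u.sam, "explicit"))
    if len(hits) != 1:
        raise ValueError(f"certificate maps to {len(hits)} accounts, expected exactly 1")
    return hits[0]

def map_multi_user(cert: CardCert, users: List[ADUser]) -> List[str]:
    """Multi-user card: must carry no UPN; returns every account whose name mapping lists it."""
    if cert.san_upn:
        raise ValueError("multi-user card must not be provisioned with a UPN")
    return [u.sam for u in users if explicit_identity(cert) in u.alt_security_identities]

# Constructed sample data: placeholder domain and accounts, not real identities.
CA = "DC=com,DC=example,CN=EXAMPLE-CA"
ALICE_CERT = CardCert(CA, "DC=com,DC=example,OU=Users,CN=alice", san_upn="Alice@EXAMPLE.com")
BOB_CERT = CardCert(CA, "DC=com,DC=example,OU=Users,CN=bob")            # no UPN: explicit only
SHARED_CERT = CardCert(CA, "DC=com,DC=example,OU=Users,CN=ops-shared")  # multi-user card
USERS = [
    ADUser("alice", "alice@example.com"),
    ADUser("bob", "bob@example.com", alt_security_identities=[explicit_identity(BOB_CERT)]),
    ADUser("ops1", "ops1@example.com", alt_security_identities=[explicit_identity(SHARED_CERT)]),
    ADUser("ops2", "ops2@example.com", alt_security_identities=[explicit_identity(SHARED_CERT)]),
]
```

Running map_single_user on SHARED_CERT fails because it maps to two accounts, and map_multi_user on ALICE_CERT fails because the card carries a UPN; both are exactly the conditions the prerequisites above tell you to check before enabling smart card support.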
For either type of card, verify that the public key infrastructure to support smart card login is operational on the Windows computer running Active Directory and Access Manager. If the user is able to log in to a Windows computer with a smart card, and you have a card reader and a fully-provisioned card for the Linux computer, the user should be able to log in to the Linux computer once you configure it for smart card support.
Although the Linux computer has its own infrastructure for enabling and managing smart card authentication, the Server Suite Agent for *NIX and smart card utility (sctool) enable authentication through Active Directory. After you enable smart card support through the Server Suite Agent, the Red Hat smart card configuration options have no effect.