Enabling Smart Card Support
Smart card authentication requires configuration changes to certain Red Hat or CentOS Linux files, depending on the version of Red Hat Linux or CentOS you are using.
For example, if you are using Red Hat Linux 5.6 or 6.0, the files affected may include the following:
/etc/pam.d/gdm
/etc/pam.d/gnome-screensaver
/etc/pam.d/password-auth
/etc/pam.d/smartcard-auth
Smart card authentication also requires configuration changes to certain system Coolkey symbolic links such as the following:
/usr/lib(64)/libckyapplet.so.1.0.0
/usr/lib(64)/pkcs11/libcoolkeypk11.so
After you enable smart card authentication, the agent makes the required changes and creates backup copies of the affected files.
The smart card components on the Linux computer are configured by default to use the Delinea Coolkey PKCS #11 module for authentication. Although this is the optimal configuration, if your smart cards are not supported by Coolkey, Delinea allows you to specify a different PKCS #11 module to use for authentication. Delinea does not supply PKCS #11 modules other than the default Coolkey module. If you need to use a third-party module, you must install it yourself.
Some PKCS #11 modules may not work seamlessly with the GDM environment. For example, some card events, such as locking the screen upon card removal, may not work.
To configure a different module, do one of the following:
- If you are enabling smart card support with group policy, you can specify an alternate PKCS #11 module when you enable the group policy; see the procedure: To enable smart card support by using group policy.
- If you are manually enabling smart card support by running sctool, you can set a configuration parameter on each Linux computer to specify the module to use; see the procedure: To manually enable smart card and specify a different PKCS #11 module.
Steps
If you are running Red Hat Linux 6.0, you must install some support packages before enabling smart card support; see To install required packages on Red Hat Linux 6.0.
You can enable smart card authentication by either of the following methods:
- Use the “Enable smart card support” group policy, which enables smart card support on all computers to which the Group Policy object applies. Note that configuration changes do not take place until the next group policy update or when you run adgpupdate on the Linux computers.
- Run the sctool --enable utility on each computer that you want to enable for smart card support.
To install required packages on Red Hat Linux 6.0
- Log on to a Red Hat computer with root privilege and open a terminal window.
- Run the following command:
[root]# yum groupinstall "Smart card support"
To Enable Smart Card Support Using Group Policy
- On a Windows computer, open Group Policy Management to create or select a Group Policy object that is linked to a site, domain, or organizational unit that includes Red Hat Linux computers; right-click the Group Policy object, then select Edit.
- In the Group Policy Management Editor, expand Computer Configuration > Policies > Delinea Settings > Linux Settings, click Security, then double-click Enable smart card support.
- Select Enabled, then click OK to save the policy setting, or go to the next step to change the PKCS #11 module used for authentication.
This group policy modifies Red Hat Enterprise Linux configuration files to look for a smart card user’s credentials in Active Directory and verify the identity of the user with the smart card certificate.
- Optionally, to specify a PKCS #11 module other than the Delinea default module, type the complete path to the module in PKCS #11 Module:
Your smart card environment performs optimally when configured to use the default Coolkey module. You should specify a different module only if your smart cards are not supported by Coolkey. Otherwise, skip this step and click OK to save the group policy setting.
This field supports the use of the $LIB environment variable in the path to allow a single group policy to work for 32-bit and 64-bit systems. At run time on 32-bit systems $LIB resolves to lib, while on 64-bit systems it resolves to lib64.
For example, the following path specifies the OpenSC PKCS #11 module:
/usr/$LIB/pkcs11/opensc-pkcs11.so
- To apply the group policy immediately to any computer, you must restart the computer or run the adgpupdate command on it.
Otherwise, all affected computers will be updated automatically at the next group policy update interval. After computers are restarted or receive the policy update, they are ready for smart card use.
To Manually Enable Smart Card Support Running sctool
- Log on to a Red Hat computer with root privilege and open a terminal window.
- Run the sctool utility with the --enable option:
[root]$ sctool --enable
- Repeat steps 1 and 2 for each computer on which to enable smart card authentication.
To Manually Enable Smart Card and Specify a Different PKCS #11 Module
- Open the Delinea configuration file with a text editor, find the rhel.smartcard.pkcs11.module parameter, and set its value to the complete path for your PKCS #11 module.
Be certain to remove the comment for the parameter.
For example, the following parameter value sets PKCS #11 to the OpenSC module:
[user]$ vi /etc/centrifydc/centrifydc.conf
...
rhel.smartcard.pkcs11.module: /usr/$LIB/pkcs11/opensc-pkcs11.so
This parameter supports the use of the $LIB environment variable in the path to allow a single path specification to work for 32-bit and 64-bit systems. At run time on 32-bit systems $LIB resolves to lib, while on 64-bit systems it resolves to lib64.
- Save and close the file.
- Enable or re-enable smart card support by running the following sctool commands as root:
[root]$ sctool --disable
[root]$ sctool --enable
- Refresh the GNOME environment by running the following command as root:
[root]$ /usr/sbin/gdm-safe-restart
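The two places above that take a PKCS #11 module path (the group policy field and the rhel.smartcard.pkcs11.module parameter) share two practical pitfalls: the parameter ships commented out and must be uncommented exactly once, and a $LIB path only works if the module really exists under lib or lib64 on the target host. The following POSIX shell script is an added example, not Delinea's code or the sctool utility: it sets the parameter in a centrifydc.conf-style file (removing any active or commented-out copy of the key so one uncommented line remains), reads the value back, and expands $LIB the way the text describes so the module file can be checked before sctool is run. The "key: value" line format and the sample configuration file are assumptions constructed for the example; the sctool --disable / --enable and gdm-safe-restart steps still have to follow.

```shell
#!/bin/sh
# Added example, not Delinea's code: set rhel.smartcard.pkcs11.module in a
# centrifydc.conf-style file, then resolve $LIB to confirm the module exists.
# Assumes "key: value" lines with "#" comments; the sample conf is constructed.
set -eu

KEY=rhel.smartcard.pkcs11.module

# Expand $LIB as the text describes: lib on 32-bit, lib64 on 64-bit systems.
# The machine type is a parameter so both cases can be exercised on one host.
resolve_lib() {  # $1 = path containing $LIB, $2 = output of `uname -m`
    case "$2" in
        x86_64|aarch64|ppc64*|s390x) lib=lib64 ;;
        *)                           lib=lib ;;
    esac
    printf '%s\n' "$1" | sed 's|\$LIB|'"$lib"'|g'
}

# Return 0 if the module named by a conf value is present on this host.
module_present() {  # $1 = conf value, possibly containing $LIB
    [ -f "$(resolve_lib "$1" "$(uname -m)")" ]
}

# Write the parameter, dropping any active or commented-out copies so the file
# ends up with exactly one uncommented line for the key (step 1 above).
set_pkcs11_module() {  # $1 = conf path, $2 = module path
    tmp=$(mktemp)
    grep -v "^[#[:space:]]*$KEY[[:space:]]*:" "$1" > "$tmp" || true
    printf '%s: %s\n' "$KEY" "$2" >> "$tmp"
    cat "$tmp" > "$1"   # cat keeps the original file's mode and ownership
    rm -f "$tmp"
}

# Read back the active (uncommented) value; prints nothing if still commented.
get_pkcs11_module() {  # $1 = conf path
    sed -n "s/^$KEY[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

# Constructed sample conf with the parameter still commented out, as shipped.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample standing in for /etc/centrifydc/centrifydc.conf
example.placeholder.parameter: 1
#rhel.smartcard.pkcs11.module: /usr/$LIB/pkcs11/libcoolkeypk11.so
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: apply the OpenSC path from the text and report the outcome.
CONF=$(make_sample_conf)
set_pkcs11_module "$CONF" '/usr/$LIB/pkcs11/opensc-pkcs11.so'
VALUE=$(get_pkcs11_module "$CONF")
echo "active value: $VALUE"
echo "on x86_64 this resolves to: $(resolve_lib "$VALUE" x86_64)"
if module_present "$VALUE"; then
    echo "module found on this host"
else
    echo "module not found on this host; install it before running sctool --enable"
fi
rm -f "$CONF"
```

Run it as root against the real file by replacing make_sample_conf with the path /etc/centrifydc/centrifydc.conf; the module_present check is the one worth keeping in any deployment script, because a $LIB path that resolves to a missing file leaves the computer without a working PKCS #11 module after sctool --enable.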
Next Steps
After you enable smart card support, the computer is ready for smart card authentication. You can attach a smart card reader and log in with a valid card and matching Active Directory user.
The next step is to configure one or more of the following smart card authentication options if you wish:
- Enabling support for multi-user smart card which sets the smartcard.name.mapping configuration parameter to enable the use of smart cards provisioned with multiple users on a particular computer.
- Enforcing smart card authentication which prevents users from logging on with just a user name and password.
- Configuring certificate validation which specifies how certificates are validated.
- Locking the screen if a smart card is removed which locks the screen when a smart card is removed to provide enhanced security.
If you have no other options to configure, you can go directly to Verifying smart card authentication to confirm that you can log on to one of the Linux computers that you have configured for smart card authentication.