Enabling smart card support for sudo

This group policy configures sudo to require the smart card PIN for authentication instead of the user’s password. The user must be configured in the sudoers file and a smart card corresponding to the user must be presented at the time sudo is run.

If the smart card keychain is unlocked when sudo is run, sudo will not prompt for the PIN for authentication.

To enable smart card authorization for sudo

  1. Make a backup of the following files:
    • /etc/pam.d/sudo
    • /etc/pam.d/sudo.pre_cdc

  2. Create or edit an existing Group Policy Object linked to a site, domain, or OU that includes Mac OS X computers.

  3. In the Group Policy Management Editor, expand Computer Configuration > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy, then double-click Enable smart card support for sudo.

  4. Select the Enabled option and click OK.
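Step 1 can be scripted so that each copy is verified before the policy changes the PAM configuration. The following is an added example, not part of the original documentation; the function name, the backup directory and the timestamp suffix are assumptions.

```shell
#!/bin/sh
# Added example: back up the two PAM files named in step 1.
# Usage (as root): sh backup_pam_sudo.sh /etc/pam.d /var/root/pam-sudo-backup
# The script name and backup directory above are hypothetical.

# backup_pam_sudo SRC_DIR DEST_DIR
#   Copies sudo and sudo.pre_cdc from SRC_DIR to DEST_DIR with a timestamp
#   suffix, preserving mode and times, and verifies each copy byte for byte.
#   Sets BACKUP_STAMP to the suffix used. Returns non-zero on any failure.
backup_pam_sudo() {
    src_dir=$1
    dest_dir=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    copied=0

    # Keep the backups readable only by the account that made them.
    mkdir -p "$dest_dir" || return 1
    chmod 700 "$dest_dir" || return 1

    for name in sudo sudo.pre_cdc; do
        src="$src_dir/$name"
        dst="$dest_dir/$name.$stamp"
        # sudo.pre_cdc may not exist on every machine; skip what is absent.
        if [ ! -f "$src" ]; then
            echo "skip: $src does not exist" >&2
            continue
        fi
        # Never overwrite an earlier backup.
        if [ -e "$dst" ]; then
            echo "error: $dst already exists, not overwriting" >&2
            return 1
        fi
        cp -p "$src" "$dst" || return 1
        cmp -s "$src" "$dst" || { echo "error: copy of $src differs" >&2; return 1; }
        echo "saved: $dst" >&2
        copied=$((copied + 1))
    done

    # A run that saved nothing should not be mistaken for a good backup.
    [ "$copied" -gt 0 ] || { echo "error: nothing backed up" >&2; return 1; }
    BACKUP_STAMP=$stamp
}

# Run only when both directories are given on the command line.
if [ "$#" -eq 2 ]; then
    backup_pam_sudo "$1" "$2"
fi
```

To roll back, copy the saved files over the originals from a root shell that was opened before the policy was applied.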