Enabling smart card support

Smart card authentication requires configuration changes to certain Red Hat or CentOS Linux files, depending on the version of Red Hat Linux or CentOS you are using.

For example, if you are using Red Hat Linux 5.6 or 6.0, the files affected may include the following:

  • /etc/pam.d/gdm
  • /etc/pam.d/gnome-screensaver
  • /etc/pam.d/password-auth
  • /etc/pam.d/smartcard-auth

Smart card authentication also requires configuration changes to certain system Coolkey symbolic links such as the following:

  • /usr/lib(64)/libckyapplet.so.1.0.0
  • /usr/lib(64)/pkcs11/libcoolkeypk11.so

After you enable smart card authentication, the agent makes the required changes and creates backup copies of the affected files.

The smart card components on the Linux computer are configured by default to use the Centrify Coolkey PKCS #11 module for authentication. Although this is the optimal configuration, if your smart cards are not supported by Coolkey, Centrify allows you to specify a different PKCS #11 module to use for authentication. Centrify does not supply PKCS #11 modules other than the default Coolkey module. If you need to use a third-party module, you must install it yourself.

Some PKCS #11 modules may not work seamlessly with the GDM environment. For example, some card events, such as locking the screen upon card removal, may not work.

To configure a different module, use either the group policy procedure or the manual sctool procedure described under Steps below.

Steps

If you are running Red Hat Linux 6.0, you must install some support packages before enabling smart card support; see To install required packages on Red Hat Linux 6.0.

You can enable smart card authentication by either of the following methods: by group policy, or manually by running sctool.

To install required packages on Red Hat Linux 6.0

  1. Log on to a Red Hat computer with root privilege and open a terminal window.
  2. Run the following command

    [root]# yum groupinstall "Smart card support"

To enable smart card support by using group policy

  1. On a Windows computer, open Group Policy Management to create or select a Group Policy object that is linked to a site, domain, or organizational unit that includes Red Hat Linux computers; right-click the Group Policy object, then select Edit.
  2. In the Group Policy Management Editor, expand Computer Configuration > Policies > Centrify Settings > Linux Settings, click Security, then double-click Enable smart card support.
  3. Select Enabled, then click OK to save the policy setting, or go to the next step to change the PKCS #11 module used for authentication.

    This group policy modifies Red Hat Enterprise Linux configuration files to look for a smart card user’s credentials in Active Directory and verify the identity of the user with the smart card certificate.

  4. Optionally, to specify a PKCS #11 module other than the Centrify default module, type the complete path to the module in PKCS #11 Module:

    Note:   Your smart card environment performs optimally when configured to use the default Coolkey module. You should specify a different module only if your smart cards are not supported by Coolkey. Otherwise, skip this step and click OK to save the group policy setting.

    This field supports the use of the $LIB environment variable in the path to allow a single group policy to work for 32-bit and 64-bit systems. At run time on 32-bit systems $LIB resolves to lib, while on 64-bit systems it resolves to lib64.

    For example, the following path specifies the OpenSC PKCS #11 module:

    /usr/$LIB/pkcs11/opensc-pkcs11.so
  5. To apply the group policy immediately to any computer, you must restart the computer or run the adgpupdate command on it.

    Otherwise, all affected computers will be updated automatically at the next group policy update interval. After computers are restarted or receive the policy update, they are ready for smart card use.

To manually enable smart card support by running sctool

  1. Log on to a Red Hat computer with root privilege and open a terminal window.
  2. Run the sctool utility with the --enable option:

    [root]$ sctool --enable
  3. Repeat steps 1 and 2 for each computer on which to enable smart card authentication.

To manually enable smart card support and specify a different PKCS #11 module

  1. Open the Centrify configuration file with a text editor, find the rhel.smartcard.pkcs11.module parameter, and set its value to the complete path for your PKCS #11 module.

    Be certain to remove the comment for the parameter.

    For example, the following parameter value sets PKCS #11 to the OpenSC module:

    [user]$ vi /etc/centrifydc/centrifydc.conf
    ...
    rhel.smartcard.pkcs11.module: /usr/$LIB/pkcs11/opensc-pkcs11.so

    This parameter supports the use of the $LIB environment variable in the path to allow a single path specification to work for 32-bit and 64-bit systems. At run time on 32-bit systems $LIB resolves to lib, while on 64-bit systems it resolves to lib64.

  2. Save and close the file.
  3. Enable, or re-enable, smart card support by running the following sctool commands as root:

    [root]$ sctool --disable
    [root]$ sctool --enable
  4. Refresh the GNOME environment by running the following command as root:

    [root]$ /usr/sbin/gdm-safe-restart
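The following shell script is an added example, not part of Centrify's own tooling, that illustrates the $LIB convention used in both the group policy PKCS #11 Module field (step 4 above) and the rhel.smartcard.pkcs11.module parameter (step 1 of the manual procedure). It reads the parameter from a configuration file, ignores a still-commented line, expands $LIB to lib or lib64 from the machine architecture, and reports whether the resolved module file exists before sctool --enable is run. The sample configuration, the architecture-to-directory mapping and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: resolve rhel.smartcard.pkcs11.module the way the page
# describes ($LIB -> lib on 32-bit, lib64 on 64-bit) and check the file.

# lib_dir_for_arch ARCH -> "lib64" for 64-bit `uname -m` values, else "lib".
# (Assumed mapping; adjust for your distribution's multilib layout.)
lib_dir_for_arch() {
    case "$1" in
        x86_64|aarch64|ppc64*|s390x) echo lib64 ;;
        *) echo lib ;;
    esac
}

# configured_pkcs11_module CONF -> prints the parameter value from an
# uncommented line, or nothing if it is absent or still commented out.
configured_pkcs11_module() {
    # Only lines starting with the key match, so a leading '#' is skipped.
    sed -n 's/^[[:space:]]*rhel\.smartcard\.pkcs11\.module[[:space:]]*:[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# resolve_pkcs11_module CONF ARCH -> prints the path with $LIB expanded;
# returns 1 when the parameter is not set (e.g. comment not removed).
resolve_pkcs11_module() {
    raw=$(configured_pkcs11_module "$1")
    [ -n "$raw" ] || return 1
    libdir=$(lib_dir_for_arch "$2")
    # Replace the literal token $LIB as written in the config file.
    printf '%s\n' "$raw" | sed "s|\\\$LIB|$libdir|g"
}

# check_module_present CONF -> 0 if the resolved module exists on this host.
check_module_present() {
    path=$(resolve_pkcs11_module "$1" "$(uname -m)") \
        || { echo "rhel.smartcard.pkcs11.module not set (comment removed?)"; return 1; }
    [ -f "$path" ] && { echo "ok: $path"; return 0; }
    echo "missing: $path"; return 1
}

# Constructed sample configuration: a commented default plus the OpenSC line.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# rhel.smartcard.pkcs11.module: /usr/$LIB/pkcs11/libcoolkeypk11.so
rhel.smartcard.pkcs11.module: /usr/$LIB/pkcs11/opensc-pkcs11.so
EOF

# Constructed sample where the parameter was left commented out.
COMMENTED_CONF=$(mktemp)
printf '# rhel.smartcard.pkcs11.module: /usr/$LIB/pkcs11/opensc-pkcs11.so\n' > "$COMMENTED_CONF"
```

Run check_module_present /etc/centrifydc/centrifydc.conf on the target host to confirm the configured module is actually installed before re-enabling smart card support.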

Next Steps

After you enable smart card support, the computer is ready for smart card authentication. You can attach a smart card reader and log in with a valid card and matching Active Directory user.

The next step is to configure one or more of the following smart card authentication options if you wish:

If you have no other options to configure, you can go directly to Verifying smart card authentication to confirm that you can log on to one of the Linux computers that you have configured for smart card authentication.