Configuring smart card authentication

You configure Red Hat Linux computers for smart card authentication primarily through group policy settings. Enabling support for smart cards requires that you set a single policy (“Enable smart card support”). Supporting the use of multi-user smart cards requires that you set a configuration parameter on each Red Hat computer. In addition, Centrify Authentication Service, Privilege Elevation Service, and Audit & Monitoring Service provide several group policies to control how smart card authentication works after you enable it.

Complete the procedures in the following sections to configure smart card authentication for Red Hat Linux computers:

  • Enabling smart card support, in which you enable smart card authentication for Active Directory users. This is the only procedure you need to complete to enable smart card authentication. The other procedures allow you to configure different aspects of smart card authentication, such as locking the screen if the smart card is removed, or preventing users from logging in without a smart card.
  • Enabling support for multi-user smart cards, in which you set the smartcard.name.mapping configuration parameter to enable the use of smart cards provisioned with multiple users on a particular computer.
  • Enforcing smart card authentication, in which you prevent users from logging in with a user name and password on Red Hat Linux computers that have smart card authentication enabled. You can require all users on a computer to use a smart card for logging in, or require only specific users to use a smart card.
  • Configuring certificate validation, in which you specify how to use a Certificate Revocation List (CRL) to check the status of certificates against a revocation server.
  • Locking the screen if a smart card is removed, in which you require that the computer’s screen is locked when a smart card is removed.
  • Enabling a certificate without extended key usage, in which you enable a Windows group policy setting to allow certificates without the Extended Key Usage (EKU) attribute to be used for smart card login.
  • Configuring applications for smart card access, in which you configure applications such as Firefox and Thunderbird that require smart card authentication to gain access to sensitive sites and data.