Why and how to use a smart card to log on
Smart cards provide an enhanced level of security for Red Hat Linux computers when users log on to Active Directory domains. If you use a smart card to log on, authentication requires a valid and trusted root or intermediate certificate that can be validated by a known and trusted certification authority (CA).
Because smart cards rely on a public key infrastructure (PKI), in which certificates are signed by a CA and validated to confirm that they were issued by a trusted certification authority and have not expired or been revoked, authentication using a smart card is more secure than a user name and password.
Configuring a smart card for use on a Red Hat Linux computer that is running the Centrify agent requires that you have already set up a smart card for use in a Windows domain. You do not need to add any smart card infrastructure to the Linux computer, other than a smart card reader and a provisioned smart card.
In a Windows environment, a smart card may be set up either for a single user account or for multiple user accounts. For example, an individual contributor might have access to a single Active Directory account that they use for all their work. In this case, the card is set up for a single user and is linked directly to that user's UPN (user principal name). When the user inserts the card to log on, the smart card system looks up the UPN in Active Directory and prompts for a PIN.
Windows 2008 also provides a name-mapping feature that enables configuring a smart card with multiple user accounts. For example, a user might want to log in with a regular account to check mail or perform routine tasks, but log in with an administrator’s account to perform privileged tasks. To set up a card for multiple users, an administrator maps a certificate to each user account on the card. When a user inserts the card to log on, the smart card system prompts the user to select which account to use, and prompts for the card’s PIN.
If you have set up smart card login for Windows clients in a domain, you can use Access Manager to configure smart card login for Red Hat Linux clients joined to the same domain. Once you configure smart card support for a Linux computer, a smart card that you have provisioned for use on a Windows computer, whether for a single user or for multiple users, can also be used to log in to the Red Hat Linux computer.
Note: Configuring smart card support in Access Manager is nearly the same for a single-user or multi-user card with the exception that for multi-user cards, you must set an extra configuration parameter as explained in Enabling support for multi-user smart cards.
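The checks described above (a chain ending in a trusted CA, validity dates, revocation, and the UPN that links the card to the account), as an added shell example that is not part of the Centrify documentation: it uses openssl to build a throwaway CA, issue a smart card logon certificate, and run the checks, then revokes the card to show the logon being rejected. The CA name, the user jdoe and the domain example.com are constructed placeholders.

```shell
# Added example (not Centrify's code): a throwaway CA issues a smart card
# logon certificate, then check_logon_cert runs what a logon must pass:
# chain to a trusted CA, validity dates, CRL revocation, the Smart Card
# Logon EKU, and the UPN (SAN otherName). All names are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Throwaway root CA standing in for the domain's trusted enterprise CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout ca.key \
  -out ca.pem -subj "/CN=Constructed Root CA" 2>/dev/null

# Logon certificate: UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) in the SAN
# and the Smart Card Logon EKU (OID 1.3.6.1.4.1.311.20.2.2).
cat > leaf.ext <<'EOF'
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:jdoe@example.com
extendedKeyUsage=clientAuth,1.3.6.1.4.1.311.20.2.2
EOF
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=jdoe" 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Minimal CA database so the CA can publish a CRL and revoke the card.
printf '[ca]\ndefault_ca=r\n[r]\ndatabase=index.txt\ndefault_md=sha256\ndefault_crl_days=7\n' > ca.cnf
: > index.txt
gencrl() { openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem -gencrl -out "$1" 2>/dev/null; }
gencrl ca.crl

# check_logon_cert CERT CA CRL: prints the UPN on success; returns 1 if the
# chain, dates or CRL check fails, 2 if the Smart Card Logon EKU is missing.
check_logon_cert() {
  openssl verify -CAfile "$2" -crl_check -CRLfile "$3" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -text | grep -qi 'smartcard' || return 2
  # asn1parse does not descend into the SAN OCTET STRING, so locate it and
  # parse its contents with -strparse to reach the UTF8String UPN.
  off=$(openssl asn1parse -in "$1" |
        awk '/Subject Alternative Name/ { getline; sub(/:.*/, ""); gsub(/ /, ""); print; exit }')
  openssl asn1parse -in "$1" -strparse "$off" | sed -n 's/.*UTF8STRING *:\(.*\)$/\1/p'
}

# revoke_card CERT NEWCRL: the CA revokes the card (lost, stolen, user left)
# and publishes a fresh CRL; the next logon attempt must then be rejected.
revoke_card() {
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem -revoke "$1" 2>/dev/null
  gencrl "$2"
}

echo "before revocation: $(check_logon_cert leaf.pem ca.pem ca.crl)"
revoke_card leaf.pem ca-revoked.crl
check_logon_cert leaf.pem ca.pem ca-revoked.crl || echo "after revocation: rejected (rc=$?)"
```

Note that the stale CRL (ca.crl) still accepts the revoked card: a Linux client only rejects it once it has fetched the CRL published after the revocation.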
Setting up a single user smart card login for Windows computers requires either:
- A Microsoft enterprise root certification authority; see the Microsoft TechNet article: Install an enterprise root certification authority.
- A third-party certification authority; see the Microsoft KB article: Guidelines for enabling smart card logon with third-party certification authorities.
Setting up a multi-user smart card login for Windows requires mapping the certificate on the card to each user account associated with the card. See the Microsoft TechNet blog post “Mapping One Smart Card to Multiple Accounts” for more information on how to do this.