KB-15086: Using Smartcards for Text-Based Console Logons

Authentication Service, Smart Card Service

28 June,19 at 10:21 AM

Question: How to enforce smartcard authentication when logging into a console with text-based input?

Assuming the prerequisite steps for implementing smartcard login have been followed (as per the below guide), a few modifications to the PAM files and SELinux are all that is necessary to make this work. However, this will cause the user to enter their smartcard PIN twice.


To begin setting this up, the following files will need to be edited:

1) /etc/pam.d/smartcard-auth
2) /etc/pam.d/login

To modify these files, please start with the following steps:

1) Boot server to text console login
2) Establish an SSH login to server as root
3) Run the following commands:

[root@host home]# cd /etc/pam.d

[root@host pam.d]# cp smartcard-auth sc-auth

4) Edit the sc-auth file. Comment out the first 2 (auth) lines (flagged as SCTOOL) of pam_succeed_if:

#auth [success=4 default=ignore] pam_succeed_if.so debug service notin gdm-smartcard:gnome-screensaver:kscreensaver:xscreensaver use_uid # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
#auth [success=ignore default=1] pam_succeed_if.so debug service in gnome-screensaver:kscreensaver:xscreensaver use_uid # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE

4a) Next, comment out the line for pam_fprintd

#auth    sufficient    pam_fprintd.so # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE

5) Edit /etc/pam.d/login. Comment out the following line:

#auth substack system-auth

5a) Add beneath it, the following line:

auth include sc-auth

6) Set SELinux to Permissive mode. Run the following command:

[root@host pam.d]# setenforce permissive

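If SELinux is set to enforcing, the following error may be seen:

[Screenshot of the error message; image not available]

Note: setenforce changes only the running mode and does not persist across a reboot. In permissive mode SELinux logs policy denials instead of blocking them, and this applies to the whole system, not only to the login service.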

7) REMINDER: After following the steps listed in this article, the user will get prompted twice for their smartcard PIN. This is expected until we build this solution into a future release.
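
As an added example (not Centrify's code), steps 3 through 5a can be scripted as below so the edits are repeatable and can be tried on a scratch copy first. The function names, the .bak backup and the sample file contents are assumptions made for the illustration; step 6 (SELinux) is left out.

```bash
#!/bin/bash
# Added example (not vendor code): steps 3-5a against the PAM files in a directory.
apply_sc_console_pam() {
    local dir="${1:-/etc/pam.d}"
    local src="$dir/smartcard-auth" sc="$dir/sc-auth" login="$dir/login"
    [ -f "$src" ] && [ -f "$login" ] || { echo "PAM files missing in $dir" >&2; return 1; }

    # Step 3: create sc-auth with smartcard-auth's mode; the source stays untouched.
    cp -p "$src" "$sc" || return 1
    # Steps 4/4a: comment out the first two pam_succeed_if auth lines and pam_fprintd.
    awk '/^auth[ \t].*pam_succeed_if/ && n < 2 { n++; print "#" $0; next }
         /^auth[ \t].*pam_fprintd/             { print "#" $0; next }
         { print }' "$src" > "$sc" || return 1

    # Steps 5/5a: swap the system-auth substack for sc-auth; do nothing if already done.
    grep -Eq '^auth[[:space:]]+include[[:space:]]+sc-auth' "$login" && return 0
    grep -Eq '^auth[[:space:]]+substack[[:space:]]+system-auth' "$login" ||
        { echo "no 'auth substack system-auth' line in $login" >&2; return 1; }
    cp -p "$login" "$login.bak" || return 1   # backup name is an assumption
    awk '/^auth[ \t]+substack[ \t]+system-auth/ {
             print "#" $0; print "auth include sc-auth"; next }
         { print }' "$login.bak" > "$login"
}

# Constructed sample files (not taken from a real host) for a dry run.
make_sample_pam_dir() {
    local d; d=$(mktemp -d) || return 1
    cat > "$d/smartcard-auth" <<'EOF'
auth [success=4 default=ignore] pam_succeed_if.so debug service notin gdm-smartcard use_uid
auth [success=ignore default=1] pam_succeed_if.so debug service in gnome-screensaver use_uid
auth sufficient pam_fprintd.so
auth requisite pam_succeed_if.so uid >= 500 quiet
EOF
    cat > "$d/login" <<'EOF'
auth substack system-auth
account required pam_nologin.so
EOF
    echo "$d"
}

# Dry run on the constructed files; pass /etc/pam.d (as root) for the real edit.
d=$(make_sample_pam_dir) && apply_sc_console_pam "$d" && cat "$d/sc-auth" "$d/login"
rm -rf "$d"
```

Keep the root SSH session from step 2 open while testing the console login, so the .bak copy of login can be restored if the new stack locks you out.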

*Additional notes*

Regarding SSH login using a smartcard: Centrify recommends using the open source PuTTY-CAC, as it uses public key login. We will consider adopting this tool while the software matures and we resolve the licensing issues.

The configuration steps listed above are only necessary until we build this into a future release.