How to enforce smartcard authentication when logging into a console with text-based input?
Assuming the prerequisite steps for implementing smartcard login have been followed (as per the guide below), a few modifications to the PAM files and to SELinux are all that is necessary to make this work. Note, however, that with this configuration the user will be asked for their smartcard PIN twice.
To set this up, two files will be edited: /etc/pam.d/sc-auth (a copy of /etc/pam.d/smartcard-auth) and /etc/pam.d/login. To modify these files, start with the following steps:
1) Boot server to text console login
2) Establish an SSH login to server as root
3) Run the following commands:
[root@host home]# cd /etc/pam.d
[root@host pam.d]# cp smartcard-auth sc-auth
4) Edit the sc-auth file. Comment out the first two (auth) pam_succeed_if lines (flagged as SCTOOL) so that they read:
#auth [success=4 default=ignore] pam_succeed_if.so debug service notin gdm-smartcard:gnome-screensaver:kscreensaver:xscreensaver use_uid # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
#auth [success=ignore default=1] pam_succeed_if.so debug service in gnome-screensaver:kscreensaver:xscreensaver use_uid # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
4a) Next, comment out the pam_fprintd line so that it reads:
#auth sufficient pam_fprintd.so # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
5) Edit /etc/pam.d/login. Comment out the following line:
#auth substack system-auth
5a) Add the following line beneath it:
auth include sc-auth
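The PAM edits of steps 3 to 5a, written as a small POSIX shell script so they can be applied and verified consistently. This is an added example, not part of the Centrify article or of its tooling. PAMDIR is an assumed variable: when it is unset, the script builds a constructed scratch copy of smartcard-auth and login under a temporary directory, so it never touches /etc/pam.d unless you point it there as root. The SELinux step (setenforce) is deliberately not performed by the script.

```shell
#!/bin/sh
# Added example, not from the Centrify article: applies the PAM edits of
# steps 3 to 5a with awk instead of a hand edit, then checks the result.
# PAMDIR is an assumed variable; when unset a constructed scratch copy of the
# two files is used so /etc/pam.d is never modified.
# Step 6 (setenforce permissive) is intentionally left out.

# Constructed sample stacks, approximating what sctool leaves behind; the
# real files on a host differ in the surrounding modules.
make_sample_pamd() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/smartcard-auth" <<'EOF'
auth        required      pam_env.so
auth        [success=4 default=ignore] pam_succeed_if.so debug service notin gdm-smartcard:gnome-screensaver:kscreensaver:xscreensaver use_uid # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth        [success=ignore default=1] pam_succeed_if.so debug service in gnome-screensaver:kscreensaver:xscreensaver use_uid # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth        sufficient    pam_fprintd.so # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth        sufficient    pam_pkcs11.so
auth        required      pam_deny.so
EOF
  cat > "$dir/login" <<'EOF'
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
EOF
}

# Steps 3, 4, 4a, 5 and 5a against the pam.d directory given as $1.
apply_console_smartcard() {
  dir=$1
  # Step 3: sc-auth is a fresh copy of smartcard-auth; the original stays untouched.
  cp "$dir/smartcard-auth" "$dir/sc-auth"
  # Steps 4/4a: comment out only the SCTOOL-flagged pam_succeed_if and pam_fprintd auth lines.
  awk '$1 == "auth" && /LINE ADDED BY SCTOOL/ && (/pam_succeed_if\.so/ || /pam_fprintd\.so/) { print "#" $0; next }
       { print }' "$dir/sc-auth" > "$dir/sc-auth.tmp" && mv "$dir/sc-auth.tmp" "$dir/sc-auth"
  # Steps 5/5a: comment out "auth substack system-auth" and add "auth include sc-auth" beneath it.
  # A line that is already commented no longer matches, so re-running does not duplicate the include.
  awk '$1 == "auth" && $2 == "substack" && $3 == "system-auth" { print "#" $0; print "auth       include      sc-auth"; next }
       { print }' "$dir/login" > "$dir/login.tmp" && mv "$dir/login.tmp" "$dir/login"
}

# Returns 0 when the edits are in place: no active SCTOOL pam_succeed_if/pam_fprintd
# auth line in sc-auth, the system-auth substack disabled and sc-auth included in login.
check_console_smartcard() {
  dir=$1
  if grep -Eq '^auth[[:space:]].*(pam_succeed_if|pam_fprintd)\.so.*LINE ADDED BY SCTOOL' "$dir/sc-auth"; then
    return 1
  fi
  grep -Eq '^#auth[[:space:]]+substack[[:space:]]+system-auth' "$dir/login" || return 1
  grep -Eq '^auth[[:space:]]+include[[:space:]]+sc-auth' "$dir/login" || return 1
}

if [ -z "${PAMDIR:-}" ]; then
  PAMDIR=$(mktemp -d)   # scratch copy; set PAMDIR=/etc/pam.d (as root) to apply for real
  make_sample_pamd "$PAMDIR"
fi
apply_console_smartcard "$PAMDIR"
if check_console_smartcard "$PAMDIR"; then
  echo "console smartcard PAM edits in place under $PAMDIR"
else
  echo "edits not applied cleanly under $PAMDIR" >&2
fi
```

The script keys on the "LINE ADDED BY SCTOOL" marker rather than on every pam_succeed_if line, which is what step 4 describes, and it leaves smartcard-auth itself untouched so the graphical login path keeps working. Keep a backup of /etc/pam.d/login before running it against a real host, since a broken login stack locks you out of the console.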
6) Set SELinux to Permissive mode. Run the following command:
[root@host pam.d]# setenforce permissive
If SELinux is set to enforcing, the following error may be seen:
7) REMINDER: After following the steps listed in this article, the user will be prompted twice for their smartcard PIN. This is expected until we build this solution into a future release.
*Additional notes*
Regarding SSH login using a smartcard: Centrify recommends using the open source PUTTY-CAC, as it uses public key login. We will consider adopting this tool as the software matures and the licensing issues are resolved.
The configuration steps listed above are only necessary until we build this into a future release.