Below are the steps to use smart card authentication when running privileged commands with dzdo.

Note: There are two caveats to this setup.

1. Password authentication can no longer be used with dzdo. If re-authentication is required for the privileged command, it will only prompt for the PIN.
2. The smart card user will be prompted for their PIN twice.

On the RHEL-based system, as root or a root equivalent, run the following commands:

1. cd /etc/pam.d
2. cp dzdo dzdo.orig
3. cp smartcard-auth dzdo
4. Modify the new dzdo PAM stack and comment out the following two lines:
auth [success=4 default=ignore] pam_succeed_if.so debug service notin gdm-smartcard:gnome-screensaver:kscreensaver:xscreensaver use_uid # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth [success=ignore default=1] pam_succeed_if.so debug service in gnome-screensaver:kscreensaver:xscreensaver use_uid # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
The new dzdo PAM stack should now look like the listing below. The two lines commented out in step 4 now begin with #.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
#auth [success=4 default=ignore] pam_succeed_if.so debug service notin gdm-smartcard:gnome-screensaver:kscreensaver:xscreensaver use_uid # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
#auth [success=ignore default=1] pam_succeed_if.so debug service in gnome-screensaver:kscreensaver:xscreensaver use_uid # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth [success=ignore default=2] pam_centrifydc.so check_smartcard_user # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth [success=ok new_authtok_reqd=ok ignore=ignore authinfo_unavail=1 default=die] pam_centrify_pkcs11.so nodebug wait_for_card # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth [success=done ignore=done default=die] pam_centrifydc.so pkinit # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth sufficient pam_centrifydc.so try_first_pass # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth requisite pam_centrifydc.so deny # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth required pam_env.so # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth sufficient pam_fprintd.so # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth sufficient pam_unix.so nullok try_first_pass # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth requisite pam_succeed_if.so uid >= 1000 quiet # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth required pam_deny.so # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
account sufficient pam_centrifydc.so # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
account requisite pam_centrifydc.so deny # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
session required pam_centrifydc.so homedir # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
password sufficient pam_centrifydc.so try_first_pass # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
password requisite pam_centrifydc.so deny # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password required pam_pkcs11.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
5. Run a privileged command using dzdo:
[smartcarduser@filesvr06 ~]$ dzdo adreload
Found the Smart card.
Welcome Smart card user!
Smart card PIN:
Enter PIN:
[smartcarduser@filesvr06 ~]$
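The following script is an added example, not part of the original article or of Centrify's tooling: it carries out steps 1 through 4 on a pam.d directory given as its first argument (defaulting to /etc/pam.d) and then checks the resulting dzdo stack before step 5 is attempted. It assumes the two lines to disable are the only uncommented auth lines carrying "pam_succeed_if.so debug service", as in the listing above, and that the stack keeps the pam_centrifydc.so and pam_centrify_pkcs11.so lines it relies on.

```shell
#!/bin/sh
# Added example (not from the original article). Rehearse on a copy of
# /etc/pam.d first: build_dzdo_stack /tmp/pamd-copy && verify_dzdo_stack /tmp/pamd-copy

build_dzdo_stack() {
    pamdir="${1:-/etc/pam.d}"
    # Step 2: keep the original dzdo stack so the change can be rolled back.
    cp "$pamdir/dzdo" "$pamdir/dzdo.orig" || return 1
    # Step 3: start from the smartcard-auth stack.
    cp "$pamdir/smartcard-auth" "$pamdir/dzdo" || return 1
    # Step 4: comment out the two service-filter lines. 'sed -i' differs
    # between GNU and BSD sed, so write through a temporary file instead.
    sed -e 's/^\(auth[[:space:]]\{1,\}\[success=4 default=ignore\][[:space:]]\{1,\}pam_succeed_if\.so[[:space:]]\{1,\}debug service notin\)/#\1/' \
        -e 's/^\(auth[[:space:]]\{1,\}\[success=ignore default=1\][[:space:]]\{1,\}pam_succeed_if\.so[[:space:]]\{1,\}debug service in\)/#\1/' \
        "$pamdir/dzdo" > "$pamdir/dzdo.tmp" || return 1
    mv "$pamdir/dzdo.tmp" "$pamdir/dzdo"
}

# Check that no service-filter line is still active (an active one would
# skip the smart card modules for the dzdo service) and that the Centrify
# smart card modules from the listing are present and uncommented.
verify_dzdo_stack() {
    f="${1:-/etc/pam.d}/dzdo"
    if grep -q '^auth.*pam_succeed_if\.so.*debug service' "$f"; then
        echo "$f: a service-filter line is still active" >&2
        return 1
    fi
    grep -q '^auth.*pam_centrifydc\.so.*check_smartcard_user' "$f" || return 1
    grep -q '^auth.*pam_centrify_pkcs11\.so' "$f" || return 1
    grep -q '^auth.*pam_centrifydc\.so.*pkinit' "$f" || return 1
    echo "$f: smart card stack OK"
}
```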