KB-16492: Setting up dzdo to use smart card authentication

Authentication Service, Smart Card Service

28 June,19 at 03:14 PM

Below are the steps to use smart card authentication when running privileged commands with dzdo.

Note: There are two caveats to this setup.
    1. Password authentication can no longer be used with dzdo. If re-authentication is required by the privileged command, it will only prompt for the PIN.
    2. The smart card user will be prompted for their PIN twice.


On the RHEL-based system, as root or a root equivalent, run the following commands:

1. cd /etc/pam.d

2. cp dzdo dzdo.orig

3. cp smartcard-auth dzdo

4. Modify the new dzdo PAM stack and comment out the following two lines:
 
auth    [success=4 default=ignore]      pam_succeed_if.so       debug service notin gdm-smartcard:gnome-screensaver:kscreensaver:xscreensaver use_uid     # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth    [success=ignore default=1]      pam_succeed_if.so       debug service in gnome-screensaver:kscreensaver:xscreensaver use_uid    # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE

The new dzdo PAM stack should now look like the listing below. The two lines commented out in step 4 appear with a leading #.
 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
#auth    [success=4 default=ignore]    pam_succeed_if.so    debug service notin gdm-smartcard:gnome-screensaver:kscreensaver:xscreensaver use_uid     # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
#auth    [success=ignore default=1]    pam_succeed_if.so    debug service in gnome-screensaver:kscreensaver:xscreensaver use_uid     # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE

auth    [success=ignore default=2]    pam_centrifydc.so    check_smartcard_user     # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth    [success=ok new_authtok_reqd=ok ignore=ignore authinfo_unavail=1 default=die]    pam_centrify_pkcs11.so    nodebug wait_for_card     # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth    [success=done ignore=done default=die]    pam_centrifydc.so    pkinit # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth    sufficient    pam_centrifydc.so    try_first_pass     # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth    requisite    pam_centrifydc.so    deny     # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth    required    pam_env.so        # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth    sufficient    pam_fprintd.so        # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth    sufficient    pam_unix.so    nullok try_first_pass     # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth    requisite    pam_succeed_if.so    uid >= 1000 quiet     # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
auth    required    pam_deny.so        # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
account    sufficient    pam_centrifydc.so        # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
account    requisite    pam_centrifydc.so    deny     # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
session    required    pam_centrifydc.so    homedir     # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
password    sufficient    pam_centrifydc.so    try_first_pass     # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE
password    requisite    pam_centrifydc.so    deny     # LINE ADDED BY SCTOOL - PLEASE DO NOT REMOVE

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


5. Run a privileged command using dzdo:
 
[smartcarduser@filesvr06 ~]$ dzdo adreload
Found the Smart card.
Welcome Smart card user!
Smart card PIN:
Enter PIN:
[smartcarduser@filesvr06 ~]$
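As an added illustration that is not part of the Centrify article, the script below models how libpam walks the auth section of the dzdo stack using the pam.conf(5) control actions (ok, done, bad, die, ignore, N = jump), and traces which modules a smart card user running dzdo reaches before and after step 4: with the two SCTOOL service-check lines active, `dzdo` is not in the `notin` list, so the stack jumps straight over pam_centrify_pkcs11.so and pam_centrifydc.so pkinit to the password module; once they are commented out, the PKCS#11 and pkinit modules run, and a failed PIN check ends the stack with `default=die` before any password module is consulted (caveat 1). The stack excerpt, the module outcomes and the `smartcard_user`/`run_stack`/`parse_stack` names are constructed for this example; the parser handles only the bracket control form (keyword controls are rewritten as their bracket equivalents), and a jump is modelled as leaving the stack's result unchanged.

```python
# Constructed excerpt of the article's dzdo auth stack before step 4 (SCTOOL service checks still active).
ORIGINAL = """\
auth [success=4 default=ignore] pam_succeed_if.so service notin gdm-smartcard:gnome-screensaver:kscreensaver:xscreensaver use_uid
auth [success=ignore default=1] pam_succeed_if.so service in gnome-screensaver:kscreensaver:xscreensaver use_uid
auth [success=ignore default=2] pam_centrifydc.so check_smartcard_user
auth [success=ok new_authtok_reqd=ok ignore=ignore authinfo_unavail=1 default=die] pam_centrify_pkcs11.so nodebug wait_for_card
auth [success=done ignore=done default=die] pam_centrifydc.so pkinit
auth [success=done default=ignore] pam_centrifydc.so try_first_pass
"""
# Step 4 of the article: comment out the two service-check lines.
MODIFIED = "\n".join("#" + l if "pam_succeed_if.so service" in l else l for l in ORIGINAL.splitlines())

def parse_stack(text, facility="auth"):   # -> [(control dict, module, args)]; '#' comments are dropped
    stack = []
    for line in text.splitlines():
        toks = line.split("#", 1)[0].split()
        if not toks or toks[0].lstrip("-") != facility:
            continue
        end = next(i for i, t in enumerate(toks) if t.endswith("]"))       # bracket control may span tokens
        control = dict(kv.split("=", 1) for kv in " ".join(toks[1:end + 1]).strip("[]").split())
        stack.append((control, toks[end + 1], toks[end + 2:]))
    return stack

def run_stack(stack, outcome):   # libpam-style dispatch -> (authenticated, modules actually consulted)
    impression, status, trace, i = None, None, [], 0   # impression: undecided / '+' positive / '-' negative
    while i < len(stack):
        control, module, args = stack[i]
        i += 1
        ret = outcome(module, args)                      # constructed return value, e.g. "success"
        trace.append(f"{module} {args[0]}" if args else module)
        action = control.get(ret, control.get("default", "bad"))
        if action.isdigit():                             # N: skip the next N modules (modelled as neutral)
            i += int(action)
        elif action in ("ok", "done"):
            if impression is None or (impression == "+" and status == "success"):
                impression, status = "+", ret
            if action == "done" and impression == "+": break
        elif action in ("bad", "die"):
            if impression != "-": impression, status = "-", ret
            if action == "die": break
    return status == "success", trace

def smartcard_user(service="dzdo", pin_ok=True):
    """Constructed outcomes for a smart card user: only the service check and the PKCS#11 PIN check vary."""
    def outcome(module, args):
        if module == "pam_succeed_if.so" and args[0] == "service":
            return "success" if (service in args[2].split(":")) == (args[1] == "in") else "auth_err"
        if module == "pam_centrify_pkcs11.so": return "success" if pin_ok else "auth_err"
        return "success"                                 # check_smartcard_user, pkinit, password modules
    return outcome
```

Running `run_stack(parse_stack(MODIFIED), smartcard_user(pin_ok=False))` returns a failed result whose trace stops at pam_centrify_pkcs11.so, which is the behaviour caveat 1 describes.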
