All Versions of Centrify DirectControl on RHEL and CentOS

Problem:
When prompted to log in to a machine that is configured to use smart cards and has hardening (STIG) scripts applied, the smart card PIN prompt does not appear. The only option is to use username and password.

Cause:
Most hardening (STIG) scripts change the root user's umask from the default of 022 to 077. When 'sctool -e' is run, it updates the file /etc/sysconfig/authconfig, which originally has file permissions of 0644. Because the root account is being used, the file has permissions of 0600 after it is modified.
In a hardened environment, the GDM GUI is also usually set to run with a non-privileged (non-root) account.
Because the /etc/sysconfig/authconfig file is now set to 0600, the GDM GUI user is unable to read that file and therefore fails to prompt for a smart card login.

Workaround:
Change the file permissions of the /etc/sysconfig/authconfig file back to 0644; the smart card PIN prompt should then appear when logging in.
To change the permissions on /etc/sysconfig/authconfig, run the following command:
chmod 644 /etc/sysconfig/authconfig
Verify the permissions have been changed by running:
ls -al /etc/sysconfig/authconfig
The permissions should look like the following:
-rw-r--r--. 1 root root 396 Sep 22 07:55 /etc/sysconfig/authconfig
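
The check and fix above can be wrapped in a small script, shown here as an added example that is not Centrify's own code. The function names are hypothetical, the sample file content is constructed, and the reproduction assumes the file is recreated as a new file under umask 077 rather than edited in place.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# Print the 10-character mode string, e.g. -rw-r--r--
# (cut drops the trailing SELinux "." or ACL "+" that ls may append).
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# Return 0 if "other" has read permission, which the non-root GDM account needs.
other_can_read() {
    [ "$(mode_string "$1" | cut -c8)" = "r" ]
}

# Restore 0644 only when the file is not readable by "other".
# Defaults to the path named in the article. Returns 0 if the file ends up readable,
# 1 if chmod failed, 2 if the file does not exist.
ensure_authconfig_readable() {
    f=${1:-/etc/sysconfig/authconfig}
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    if other_can_read "$f"; then
        echo "ok: $f is $(mode_string "$f")"
    else
        echo "fixing: $f was $(mode_string "$f")"
        chmod 644 "$f" || return 1
    fi
    other_can_read "$f"
}

# Constructed reproduction on a scratch path: a file recreated under
# umask 077 comes out 0600. Assumption: the file is written as a new file.
simulate_hardened_rewrite() {
    ( umask 077; rm -f -- "$1"; printf 'SAMPLE=constructed\n' > "$1" )
}
```

Called with no argument, ensure_authconfig_readable checks /etc/sysconfig/authconfig and needs root to change the mode.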