Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-7159: Smartcard login not working on system that has been hardened

Authentication Service ,  

22 September,16 at 04:27 PM

Applies to:

All Versions of Centrify DirectControl on RHEL and CentOS


Problem:

When prompted to login to a machine configured to use smart cards that has hardening (STIG) scripts applied, the smart card pin prompt does not appear.  The only option is to use username and password.


Cause:

Most hardening (STIG) scripts change the root users umask from the default of 022 to 077.  When 'sctool -e' is run, it updates the file /etc/sysconfig/authconfig which originally has file permissions of 0644.  Because the root account is being used, it sets the file to have permissions of 0600 after it is modified.

Usually in a hardened environment as well, the GDM GUI is set to run with a non-privileged account (non-root).

As the /etc/sysconfig/authconfig file is now set to 0600, the GDM GUI users is unable to read that file and therefore, fails to prompt for a smart card login.


Workaround:

Change the file permissions of the /etc/sysconfig/authconfig file back to 0644 and then the smart card pin prompt should then appear when logging in.

To change the permissions on the /etc/sysconfig/authconfig, run the following command:
chmod 644 /etc/sysconfig/authconfig

Verify the permissions have been changed by running:
ls -al /etc/sysconfig/authconfig

The permissions should like the following:
-rw-r--r--. 1 root root 396 Sep 22 07:55 /etc/sysconfig/authconfig

Related Articles

 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-1617: Troubleshooting smart card issues on Mac systems articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-4323: Unable to use smartcard on RHEL 6.5 articleKB-15086: Using Smartcards for Text-Based Console Logons