https://www.centos.org/docs/5/html/5.1/Deployment_Guide/sso-sc-config.html
Before you can use your smart card to log in to your system and take advantage of the increased security options this technology provides, you need to perform some basic installation and configuration steps. These are described below.
This section provides a high-level view of getting started with your smart card. More detailed information is available in the Red Hat Certificate System Enterprise Security Client Guide.
Log in with your Kerberos name and password.
Make sure you have the nss-tools package loaded.
Download and install your corporate-specific root certificates. Use the following command to install the root CA certificate:
certutil -A -d /etc/pki/nssdb -n "root ca cert" -t "CT,C,C" -i ./ca_cert_in_base64_format.crt
Verify that you have the following RPMs installed on your system: esc, pam_pkcs11, coolkey, ifd-egate, ccid, gdm, authconfig, and authconfig-gtk.
Enable Smart Card Login Support
On the Gnome Title Bar, select System->Administration->Authentication.
Type your machine's root password if necessary.
In the Authentication Configuration dialog, click the Authentication tab.
Select the Enable Smart Card Support check box.
Click the Configure Smart Card... button to display the Smartcard Settings dialog, and specify the required settings:
Require smart card for login — Clear this check box. After you have successfully logged in with the smart card you can select this option to prevent users from logging in without a smart card.
Card Removal Action — This controls what happens when you remove the smart card after you have logged in. The available options are:
Lock — Removing the smart card locks the X screen.
Ignore — Removing the smart card has no effect.
If you need to enable the Online Certificate Status Protocol (OCSP), open the /etc/pam_pkcs11/pam_pkcs11.conf file and locate the following line:
enable_ocsp = false;
Change this value to true, as follows:
enable_ocsp = true;
Enroll your smart card
If you are using a CAC card, you also need to perform the following steps:
Change to the root account and create a file called /etc/pam_pkcs11/cn_map.
Add the following entry to the cn_map file:
MY.CAC_CN.123454 -> myloginid
where MY.CAC_CN.123454 is the Common Name on your CAC and myloginid is your UNIX login ID.
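The two file edits above (the enable_ocsp line in pam_pkcs11.conf and the cn_map entry) are easy to get wrong by hand: a second enable_ocsp line or a duplicate, conflicting CN mapping silently changes who may log in. The following shell functions are an added example, not part of the CentOS guide or pam_pkcs11; they take the file path as an argument so they can be exercised on a scratch copy before touching the real files under /etc/pam_pkcs11, and they replace rather than append, and refuse to map a CN twice.

```shell
#!/bin/sh
# Added example (not from the guide). Paths are passed in so the functions can
# be tried on a temporary copy; the real files are /etc/pam_pkcs11/pam_pkcs11.conf
# and /etc/pam_pkcs11/cn_map.

# set_ocsp FILE VALUE: set "enable_ocsp = VALUE;" in place, replacing an
# existing line so the config never ends up with two enable_ocsp settings.
set_ocsp() {
  conf="$1"; val="$2"
  if grep -q '^[[:space:]]*enable_ocsp[[:space:]]*=' "$conf"; then
    sed -i "s/^[[:space:]]*enable_ocsp[[:space:]]*=.*/enable_ocsp = ${val};/" "$conf"
  else
    printf 'enable_ocsp = %s;\n' "$val" >> "$conf"
  fi
}

# get_ocsp FILE: print the current value (true/false), or "unset" if absent.
get_ocsp() {
  v=$(sed -n 's/^[[:space:]]*enable_ocsp[[:space:]]*=[[:space:]]*\([a-z]*\);.*/\1/p' "$1")
  if [ -n "$v" ]; then printf '%s\n' "$v"; else echo unset; fi
}

# add_cn_map FILE CN LOGIN: append "CN -> LOGIN" unless CN is already mapped.
# Exact (whole-field) comparison in awk avoids regex surprises from the dots
# in a CAC Common Name. Returns 1 if CN already has a mapping.
add_cn_map() {
  mapf="$1"; cn="$2"; login="$3"
  touch "$mapf"
  if awk -v cn="$cn" '$1 == cn && $2 == "->" { found = 1 } END { exit !found }' "$mapf"; then
    return 1
  fi
  printf '%s -> %s\n' "$cn" "$login" >> "$mapf"
}

# lookup_cn FILE CN: print the UNIX login mapped to CN (empty if none).
lookup_cn() {
  awk -v cn="$2" '$1 == cn && $2 == "->" { print $3 }' "$1"
}

# Demo on scratch copies (constructed sample content, not the system files).
demo_conf=$(mktemp); demo_map=$(mktemp)
printf '# sample pam_pkcs11.conf fragment\nenable_ocsp = false;\n' > "$demo_conf"
set_ocsp "$demo_conf" true
add_cn_map "$demo_map" MY.CAC_CN.123454 myloginid
echo "ocsp=$(get_ocsp "$demo_conf") login=$(lookup_cn "$demo_map" MY.CAC_CN.123454)"
rm -f "$demo_conf" "$demo_map"
```

After editing the real files, `certutil -L -d /etc/pki/nssdb` lists the installed CA certificates and their trust flags, so you can confirm the root CA from the earlier step is present before enabling "Require smart card for login".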
Logout