Enabling Desktop Login With a Solaris Smartcard

The final step in setting up a desktop system is to enable the use of a Solaris Smartcard for desktop login. See To Enable Smartcard Usage (Command Line) for step-by-step instructions.

You cannot log in through dtlogin if you enable Smartcard and either of the following conditions is true:

• You do not have a working smart card

• You have not configured a smart card successfully

If you enable Smartcard before you have set up a working smart-card configuration, you must first disable Smartcard. Do the following to disable Smartcard so that you can set up Smartcard for use:

1. Log in to the system remotely with the ssh or rlogin command.

2. Become superuser (root).

3. Disable smart-card operations.

   # smartcard -c disable

To Enable Smartcard Usage (Command Line)

Use this procedure to enable Solaris Smartcard usage on a system. A user must use an accepted smart card for the system. A user might also need to type a PIN to log in to the system.

1. Become superuser on each system to be used in Smartcard operations.
2. Verify that the ocfserv daemon is enabled.

   The following command provides the status of the service.

   # svcs network/rpc/ocfserv

   ---

   Note - Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.

   ---

3. (Optional) If necessary, enable the ocfserv daemon.

   # svcadm enable network/rpc/ocfserv

4. Stop the desktop.

   # /etc/init.d/dtlogin stop

5. Enable Solaris Smartcard operations.

   # smartcard -c enable

6. Restart the desktop.

   # /etc/init.d/dtlogin start

   ---

   Note - When CDE is configured for Smartcard login, /etc/pam.conf is modified to include pam_smartcard. For example, when smartcard -c enable is executed, the following lines are inserted at the top of the auth stacks for dtlogin and dtsession:

   dtlogin auth requisite pam_smartcard.so
   dtsession auth requisite pam_smartcard.so

   ---