The smartcard -c enable command updates the pam.conf file incorrectly. The result is that the user is unable to log in with a smart card.
Workaround: In the secadmin role, do the following steps:
Before configuring the smart card, save a copy of the /etc/pam.conf file.
$ cp /etc/pam.conf /etc/pam.conf.orig
Configure the smart card using the Smart Card Admin GUI. The executable is /usr/dt/bin/sdtsmartcardadmin.
Enable the smart card with the following command:
$ smartcard -c enable
Before logging out, restore the saved /etc/pam.conf file.
$ cp /etc/pam.conf.orig /etc/pam.conf
Add the following lines to the /etc/pam.conf file.
Add lines that contain pam_smartcard for both dtlogin and dtsession, and append use_first_pass to the dtlogin and dtsession lines that contain pam_unix.
Each entry in the pam.conf file must be on a single line, without continuation characters. For display purposes only, the long lines below are broken with continuation (\) characters.
dtlogin auth requisite /usr/lib/security/$ISA/pam_smartcard.so.1
dtlogin auth requisite /usr/lib/security/$ISA/pam_tp_auth.so.1
dtlogin auth requisite /usr/lib/security/$ISA/pam_unix.so.1 \
    check_retries use_first_pass
…
dtsession auth requisite /usr/lib/security/$ISA/pam_smartcard.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 \
    use_first_pass
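The following script is an added example, not part of the release note or of Sun's tooling. It shows the pam.conf editing step of the workaround (insert a pam_smartcard entry ahead of the dtlogin and dtsession auth stacks, append use_first_pass to their pam_unix entries) as an idempotent awk rewrite, plus a check a secadmin can run afterwards: no entry ends with a continuation character, pam_smartcard precedes pam_unix for each service, and use_first_pass is present. It works on a constructed sample file, never on the live /etc/pam.conf, and does not run the GUI or smartcard -c enable; the backup/restore steps appear only as comments.

```shell
#!/bin/sh
# Added example: pam.conf rewrite and verification for the smart card workaround.
# The surrounding procedure, not executed here:
#   cp /etc/pam.conf /etc/pam.conf.orig      # save
#   ... run sdtsmartcardadmin, then: smartcard -c enable
#   cp /etc/pam.conf.orig /etc/pam.conf      # restore the broken file
#   add_smartcard_entries /etc/pam.conf && verify_pam_conf /etc/pam.conf

# Write a constructed, abridged "restored original" pam.conf to $1.
make_sample_pam_conf() {
    cat > "$1" <<'EOF'
# constructed sample pam.conf (abridged)
login	auth requisite	/usr/lib/security/$ISA/pam_unix.so.1
dtlogin	auth requisite	/usr/lib/security/$ISA/pam_unix.so.1 check_retries
dtsession	auth required	/usr/lib/security/$ISA/pam_unix.so.1
other	auth required	/usr/lib/security/$ISA/pam_unix.so.1
EOF
}

# Insert one pam_smartcard entry before the first auth line of dtlogin and of
# dtsession, and append use_first_pass to their pam_unix auth entries.
# Safe to re-run: an existing pam_smartcard entry or use_first_pass flag is kept.
add_smartcard_entries() {
    awk '
    ($1 == "dtlogin" || $1 == "dtsession") && $2 == "auth" {
        if (!seen[$1]) {
            seen[$1] = 1
            if ($0 !~ /pam_smartcard/)
                printf "%s\tauth requisite\t/usr/lib/security/$ISA/pam_smartcard.so.1\n", $1
        }
        if ($0 ~ /pam_unix\.so\.1/ && $0 !~ /use_first_pass/)
            $0 = $0 " use_first_pass"
    }
    { print }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Return 0 when $1 matches the workaround: no continuation characters, and for
# dtlogin and dtsession a pam_smartcard auth entry precedes a pam_unix entry
# that carries use_first_pass.
verify_pam_conf() {
    if grep -q '\\$' "$1"; then
        return 1   # an entry was left split across lines
    fi
    for svc in dtlogin dtsession; do
        sc=$(grep -n "^$svc[[:space:]][[:space:]]*auth.*pam_smartcard" "$1" | head -1 | cut -d: -f1)
        ux=$(grep -n "^$svc[[:space:]][[:space:]]*auth.*pam_unix" "$1" | head -1 | cut -d: -f1)
        [ -n "$sc" ] || return 1
        [ -n "$ux" ] || return 1
        [ "$sc" -lt "$ux" ] || return 1
        grep "^$svc[[:space:]][[:space:]]*auth.*pam_unix" "$1" | grep -q use_first_pass || return 1
    done
    return 0
}

# Demonstration on a temporary file.
demo=$(mktemp)
make_sample_pam_conf "$demo"
add_smartcard_entries "$demo"
if verify_pam_conf "$demo"; then
    echo "pam.conf matches the workaround:"
    cat "$demo"
else
    echo "pam.conf does NOT match the workaround" >&2
fi
rm -f "$demo"
```

The verifier is the part worth keeping around: the original failure mode is a pam.conf that looks plausible but whose dtlogin and dtsession stacks are wrong, and a line-order check catches that before the session is closed and the console lockout becomes real.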
When a patch is released, apply it to your system. Once the patch is applied, the workaround is no longer needed.