Trusted Solaris 8 HW 12/02 Release Notes

Enabling Smart Card Removes PAM Entries From pam.conf File (4827207, 4830611)

The smartcard -c enable command updates the pam.conf file incorrectly. The result is that the user is unable to log in with a smart card.

Workaround: In the secadmin role, do the following steps:

  1. Before configuring smart card, save the /etc/pam.conf file.


    $ cp /etc/pam.conf /etc/pam.conf.orig
    
  2. Configure smart card using the Smart Card Admin GUI. The executable is /usr/dt/bin/sdtsmartcardadmin.

  3. Enable smart card with the following command:


    $ smartcard -c enable
    
  4. Before logging out, restore the /etc/pam.conf file.


    $ cp /etc/pam.conf.orig /etc/pam.conf
    
  5. Add the following lines to the /etc/pam.conf file.

    Add lines that contain pam_smartcard for both dtlogin and dtsession, and append use_first_pass to the dtlogin and dtsession lines that contain pam_unix.


    Note –

    The lines in the pam.conf file should not contain continuation characters. For display purposes, the lines below contain continuation (\) characters.



    dtlogin auth  requisite   /usr/lib/security/$ISA/pam_smartcard.so.1
    dtlogin auth  requisite   /usr/lib/security/$ISA/pam_tp_auth.so.1 
    dtlogin auth  requisite   /usr/lib/security/$ISA/pam_unix.so.1 \
     check_retries use_first_pass
     … 
    dtsession   auth  requisite   /usr/lib/security/$ISA/pam_smartcard.so.1 
    dtsession   auth  required    /usr/lib/security/$ISA/pam_unix.so.1 \
     use_first_pass 
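
One way to check the edited file after step 5, as an added example that is not part of the original release notes. It reports a missing pam_smartcard or pam_unix auth line for dtlogin or dtsession, a pam_unix line without use_first_pass or placed ahead of pam_smartcard, and any leftover continuation character. The function names and the sample input are constructed for illustration; a POSIX sh and awk are assumed.

```shell
# Constructed sample: the step 5 entries, each joined onto a single line.
sample_pam_conf() {
    cat <<'EOF'
dtlogin auth requisite /usr/lib/security/$ISA/pam_smartcard.so.1
dtlogin auth requisite /usr/lib/security/$ISA/pam_tp_auth.so.1
dtlogin auth requisite /usr/lib/security/$ISA/pam_unix.so.1 check_retries use_first_pass
dtsession auth requisite /usr/lib/security/$ISA/pam_smartcard.so.1
dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
EOF
}

# check_pam_conf [FILE]: print each problem found; return 0 only if none.
# Reads standard input when no file is given.
check_pam_conf() {
    awk '
    /^[ \t]*#/  { next }                      # ignore comment lines
    /\\[ \t]*$/ { printf "line %d: continuation character\n", NR; bad = 1 }
    ($1 == "dtlogin" || $1 == "dtsession") && $2 == "auth" {
        if ($4 ~ /\/pam_smartcard\.so\.1$/) sc[$1] = 1
        if ($4 ~ /\/pam_unix\.so\.1$/) {
            ux[$1] = 1
            if (!sc[$1]) early[$1] = NR       # step 5 lists pam_smartcard first
            if ($0 !~ /[ \t]use_first_pass([ \t]|$)/) {
                printf "line %d: %s pam_unix lacks use_first_pass\n", NR, $1
                bad = 1
            }
        }
    }
    END {
        n = split("dtlogin dtsession", svc, " ")
        for (i = 1; i <= n; i++) {
            s = svc[i]
            if (!sc[s]) {
                printf "%s: no pam_smartcard auth line\n", s; bad = 1
            } else if (early[s]) {
                printf "%s: pam_unix (line %d) precedes pam_smartcard\n", s, early[s]; bad = 1
            }
            if (!ux[s]) { printf "%s: no pam_unix auth line\n", s; bad = 1 }
        }
        exit bad + 0
    }' "$@"
}

# Self-check against the constructed sample.
sample_pam_conf | check_pam_conf && echo "sample passes"
```

Run it as `check_pam_conf /etc/pam.conf` before logging out; a non-zero exit status means at least one entry still needs correcting.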

When a patch is released, you can apply the patch to your system. Once the patch is applied, you do not need the workaround.