Solaris Smartcard Administration Guide

Chapter 1 Solaris Smartcard Overview

This chapter provides an overview of Solaris Smartcard features and provides basic information about installing and using Smartcard. The chapter also provides an overview of setting up a smart card. You can set up a smart card from the Smartcard Console or the command line. The tasks described in this chapter assume that you have identified how to implement smart cards at your site. The tasks also assume that you have set up a card reader on all systems for smart card use.

What's New With Smartcard

The Smartcard service is managed by the Service Management Facility. Administrative actions on this service, such as enabling, disabling, or restarting, can be performed by using the svcadm command. The service's status can be queried by using the svcs command. For more information about the Service Management Facility, refer to the smf(5) man page.


Note –

Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


Smartcard Features

A Solaris Smartcard provides a more secure method for logging in to the Solaris desktop environment than is provided by the standard UNIX login. Information that is stored on the smart card verifies the identity of the user during login. A user who cannot provide the login information that is on the smart card is denied access to the desktop. The Solaris Smartcard software does the following:

Smartcard Requirements

To use the Solaris Smartcard software, you need the following:


Note –

For the Solaris 9 release, any card reader for which you have an IFD handler can be used if patch 112926-04 has been installed.


Smartcard Login

Secure desktop environments can be protected by requiring users to log in with a configured Solaris Smartcard. The following sequence explains what happens in the login process:

  1. The dtlogin daemon prompts the user to insert a smart card and then to enter a personal identification number (PIN).

  2. The pam_smartcard module compares the entered PIN with the PIN that is stored on the card.

  3. If the typed PIN and the PIN stored on the card match, the user name and password are read from the card and used to authenticate the user. The authentication is based on the specified search order for passwd in /etc/nsswitch.conf.

Package Descriptions

The following table lists the Solaris Smartcard packages added during a Solaris 10 installation.

Table 1–1 Solaris Smartcard Packages

Package Name   Description
SUNWjcom       Java Communications API for smart card support—Java code and native code
SUNWjib        Dallas Semiconductor serial iButton OCF Card Terminal Driver
SUNWocf        Open Card Framework—core libraries and utilities
SUNWocfr       Open Card Framework—configuration files
SUNWocfh       Open Card Framework—header files
SUNWpamsc      Pluggable authentication module (PAM) for smart card authentication
SUNWscgui      Solaris Smartcard Console
SUNWscmhdlr    IFD handler for the internal reader

To remove a package, use the standard pkgrm command. Reinstall the package by using the pkgadd command.

See Chapter 18, Managing Software by Using Package Commands (Tasks), in System Administration Guide: Basic Administration for information about using these commands.

Smartcard Man Pages

Refer to the following man pages for detailed information about Smartcard commands:

Loading the SolarisAuthApplet

You must add the default SolarisAuthApplet applet to the card before you can add the user profile information. See To Load the Smartcard Applet to a Smart Card (Console) for instructions.

Initializing a Smart Card

After the default applet (SolarisAuthApplet) has been loaded, create the user profile information on the card. The user profile information specifies a login name and password for the card user. The user profile also names the protected application. The default PIN for the SolarisAuthApplet is $$$$java.

Procedure: To Create User Information on a Smart Card (Command Line)

User information includes login name, password, and the application that the card provides access to.

Steps
  1. Insert the card in the card reader.

  2. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    % svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  3. (Optional) If necessary, as root, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  4. Set the login name, password, and application for the card.

    Type the following on one line:


    # smartcard -c init -A A000000062030400 -P '$$$$java' user=me password=xx application=dtlogin
    

    This command is appropriate for all smart card devices that are supported by Solaris Smartcard.

    In this example, the user name is set to me, the password to xx, and the application to dtlogin. The user name and password can be set to any value, and either a system administrator or the user can change them when the card is issued. See To Set Up a User Profile (Console) for instructions.


    Note –

    You must enter the loaded applet ID and the current PIN. The -A A000000062030400 part of the command specifies the SolarisAuthApplet applet ID. You must enclose the default PIN, $$$$java, or any PIN containing shell special characters—such as $—within single quotes. Otherwise, the shell tries to interpret the PIN as a variable, and the command fails.
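
The following helpers are an added example and are not part of the Solaris guide. They cover the two points a practitioner checks in this procedure: reading the STATE column of svcs output for ocfserv (step 2), and quoting the PIN so that the shell passes it to smartcard literally (step 4 and the note above). The svcs output is a constructed sample, not captured from a real host; nothing below runs svcadm or smartcard itself, it only prints the command line to run. The applet ID A000000062030400 is the SolarisAuthApplet ID from this chapter.

```sh
#!/bin/sh
# Added example, not from the Solaris Smartcard guide. Constructed svcs output:
SAMPLE_SVCS='STATE          STIME    FMRI
online         10:12:01 svc:/network/rpc/ocfserv:default'

# Print the STATE field of the ocfserv line ("online", "disabled", ...).
# Reads svcs output on stdin so the function can run against the sample.
ocfserv_state() {
    awk 'index($NF, "network/rpc/ocfserv") { print $1; exit }'
}

# Show what the shell does to an UNQUOTED PIN: each "$$" becomes the shell's
# process ID, so "$$$$java" never reaches smartcard intact. (Demonstration only;
# call it with a PIN that contains no single quotes.)
unquoted_expansion() {
    sh -c "printf '%s\n' $1"
}

# Wrap a PIN in single quotes so every character is passed literally. An
# embedded single quote becomes '\'' (close quote, escaped quote, reopen).
quote_pin() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Assemble the init command from step 4 with the PIN quoted.
# Arguments: user password application pin
build_init_cmd() {
    printf 'smartcard -c init -A A000000062030400 -P %s user=%s password=%s application=%s' \
        "$(quote_pin "$4")" "$1" "$2" "$3"
}

# Stand-alone run: report the service state and print the command to type.
if [ "$(printf '%s\n' "$SAMPLE_SVCS" | ocfserv_state)" = online ]; then
    echo "ocfserv is online"
else
    echo "ocfserv is not online: run 'svcadm enable network/rpc/ocfserv' as root"
fi
echo "unquoted PIN would reach smartcard as: $(unquoted_expansion '$$$$java')"
build_init_cmd me xx dtlogin '$$$$java'
echo
```

On a live system, replace the constructed SAMPLE_SVCS with `svcs network/rpc/ocfserv | ocfserv_state`; the quoting helper is the part worth keeping if you script card initialization, since it also handles a PIN that itself contains a single quote.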


See Also

For Smartcard Console instructions, see the following:

Defining Authentication Properties on a Smart Card

You base the property settings of each smart card on the user's requirements, your site's security policies, and the limitations of the type of smart card used. Use the Configure Applets dialog box to define corresponding properties for each smart card. The client and server programs on the system read the properties on the smart card to determine whether to give the user access to a particular application.


Note –

These properties apply only to cards that have been initialized with the SolarisAuthApplet applet provided with Solaris Smartcard. If your site uses a different smart card applet, the available properties might differ. Refer to the smartcard(1M) man page for more information.


PIN Property

The PIN property is an authentication property that defines a personal identification number (PIN) for the card. The default PIN that is created on the card is $$$$java. Either you or the user can change $$$$java to a personalized PIN. Consider giving all users at your site the same default PIN name: changeme, for example. Then make sure each user changes the PIN to a value that is known only to that user.

See To Change the PIN on a Card (Console) for step-by-step instructions on changing the PIN on a smart card.

User and Password Properties

The user and password properties are authentication properties that identify the user and associate the user with the smart card's PIN. To set these properties, you must know the user's login name and password.

On systems that use the default authentication mechanism of PIN, ocfserv verifies the authenticity of the PIN. Next, ocfserv reads the user and password properties on the card. If the password on the smart card matches the user's entry in the system's password database, ocfserv gives the user access to the application.

Application Property

Use the application authentication property to designate which applications the user needs to log in to with a login name and password. The application authentication property is called a “user profile” in the Smartcard Console. For example, to require a smart card login to the desktop, specify dtlogin as the application associated with the login name and password on the card. You can also require a smart card login for an application specific to your site, such as a financial package or a personnel database. To require a smart card login for such an application, specify its name as the application property.

Before initializing an application on the card, find out which applications a user needs to access through smart card authentication. This step is particularly important when preparing a smart card for anyone who needs to log in to an application as root or another restricted login name.


Note –

PayFlex cards do not support multiple profiles. PayFlex cards cannot be used in cases where a user needs to log in to the desktop and to one or more secure applications. PayFlex cards cannot be used with multiple user names.


The application property on the smart card works in tandem with the other authentication properties. For example, suppose you initialized a smart card for user Ed with the following information:

The preceding information would be typed on the command line, as follows:


# smartcard -c init -A A000000062030400 -P '$$$$java' application=dtlogin user=ed password=xx

When Ed inserts his card into the reader and tries to log in to the desktop (dtlogin), ocfserv reads the card to determine whether any authentication properties are associated with dtlogin. The ocfserv server finds that the user and password properties are associated with dtlogin.

The ocfserv server prompts Ed for his PIN. The typed PIN is compared with the PIN that is stored on the smart card that is assigned to the dtlogin application. Also, ocfserv uses the login name and password on Ed's card, along with the passwords in the system's password database, to verify that Ed is who he claims to be. If these properties match, Ed is logged in to the desktop.

Enabling Desktop Login With a Solaris Smartcard

The final step in setting up a desktop system is to enable the use of a Solaris Smartcard for desktop login. See To Enable Smartcard Usage (Command Line) for step-by-step instructions.

You cannot log in through dtlogin if you enable Smartcard and either of the following conditions is true:

If you enabled Smartcard before setting up a working smart card configuration, you must disable Smartcard before you can complete the setup. To disable Smartcard:

  1. Log in to the system remotely with the ssh or rlogin command.

  2. Become superuser (root).

  3. Disable smart-card operations.


    # smartcard -c disable
    

Procedure: To Enable Smartcard Usage (Command Line)

Use this procedure to enable Solaris Smartcard usage on a system. A user must use an accepted smart card for the system. A user might also need to type a PIN to log in to the system.

Steps
  1. Become superuser on each system to be used in Smartcard operations.

  2. Verify that the ocfserv daemon is enabled.

    The following command provides the status of the service.


    # svcs network/rpc/ocfserv
    

    Note –

    Before you make any changes to Smartcard, you must make sure that the ocfserv daemon is enabled.


  3. (Optional) If necessary, enable the ocfserv daemon.


    # svcadm enable network/rpc/ocfserv
    
  4. Stop the desktop.


    # /etc/init.d/dtlogin stop
    
  5. Enable Solaris Smartcard operations.


    # smartcard -c enable
    
  6. Restart the desktop.


    # /etc/init.d/dtlogin start
    

    Note –

    When CDE is configured for Smartcard login, /etc/pam.conf is modified to include pam_smartcard. For example, when smartcard -c enable is executed, the following lines are inserted at the top of the auth stacks for dtlogin and dtsession:


    dtlogin auth requisite pam_smartcard.so
    dtsession auth requisite pam_smartcard.so
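
The following script is an added example, not part of the Solaris guide or of the smartcard command. It models, on a constructed pam.conf fragment, the change the note above describes (a requisite pam_smartcard.so entry inserted at the top of the dtlogin and dtsession auth stacks) and gives a check you can run against a real /etc/pam.conf to confirm that state after `smartcard -c enable`. Both functions read pam.conf text on stdin and never write to /etc/pam.conf.

```sh
#!/bin/sh
# Added example, not from the Solaris Smartcard guide.
# Constructed pam.conf fragment, not a real /etc/pam.conf:
SAMPLE_PAM_CONF='# constructed sample
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_unix_auth.so.1
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_unix_auth.so.1
other auth requisite pam_authtok_get.so.1'

# Insert the pam_smartcard line ahead of the first auth entry of dtlogin and
# dtsession, leaving every other line unchanged (models smartcard -c enable).
insert_pam_smartcard() {
    awk '($1 == "dtlogin" || $1 == "dtsession") && $2 == "auth" && !done[$1] {
             print $1 " auth requisite pam_smartcard.so"
             done[$1] = 1
         }
         { print }'
}

# Print "yes" if the named service's auth stack begins with a requisite
# pam_smartcard entry, "no" otherwise (also when the service has no auth stack).
smartcard_first_in_auth_stack() {
    awk -v svc="$1" '
        $1 == svc && $2 == "auth" {
            if ($3 == "requisite" && index($4, "pam_smartcard.so")) print "yes"
            else print "no"
            found = 1
            exit
        }
        END { if (!found) print "no" }'
}

# Stand-alone run: show the check before and after the modelled insertion.
for svc in dtlogin dtsession other; do
    before=$(printf '%s\n' "$SAMPLE_PAM_CONF" | smartcard_first_in_auth_stack "$svc")
    after=$(printf '%s\n' "$SAMPLE_PAM_CONF" | insert_pam_smartcard | smartcard_first_in_auth_stack "$svc")
    echo "$svc: before=$before after=$after"
done
```

To audit a real system, run `smartcard_first_in_auth_stack dtlogin < /etc/pam.conf`; a "no" for dtlogin or dtsession after enabling Smartcard means the desktop login is not actually gated by the card.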