24.2.3 Configuring Smart Card Authentication

If appropriate hardware is installed and supported, the system can use smart cards to authenticate users. The pam_pkcs11 package provides a PAM login module that enables X.509 certificate-based user authentication. The module uses Network Security Services (NSS) to access PKCS #11 smart cards and to validate the certificate on the card against locally stored root CA certificates, online or locally accessible certificate revocation lists (CRLs), and the Online Certificate Status Protocol (OCSP).

To enable smart card authentication:

  1. Install the pam_pkcs11 package:

    # yum install pam_pkcs11
  2. Use the following command to install the root CA certificates in the NSS database:

    # certutil -A -d /etc/pki/nssdb -t "TC,C,C" -n "Root CA certificates" -i CACert.pem

    where CACert.pem is the root CA certificate file in base-64 (PEM) format. The trust flags "TC,C,C" mark the certificate as a CA that is trusted to issue client and server certificates (SSL), e-mail certificates (S/MIME), and object-signing certificates. If certutil rejects the file with SEC_ERROR_BAD_DER, add the -a option so that it decodes base-64 input rather than DER. You can confirm the import with certutil -L -d /etc/pki/nssdb.

  3. Run the Authentication Configuration GUI:

    # system-config-authentication
  4. On the Advanced Options tab, select the Enable smart card support check box.

  5. If you want to disable all other login authentication methods, select the Require smart card for login check box.

    Caution

    Do not select this option until you have tested that you can use a smart card to authenticate with the system. If smart card login does not work and all other methods are disabled, you can lock yourself out of the system.

  6. From the Card removal action menu, select the system's response if a user removes a smart card while logged in to a session:

    Ignore

    The system ignores card removal for the current session.

    Lock

    The system locks the user's session when the card is removed.

You can also use the following command to configure smart card authentication:

# authconfig --enablesmartcard --update

To specify the system's response if a user removes a smart card while logged in to a session:

# authconfig --smartcardaction=0|1 --update

Specify a value of 0 to --smartcardaction to lock the system if a card is removed. To ignore card removal, use a value of 1.

Once you have tested that you can use a smart card to authenticate with the system, you can disable all other login authentication methods:

# authconfig --enablerequiresmartcard --update

To allow the other login methods again, use --disablerequiresmartcard with --update.
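The following script is an added example, not part of this guide or of the pam_pkcs11 package, that automates the checks you should pass before you require a smart card for login: the NSS database contains a trusted CA, the PAM stack loads pam_pkcs11, and the inserted card maps to a local user. It assumes the NSS database is /etc/pki/nssdb (as in step 2), that authconfig placed pam_pkcs11 in /etc/pam.d/system-auth (an assumption; adjust PAMFILE if your system uses a different file), and that pklogin_finder, the mapping tool shipped with pam_pkcs11, is on the PATH. The sample certutil listing and PAM lines embedded below are constructed, not captured from a real system.

```shell
#!/bin/sh
# Pre-flight checks before 'authconfig --enablerequiresmartcard --update'.
# Added example; not part of the original documentation.
# Assumptions: NSS database at /etc/pki/nssdb, PAM stack in
# /etc/pam.d/system-auth (override with NSSDB and PAMFILE).

NSSDB=${NSSDB:-/etc/pki/nssdb}
PAMFILE=${PAMFILE:-/etc/pam.d/system-auth}

# Return 0 if a 'certutil -L' listing read from stdin contains at least one
# certificate whose SSL trust column holds 'C' or 'T' (a trusted CA; the
# "TC,C,C" flags from step 2 satisfy this). certutil prints the trust
# column as three comma-separated fields: SSL,S/MIME,JAR/XPI.
has_trusted_ca() {
    awk '
        # Only data rows end in a trust string such as "CT,C,C" or ",,".
        $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
            split($NF, f, ",")
            if (f[1] ~ /[CT]/) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Return 0 if the PAM configuration read from stdin has an 'auth' line
# that loads pam_pkcs11.so.
pam_has_pkcs11() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_pkcs11\.so'
}

# Constructed sample of 'certutil -L' output after the CA import in step 2.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Root CA certificates                                         CT,C,C
'

# Constructed sample of the auth section written by authconfig.
SAMPLE_PAM='auth        required      pam_env.so
auth        sufficient    pam_pkcs11.so
auth        sufficient    pam_unix.so nullok try_first_pass'

# Run the checks against the live system; returns non-zero if any fails.
preflight() {
    status=0
    if certutil -L -d "$NSSDB" 2>/dev/null | has_trusted_ca; then
        echo "ok:   trusted CA present in $NSSDB"
    else
        echo "FAIL: no trusted CA in $NSSDB (import it with certutil -A -t \"TC,C,C\")"
        status=1
    fi
    if pam_has_pkcs11 < "$PAMFILE"; then
        echo "ok:   pam_pkcs11 configured in $PAMFILE"
    else
        echo "FAIL: pam_pkcs11 not in $PAMFILE (run authconfig --enablesmartcard --update)"
        status=1
    fi
    # pklogin_finder prints the login name mapped from the inserted card;
    # requiring smart cards is only safe once this yields a real user.
    if user=$(pklogin_finder 2>/dev/null) && [ -n "$user" ]; then
        echo "ok:   inserted card maps to user '$user'"
    else
        echo "FAIL: pklogin_finder could not map the inserted card to a user"
        status=1
    fi
    return $status
}

# Only touch the live system when explicitly asked to.
case "${1:-}" in
    --check) preflight ;;
esac
```

Run it as root with a card inserted (sh smartcard_preflight.sh --check) and proceed to --enablerequiresmartcard only when every line reports ok; the mapping check is the one that catches a card whose certificate chains correctly but matches no local account.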