The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
If appropriate hardware is installed and supported, the system can use smart cards to authenticate users. The pam_pkcs11 package provides a PAM login module that enables X.509 certificate-based user authentication. The module uses the Name Service Switch (NSS) to manage and validate PKCS #11 smart cards by using locally stored root CA certificates, online or locally accessible certificate revocation lists (CRLs), and the Online Certificate Status Protocol (OCSP).
To enable smart card authentication:
Install the pam_pkcs11 package:
# yum install pam_pkcs11
Use the following command to install the root CA certificates in the NSS database:
# certutil -A -d /etc/pki/nssdb -t "TC,C,C" -n "Root CA certificates" -i CACert.pem
In the example, CACert.pem is the base-64 format root CA certificate file.
Run the Authentication Configuration GUI:
# system-config-authentication
On the Advanced Options tab, select the Enable smart card support check box.
If you want to disable all other login authentication methods, select the Require smart card for login check box.
Caution: Do not select this option until you have tested that you can use a smart card to authenticate with the system.
From the Card removal action menu, select the system's response if a user removes a smart card while logged in to a session:
- Ignore
The system ignores card removal for the current session.
- Lock
The system locks the user out of the session.
You can also use the following command to configure smart card authentication:
# authconfig --enablesmartcard --update
To specify the system's response if a user removes a smart card while logged in to a session:
# authconfig --smartcardaction=0|1 --update
Specify a value of 0 to --smartcardaction to lock the system if a card is removed. To ignore card removal, use a value of 1.
Once you have tested that you can use a smart card to authenticate with the system, you can disable all other login authentication methods.
# authconfig --enablerequiresmartcard --update
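Before testing a card login, it is worth confirming that the certutil -A step above left the root CA in /etc/pki/nssdb with the intended trust flags. The following is an added example, not part of the original documentation: it parses certutil -L output and compares the flags as sets of letters, because certutil lists "TC,C,C" as "CT,C,C". The function name trust_matches and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original documentation).
# Checks that a CA nickname in `certutil -L` output carries the trust flags
# that were requested with `certutil -A -t`. certutil prints the letters of
# each field in its own fixed order, so "TC,C,C" is listed as "CT,C,C";
# the fields are therefore compared as sets of letters, not as strings.

# trust_matches NICKNAME WANTED < listing ; exit status 0 on match.
trust_matches() {
    awk -v nick="$1" -v want="$2" '
        function same_set(a, b,    i) {
            if (length(a) != length(b)) return 0
            for (i = 1; i <= length(a); i++)
                if (index(b, substr(a, i, 1)) == 0) return 0
            return 1
        }
        {
            line = $0
            sub(/[ \t]+$/, "", line)                  # drop trailing blanks
            if (!match(line, /[ \t]+[^ \t]+$/)) next  # need name + flags column
            name  = substr(line, 1, RSTART - 1)       # nickname may contain spaces
            flags = substr(line, RSTART)
            sub(/^[ \t]+/, "", flags)
            if (name != nick) next
            nw = split(want, w, ",")
            ng = split(flags, g, ",")
            if (nw != ng) next
            ok = 1
            for (k = 1; k <= nw; k++) if (!same_set(w[k], g[k])) ok = 0
            if (ok) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample of `certutil -L -d /etc/pki/nssdb` output.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Root CA certificates                                         CT,C,C
'

# On a configured system (assumes certutil from the NSS tools is installed):
#   certutil -L -d /etc/pki/nssdb | trust_matches "Root CA certificates" "TC,C,C" \
#       || echo "root CA missing or trust flags differ" >&2
```

A matching trust entry is only a precondition; the page's instruction to test an actual smart card login before running authconfig --enablerequiresmartcard still applies.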