Abstract

| Goal | Configure and manage smart card authentication, secrets, and single sign-on. |
| Objectives | |
| Sections | |
| Lab | |
Smart cards have been in use for several decades, providing reliable storage for personal data, including identification data, such as certificates and keys. IdM supports the use of smart cards as a Kerberos v5 preauthentication mechanism. This means that users can log on to a machine that is an IdM domain member with a smart card, and automatically receive a Kerberos ticket.
Your smart card and certificate are often managed by a dedicated team; however, when testing smart cards you might need to work with certificates in a security database.
PKCS12 is a common certificate format, and the pk12util command can be used to import and export certificates from several security databases, such as Network Security Services (NSS) databases.
The original Kerberos specification had a flaw that allowed attackers to perform offline dictionary attacks against user credentials.
The flaw was mitigated by adding the preauthentication phase.
This requires users to provide the Key Distribution Center (KDC) with some data encrypted with their private key before the Authentication Service (AS) grants a session key for the Ticket Granting Service (TGS).
Many preauthentication (PA) mechanisms exist; a common method is to encrypt the current time stamp. Kerberos includes support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT), which is specified in RFC 4556. This mechanism allows users to authenticate to Kerberos by passing their public key and a signature in the PA data field during the AS request.
In Red Hat Enterprise Linux 7.4 and later, the first IdM server has a domain level of 1 and PKINIT is enabled by default.
Use the ipa pkinit-status command to test whether PKINIT is enabled on your IdM servers:

```
[user@host ~]$ ipa pkinit-status
----------------
1 server matched
----------------
Server name: idm.lab.example.com
PKINIT status: enabled
----------------------------
Number of entries returned 1
----------------------------
```

The ipa-advise command can save time when you need to configure IdM. Run the ipa-advise command with no arguments to obtain a list of all available advice.
To configure a client machine to use smart card authentication, run the following commands:

```
[user@host ~]$ ipa-advise config-client-for-smart-card-auth > ~/client_pkinit.sh
[user@host ~]$ chmod u+x ~/client_pkinit.sh
```

Ensure that the krb5-pkinit package is installed, copy the ~/client_pkinit.sh script to the client machine, and then run it with the path to the certificate for the CA that signed the smart card certificates as an argument.

```
[user@host ~]$ rpm -q krb5-pkinit
...output omitted...
[user@host ~]$ ~/client_pkinit.sh /etc/pki/Demo-CA.crt
...output omitted...
```
To enable smart card authentication for the IdM web UI, perform the following steps:

```
[user@host ~]$ ipa-advise config-server-for-smart-card-auth > ~/server_pkinit.sh
[user@host ~]$ chmod u+x ~/server_pkinit.sh
```

Ensure that the sssd-dbus package is installed, and then run the script on all IdM servers:

```
[user@host ~]$ rpm -q sssd-dbus
...output omitted...
[user@host ~]$ ~/server_pkinit.sh
...output omitted...
```
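After the server script has run everywhere, re-check ipa pkinit-status on each server. The following added shell example, which is not part of the course material, parses that command's output (a constructed sample is embedded so it runs offline) and fails when any server still reports PKINIT as disabled; the sample server names are assumed.

```shell
#!/bin/sh
# Added example, not part of the course material: verify that every IdM server
# listed by `ipa pkinit-status` reports PKINIT as enabled. The checker reads the
# command output on stdin, so real usage is:  ipa pkinit-status | pkinit_all_enabled

# Constructed sample: status output with one replica still disabled.
SAMPLE_MIXED='----------------
2 servers matched
----------------
  Server name: idm.lab.example.com
  PKINIT status: enabled
  Server name: replica.lab.example.com
  PKINIT status: disabled
----------------------------
Number of entries returned 2
----------------------------'

# Constructed sample in which the only server is enabled.
SAMPLE_OK='----------------
1 server matched
----------------
  Server name: idm.lab.example.com
  PKINIT status: enabled
----------------------------
Number of entries returned 1
----------------------------'

# Prints "<server> <status>" per entry. Exit 0 when every server is enabled,
# 1 when any server is not, 2 when no entries were parsed (unexpected output).
pkinit_all_enabled() {
    awk '
        /^[[:space:]]*Server name:/   { server = $3 }
        /^[[:space:]]*PKINIT status:/ {
            seen++
            print server, $3
            if ($3 != "enabled") bad++
        }
        END {
            if (seen == 0) exit 2
            exit (bad > 0)
        }
    '
}

# Number of servers in the given status text that are not enabled.
pkinit_disabled_count() {
    printf '%s\n' "$1" | pkinit_all_enabled | grep -vc ' enabled$' || true
}

printf '%s\n' "$SAMPLE_MIXED" | pkinit_all_enabled || echo "not all servers have PKINIT enabled (exit $?)"
```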
Web browsers do not have smart card authentication enabled by default. To enable this feature, you must add a security device.
To add a security device, launch Firefox and navigate to → → → → .
Click , and then enter OpenSC for , and /usr/lib64/opensc-pkcs11.so for .
Click , and then .
Now that you have enabled support for smart card authentication, you can log in to the IdM web UI with a smart card.
Navigate to the IdM management URL and click . Enter the PIN to unlock your smart card, select the appropriate certificate, and then click .
Further information is available in the Configuring Identity Management for Smart Card Authentication chapter in the Managing Smart Card Authentication guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/managing_smart_card_authentication/index#configuring-idm-for-smart-card-auth_managing-smart-card-authentication