To configure smart card redirection on a SLED/SLES virtual machine (VM), install the libraries on which the feature depends and the root CA certificate to support the trusted authentication of smart cards. In addition, you must edit some configuration files to complete the authentication setup.
Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.
Placeholder Value |
Description |
dns_IP_ADDRESS |
IP address of your DNS name server |
mydomain.com |
DNS name of your AD domain |
MYDOMAIN.COM |
DNS name of your AD domain, in all capital letters |
MYDOMAIN |
DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters |
ads-hostname |
Host name of your AD server |
ads-hostname.mydomain.com |
Fully qualified domain name (FQDN) of your AD server |
mytimeserver.mycompany.com |
DNS name of your NTP time server |
AdminUser |
User name of the VM administrator |
Procedure
- Install the required library packages.
- Install the PAM library and other packages.
# zypper install pam_pkcs11 mozilla-nss mozilla-nss-tools
pcsc-lite pcsc-ccid opensc coolkey pcsc-tools
You may need to enable extensions like PackageHub to install all the above packages
- To use the installed packages, enable extensions like PackageHub and install the PC/SC tools. For example, you can run the following commands for SLED/SLES 12 SP3.
# SUSEConnect --list-extensions
# SUSEConnect -p PackageHub/12.3/x86_64
# zypper in pcsc-tools
- Install a Root Certification Authority (CA) certificate.
- Download a root CA certificate and save it to /tmp/certificate.cer on the system. See How to Export Root Certification Authority Certificate.
- Locate the root CA certificate that you downloaded, transfer it to a .pem file, and create a hash file.
# openssl x509 -inform der -in /tmp/certificate.cer -out /tmp/certificate.pem
# cp /tmp/certificate.pem /etc/pam_pkcs11/cacerts
# chmod a+r /etc/pam_pkcs11/cacerts/certificate.pem
# cd /etc/pam_pkcs11/cacerts
# pkcs11_make_hash_link
- Install trust anchors to the NSS database.
# mkdir /etc/pam_pkcs11/nssdb
# certutil -N -d /etc/pam_pkcs11/nssdb
# certutil -L -d /etc/pam_pkcs11/nssdb
# certutil -A -n rootca -i certificate.pem -t "CT,CT,CT" -d /etc/pam_pkcs11/nssdb
- Install the required drivers.
# cp libcmP11.so /usr/lib64/
# modutil -add "piv card 2.0" -libfile /usr/lib64/libcmP11.so -dbdir /etc/pam_pkcs11/nssdb/
- Edit the /etc/pam_pkcs11/pam_pkcs11.conf file.
- Delete the line use_pkcs11_module = nss. In its place, add the line use_pkcs11_module = mysc.
- Add the mysc module, as shown in the following example.
pkcs11_module mysc {
module = /usr/lib64/libcmP11.so;
description = "MY Smartcard";
slot_num = 0;
nss_dir = /etc/pam_pkcs11/nssdb;
cert_policy = ca, ocsp_on, signature, crl_auto;
}
- Update the Common Name mapper configuration, as shown in the following example.
# Assume common name (CN) to be the login
mapper cn {
debug = false;
module = internal;
# module = /usr/lib64/pam_pkcs11/cn_mapper.so;
ignorecase = true;
mapfile = file:///etc/pam_pkcs11/cn_map;}
- Delete the line use_mappers = ms. In its place, add the line use_mappers = cn, null.
- Edit the /etc/pam_pkcs11/cn_map configuration file so that it includes the following line.
ads-hostname -> ads-hostname
- Modify the PAM configuration.
- To make it possible to configure smart card authentication, first disable the pam_config tool.
# find /etc/pam.d/ -type l -iname "common-*" -delete
# for X in /etc/pam.d/common-*-pc; do cp -ivp $X ${X:0:-3}; done
- Create a file named common-auth-smartcard under the /etc/pam.d/ directory. Add the following content to the file.
auth required pam_env.so
auth sufficient pam_pkcs11.so
auth optional pam_gnome_keyring.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth required pam_winbind.so use_first_pass
- Replace the line auth include common-auth with the line auth include common-auth-smartcard in both of these files: /etc/pam.d/gdm and /etc/pam.d/xscreensaver.
- To configure the pcscd service to start automatically after the VM restarts, edit the appropriate file for your SLED/SLES version.
- (SLED/SLES 12.x) Add the line
rcpcscd start
to /etc/init.d/after.local so that the file resembles the following example. #! /bin/sh
#
# Copyright (c) 2010 SuSE LINUX Products GmbH, Germany. All rights reserved.
#
# Author: Werner Fink, 2010
#
# /etc/init.d/after.local
#
# script with local commands to be executed from init after all scripts
# of a runlevel have been executed.
#
# Here you should add things, that should happen directly after
# runlevel has been reached.
#
rcpcscd start
- (SLED/SLES 15.x) Add the line
WantedBy=multi-user.target
to /usr/lib/systemd/system/pcscd.service so that the file resembles the following example.[Unit]
Description=PC/SC Smart Card Daemon
Requires=pcscd.socket
[Service]
ExecStart=/usr/sbin/pcscd --foreground --auto-exit
ExecReload=/usr/sbin/pcscd --hotplug
[Install]
Also=pcscd.socket
WantedBy=multi-user.target
After editing the
pcscd.service file, run the following command.
systemctl enable pcscd
Note: If the pcscd service does not start after the VM restarts, the first login via pam_pkcs11 fails.
- Disable the firewall.
# rcSuSEfirewall2 stop
# chkconfig SuSEfirewall2_setup off
# chkconfig SuSEfirewall2_init off
Note: Smart card redirection sometimes fails when the firewall is enabled.
- Update the PC/SC Lite library to version 1.8.8.
- For SLED/SLES 12 SP3 or 15.x, use the following sequence of commands. Replace <SUSE-version> with the version number of your distribution, for example
15.2
for SLED/SLES 15 SP2.# SUSEConnect -p sle-sdk/<SUSE-version>/x86_64
# zypper in git autoconf automake libtool flex libudev-devel gcc
# git clone https://salsa.debian.org/rousseau/PCSC.git
# cd PCSC/
# git checkout -b pcsc-1.8.8 1.8.8
# ./bootstrap
# ./configure -program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include
--libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib64
--mandir=/usr/share/man --infodir=/usr/share/info --disable-static --enable-usbdropdir=/usr/lib64/pcsc/drivers
# make
# make install
- For SLES 12 SP5, use the following sequence of commands.
# SUSEConnect -p sle-sdk/12.5/x86_64
# zypper in git-core autoconf automake libtool flex libudev-devel gcc
# git clone https://salsa.debian.org/rousseau/PCSC.git
# cd PCSC/
# git checkout -b pcsc-1.8.8 1.8.8
# ./bootstrap
# ./configure -program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib64 --mandir=/usr/share/man --infodir=/usr/share/info --disable-static --enable-usbdropdir=/usr/lib64/pcsc/drivers
# make
# make install
- (SLED/SLES 15.x) To ensure that the smart card greeter functions properly, modify the org.gnome.Shell.desktop file on the VM.
- Open the /usr/share/applications/org.gnome.Shell.desktop file.
- In the file, find and replace
Exec=/usr/bin/gnome-shell
with the following line.
Exec=sh -c "DISPLAY=:${DISPLAY##*:} exec /usr/bin/gnome-shell"
- Save and close the file.
- Install the Horizon Agent package, with smart card redirection enabled.
# sudo ./install_viewagent.sh -m yes
- Restart the VM and log back in.