Setting Up a Smart Card
This chapter provides an overview of setting up a smart card. You can set up a smart card from the Smartcard Console or the command line. The tasks in this chapter assume that you have identified how you will implement smart cards at your site and that you have set up a card reader on all systems that will use smart cards. The following subjects are included:
Loading the SolarisAuthApplet
You must add the default SolarisAuthApplet applet to the card before you can add the user profile information. See "To Load the Smartcard Applet to a Smart Card" for instructions.
Initializing a Smart Card
After the default applet (SolarisAuthApplet) has been loaded, create the user profile information on the card. The user profile information specifies a login name and password for the card user, and names the protected application. The default PIN for the SolarisAuthApplet is $$$$java.
To Create User Information on a Smart Card
Example--Creating User Information on a Smart Card (Command Line)
This command is appropriate for all smart cards devices supported by Solaris Smartcard. Insert the card in the card reader. For Smartcard Console instructions, see "To Set Up a User Profile" and "To Change the PIN on a Card".
Set the login name, password, and application for the card by typing the following on one line:
# smartcard -c init -A A000000062030400 -P '$$$$java' user=anyone password=changeme application=dtlogin |
In the example, the username is set to anyone, the password to changeme, and the application is dtlogin. The username and password can be set to any value; these will be changed by a system administrator or the user when the card is issued. See "To Set Up a User Profile" for instructions.
Note - You must enter the loaded applet ID and the current PIN. The -A A000000062030400 part of the command specifies the SolarisAuthApplet applet ID. You must enclose the default PIN, $$$$java, or any PIN containing shell special-characters (such as $) within single quotes. Otherwise, the shell tries to interpret the PIN as a variable, and the command fails.
Defining Authentication Properties on a Smart Card
You set the properties on each smart card based on the user's requirements, your site's security policies, and the limitations of the type of smart card used. Using the Configure Applets dialog box, define corresponding properties for each smart card. The client and server programs on the system read the properties on the smart card to determine whether to give the user access to a particular application.
Note - These properties apply only to cards initialized with the SolarisAuthApplet applet provided with Solaris Smartcard. If your site uses a different smart card applet, the available properties might differ. Refer to the smartcard(1M) man page for more information.
PIN Property
The PIN property is an authentication property that defines a personal identification number (PIN) for the card. The default PIN created on the card is $$$$java. Either you or the user can change $$$$java to a personalized PIN. Consider giving all users at your site the same default PIN name (for example, changeme). Then make sure each user changes the PIN to a value known only to that user.
See "To Change the PIN on a Card" for step-by-step instructions on changing the PIN on a smart card.
User and Password Properties
The user and password properties are authentication properties that identify the user and associate the user with the smart card's PIN. To set these properties, you must know the user's login name and password.
On systems using the default authentication mechanism of PIN, ocfserv verifies the authenticity of the PIN. Next, ocfserv reads the user and password properties on the card. If the password on the smart card matches the user's entry in the system's password database, ocfserv gives the user access to the application.
Application Property
Use the application authentication property (called a "user profile" in the Smartcard Console) to designate which applications the user needs to log in to with a login name and password. For example, to require a smart card login to the desktop, you must specify dtlogin as the application associated with the login name and password on the card. You can also require a smart card login for an application specific to your site, such as a financial package or personnel database, by specifying its name as the application property.
Before initializing an application on the card, find out which applications a user needs to access through smart card authentication. This step is particularly important when preparing a smart card for a system administrator or other user who might need to log in to an application as root or another restricted login name.
Note - Payflex cards do not support multiple profiles; they cannot be used in cases where a user needs to log in to the desktop and one or more secure applications or uses multiple user names.
The application property on the smart card works in tandem with the other authentication properties. For example, suppose you initialized a smart card for user Frank with the following information:
A000000062030400 - The SolarisAuthApplet applet.
'$$$$java' - The default PIN for this card, which user Frank can change later.
dtlogin - The application requiring the smart card login.
frank - The name that Frank must provide to log in to the desktop.
changeme - The password that Frank must type to log in to the desktop.
The preceding information would be entered on the command line, as follows:
# smartcard -c init -A A000000062030400 -P '$$$$java' application=dtlogin user=frank password=changeme |
When Frank inserts his card into the reader and tries to log in to the desktop (dtlogin), ocfserv reads the card to determine whether any authentication properties are associated with dtlogin. The ocfserv server finds that the user and password properties are associated with dtlogin.
The ocfserv server prompts Frank for his PIN, and the typed PIN is compared with the PIN stored on the smart card assigned to the dtlogin application. Also, ocfserv uses the login name and password on Frank's card, along with the passwords in the system's password database, to verify that Frank is who he claims to be. If these properties match, Frank is logged in to the desktop.
Enabling Solaris Smartcard Desktop Login
The final step in setting up a desktop system is to enable desktop login using Solaris Smartcard. See "To Enable Smartcard Usage (Command Line)" for step-by-step instructions.
You cannot log in through dtlogin if you enable Smartcard and either of the following conditions is true:
You do not have a working smart card, or
You have not configured a smart card successfully
If you enable Smartcard before you have set up a working smart card configuration, do the following to disable Smartcard so that you can set up Smartcard for use:
Log in in to the system remotely with the ssh or rlogin command.
Become superuser (root).
Disable smart card operations.
# smartcard -c disable
To Enable Smartcard Usage (Command Line)
Do the following to enable Solaris Smartcard usage on a system. A user must use an accepted smart card for the system and might need to type a PIN to successfully log in to this system after the desktop is enabled for Smartcard.
Become superuser on each system to be used in Smartcard operations.
Stop the desktop.
# /etc/init.d/dtlogin stop
Turn on Solaris Smartcard operations.
# smartcard -c enable
Restart the desktop.
# /etc/init.d/dtlogin start
Note - When CDE is configured for Smartcard login, /etc/pam.conf is modified to include pam_smartcard. For example, when smartcard -c enable is executed, the following lines are inserted at the top of the auth stacks for dtlogin and dtsession:
dtlogin auth requisite pam_smartcard.so dtsession auth requisite pam_smartcard.so