Quote:
Originally Posted by TB0ne
If you did, then I assume you saw the exact article from Red Hat's own knowledgebase on how to set these things up. You didn't provide context about the number of machines, what you were trying to do, in what environment, or what your needs were. A simple search turned up exactly how to do what you're after on RHEL 8.
Any sort of centralized authentication system is going to require an authentication server.
I am currently running two machines that are fully STIGed with the DISA RHEL 8 checklists: 1 AWS EC2 instance and 1 Dell 7770, both running RHEL 8.9. I do have a small Domain Controller running LDAP and AD. I am using MobaXterm and PuTTY as my SSH clients. The idea for the EC2 instances is that once a user would like to sign in with their smartcard or a sysadmin token, the machine would prompt the user for their PIN. The same goes for remote access to the Dell 7770; however, when a user is going to be signing into the physical machine, a prompt for a PIN would be activated as well.
I have tried utilizing the command ```authselect select sssd with-smartcard with-smartcard-required with-smartcard-lock-on-removal --force```; however, as the command states, any user attempting to sign in via username and password will not gain access. I wanted exceptions, such as letting the users "ec2-user" and "administrator" still sign in via username and password. I attempted this by making config changes to the sshd_config file:
Code:
Match User ec2-user
    PasswordAuthentication yes
    PubkeyAuthentication yes
This unfortunately did not work. I also made some progress utilizing pcsc-tools: I ran ```pcsc_scan``` and received:
Code:
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader... /
This hangs for some time and then I eventually cancel the command. I tried searching for this online, and one of the few recommendations was installing coolkey, which does not work for me on RHEL 8: it is not found in any repos, and when I install it directly, multiple errors appear.
Again, my main goal is to enable smartcard authentication on both of these environments in the easiest way possible, while still keeping an emergency account such as ec2-user or administrator in case, for whatever reason, CAC authentication fails for every account.
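An added example, not code from the thread or from Red Hat, for the "exception for ec2-user and administrator" part of the question. The assumed approach is the authselect one: clone the sssd profile into a custom profile, then put a pam_succeed_if line directly in front of the pam_sss line that carries require_cert_auth, so that the smart-card requirement is skipped for the listed users and nobody else. The profile name smartcard-exempt, the user list, and the shell function name are placeholders; the operational authselect commands are shown in comments and are not run by the script itself.

```shell
#!/bin/sh
# Added example (not from the thread or from Red Hat). Exempts named break-glass
# accounts from the smart-card requirement that
# "authselect select sssd ... with-smartcard-required" writes into
# /etc/pam.d/system-auth and /etc/pam.d/password-auth.
#
# Assumed approach: clone the sssd profile into a custom authselect profile,
# then insert, just before the pam_sss line carrying require_cert_auth, a
# pam_succeed_if line whose "success=1" action skips exactly that one line
# for the listed users. The inserted line carries the same
# {include if "with-smartcard-required"} tag as the line it skips, so it is
# only rendered together with that line and never skips some other module.
#
# Operational steps, run as root on the RHEL 8 host (not executed here;
# profile name and user list are placeholders):
#   authselect create-profile smartcard-exempt -b sssd
#   add_smartcard_exemption /etc/authselect/custom/smartcard-exempt/system-auth   ec2-user:administrator
#   add_smartcard_exemption /etc/authselect/custom/smartcard-exempt/password-auth ec2-user:administrator
#   authselect select custom/smartcard-exempt with-smartcard with-smartcard-required --force
#   authselect check
# Keep a second root session open until a password login for ec2-user and a
# smart-card login for a normal user have both been verified.

# add_smartcard_exemption FILE USERLIST
#   FILE     a profile template, e.g. .../custom/smartcard-exempt/system-auth
#   USERLIST colon-separated user names (pam_succeed_if "user in" syntax)
# Idempotent. Returns 1 and changes nothing if FILE has no require_cert_auth
# line, because a "success=1" skip with no such line behind it would skip
# whatever module happens to follow instead.
add_smartcard_exemption() {
    file=$1
    users=$2
    exempt="auth        [success=1 default=ignore] pam_succeed_if.so quiet user in $users    {include if \"with-smartcard-required\"}"

    # Nothing to exempt from: refuse rather than insert a dangling skip.
    grep -q 'pam_sss\.so.*require_cert_auth' "$file" || return 1
    # Already present: leave the file alone.
    grep -qF "$exempt" "$file" && return 0

    tmp=$(mktemp) || return 1
    # Emit the exemption once, immediately before the first matching pam_sss line.
    awk -v line="$exempt" '
        !done && /pam_sss\.so/ && /require_cert_auth/ { print line; done = 1 }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place (cat, not mv) so owner, mode and SELinux context survive.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}
```

Two points that follow from this, in my words rather than the poster's: on RHEL, whether an SSH password login succeeds is decided by PAM (/etc/pam.d/sshd includes password-auth), so a Match User block in sshd_config only controls which sshd methods are offered and cannot override a require_cert_auth line in the PAM stack; the exception has to live in the profile, which is why the function is applied to password-auth as well as system-auth. And "Waiting for the first reader..." from pcsc_scan simply means pcscd found no reader attached to that host, which is expected on an EC2 instance: the card is in the client, so over SSH the client (MobaXterm or a PKCS#11-capable PuTTY build) uses the card's key and the server only has to verify the resulting public key.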