documentation_complete: true


title: 'Enable Smartcards in SSSD'

description: |-
    SSSD should be configured to authenticate access to the system using smart cards.
    To enable smart cards in SSSD, set <tt>pam_cert_auth</tt> to <tt>True</tt> under the
    <tt>[pam]</tt> section in <tt>/etc/sssd/sssd.conf</tt>. For example:
    <pre>[pam]
    pam_cert_auth = True
    </pre>
    {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9"] %}}
    Add or update "pam_sss.so" line in auth section of "/etc/pam.d/system-auth" file to include
    "try_cert_auth" or "require_cert_auth" option, like in the following example:
    <pre>
    /etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
    </pre>
    Also add or update "pam_sss.so" line in auth section of "/etc/pam.d/smartcard-auth" file to
    include the "allow_missing_name" option, like in the following example:
    <pre>/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name</pre>
    {{% elif product in ["rhel10"] %}}.
    Ensure you are using the sssd authselect profile with the <tt>with-smartcard</tt> feature enabled.
    {{% endif %}}

rationale: |-
    Using an authentication device, such as a CAC or token that is separate from
    the information system, ensures that even if the information system is
    compromised, that compromise will not affect credentials stored on the
    authentication device.
    <br /><br />
    Multi-Factor Authentication (MFA) solutions that require devices separate from
    information systems gaining access include, for example, hardware tokens
    providing time-based or challenge-response authenticators and smart cards
    or similar secure authentication devices issued by an organization or identity provider.

severity: medium

identifiers:
    cce@rhel8: CCE-80909-5
    cce@rhel9: CCE-89155-6
    cce@rhel10: CCE-90275-9
    cce@sle12: CCE-91467-1
    cce@sle15: CCE-85826-6

references:
    pcidss: Req-8.3
    srg: SRG-OS-000375-GPOS-00160,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055
    stigid@ol8: OL08-00-020250

ocil_clause: 'smart cards are not enabled in SSSD'

ocil: |-
    To verify that smart cards are enabled in SSSD, run the following command:
    <pre>$ sudo grep pam_cert_auth /etc/sssd/sssd.conf</pre>
    If configured properly, output should be
    <pre>pam_cert_auth = True</pre>

    {{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}}
    To verify that smart cards are enabled in PAM files, run the following command:
    <pre>$ sudo grep -e "auth.*pam_sss\.so.*\(allow_missing_name\|try_cert_auth\)" /etc/pam.d/smartcard-auth /etc/pam.d/system-auth</pre>
    If configured properly, output should be
    <pre>
    /etc/pam.d/smartcard-auth:auth        sufficient                                   pam_sss.so allow_missing_name
    /etc/pam.d/system-auth:auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
    </pre>
    {{% endif %}}

fixtext: |-
    Edit the file "/etc/sssd/sssd.conf" and add or edit the following line:

    pam_cert_auth = True

    {{% if product in ["fedora", "ol8", "ol9"] or 'rhel' in product %}}
    Enable the <tt>with-smartcard</tt> feature using the <tt>authselect</tt> command:
    sudo authselect enable-feature with-smartcard
    sudo authselect apply-changes -b
    {{% endif %}}

srg_requirement: '{{{ full_name }}} must implement smart card logon for multifactor authentication for access to interactive accounts.'