This tutorial uses Fedora 36. It assumes that you have a ThinLinc server and a ThinLinc client installed.
ThinLinc Administrator’s Guide about this:
https://www.cendio.com/resources/docs/tag/authentication_scpublickey.html
1. Install the necessary drivers for smart card readers on your client machine, as well as on the machine you want to use for steps 2-5:
$ sudo dnf install pcsc-lite pcsc-lite-ccid
$ sudo systemctl start pcscd
2. Install OpenSC to get tools for extracting information from the smart cards:
$ sudo dnf install opensc
3. Plug in the smart card reader and insert the card into the reader.
4. List the certificates on your smart card to find the ID of the certificate you want to use:
$ pkcs15-tool --list-certificates
5. Use the ID to read the ssh key:
$ pkcs15-tool --read-ssh-key <ID> > my_smartcard.key
6. Make sure that your authorized_keys file has the correct permissions on all your agent and master server(s):
$ sudo mkdir -p /home/<USERNAME>/.ssh
$ sudo chown <USERNAME>:<USERNAME> /home/<USERNAME>/.ssh
$ sudo chmod 700 /home/<USERNAME>/.ssh
$ sudo touch /home/<USERNAME>/.ssh/authorized_keys
$ sudo chown <USERNAME>:<USERNAME> /home/<USERNAME>/.ssh/authorized_keys
$ sudo chmod 600 /home/<USERNAME>/.ssh/authorized_keys
7. Place the ssh key in your user’s home directory on all your agent and master server(s):
$ sudo sh -c 'cat my_smartcard.key >> /home/<USERNAME>/.ssh/authorized_keys'
8. Configure your ThinLinc client to authenticate using smart card:
This is found under client Options → Security → Details. You can now login via smart cards.
Automatically login when inserting a smart card (OPTIONAL)
ThinLinc Administrator’s Guide about this:
https://www.cendio.com/resources/docs/tag/authentication_scpublickey.html#automatic-connection
9. Extract the certificate in DER format from the smart card:
$ pkcs15-tool --read-certificate <ID> | openssl x509 -outform DER > smartcard_cert.der
10. If the DER file was created on another machine, copy this DER file to one of your ThinLinc servers and then connect to the server:
$ scp smartcard_cert.der <ADMINUSER>@<SERVER>:~/
$ ssh <ADMINUSER>@<SERVER>
11. Extract the subject name from the DER file:
$ cat smartcard_cert.der | /opt/thinlinc/libexec/tl-certtool --subject
12. Find the user id for the user you want to login with on your server(s):
$ id -u <USERNAME>
CONTINUE THE FOLLOWING STEPS ON ALL YOUR AGENT AND MASTER SERVER(S).
13. Associate the subject name with the user id in the passwdaliases file on all your agent and master server(s):
$ sudo vim /etc/passwdaliases
It should be in the format <SUBJECTNAME>:<UID> (one entry per line, subject name followed by the numeric user id) and can look something like this:
# Sample /etc/passwdaliases
# A few invalid lines, for testing
#orange
#banana:
#apple:wrong
# A valid line
#root2:0
# Example of RFC4514 DN - a username derived from a Smart Card certificate
#serialNumber=197703012570,givenName=Peter Alf G\c3\b6ran,sn=\c3\85strand,cn=Peter \c3\85strand,c=SE:4711
organizationalUnitName=temp,cn=Jan Andersson:1000
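Before enabling the NSS module, it helps to check that every entry really has the <SUBJECTNAME>:<UID> shape. The shell script below is an added example (not from the ThinLinc documentation or the Cendio project): it flags malformed lines and resolves a subject name to its uid, run against a constructed copy of the sample above with the invalid lines uncommented. Splitting on the last colon (so an RFC 4514 DN may contain '=' and ',') and the temp-file sample are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check a passwdaliases file. Each non-comment line must be
# "<SUBJECT NAME>:<UID>"; we take the text after the LAST colon as the uid.

# Print every malformed line; return 1 if any were found, 0 otherwise.
check_passwdaliases() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                     # blank lines and comments are fine
            *:*) ;;                                   # has a separator, check the uid below
            *) printf "no ':' separator: %s\n" "$line"; bad=1; continue ;;
        esac
        uid=${line##*:}                               # text after the last colon
        subject=${line%:*}                            # text before the last colon
        case $uid in
            ''|*[!0-9]*) printf 'uid not numeric: %s\n' "$line"; bad=1; continue ;;
        esac
        [ -n "$subject" ] || { printf 'empty subject: %s\n' "$line"; bad=1; }
    done < "$1"
    return $bad
}

# Print the uid mapped to an exact subject name; return 1 if nothing matches.
lookup_alias() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; *:*) ;; *) continue ;; esac
        if [ "${line%:*}" = "$2" ]; then
            printf '%s\n' "${line##*:}"
            return 0
        fi
    done < "$1"
    return 1
}

# Constructed sample (assumption: written to a temp file), mirroring the
# documentation's example but with the invalid lines uncommented.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
# constructed sample passwdaliases
orange
banana:
apple:wrong
root2:0
serialNumber=197703012570,givenName=Peter Alf G\c3\b6ran,sn=\c3\85strand,cn=Peter \c3\85strand,c=SE:4711
organizationalUnitName=temp,cn=Jan Andersson:1000
EOF

# Usage: report malformed lines, then resolve a DN the ThinLinc client would present.
check_passwdaliases "$SAMPLE_FILE" || printf 'fix the lines above before enabling the module\n'
lookup_alias "$SAMPLE_FILE" 'organizationalUnitName=temp,cn=Jan Andersson'
```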
14. Activate the passwdaliases module in NSS on all your agent and master server(s):
This is done by adding ‘passwdaliases’ to the list of modules for the passwd database.
$ sudo vim /etc/nsswitch.conf
It should look something like this:
passwd: files sss systemd passwdaliases
shadow: files
group: files sss systemd
...
NOTE THAT IF YOU CONTINUE WITH THE FOLLOWING STEP (NO. 15) YOU WILL COMPLETELY DISABLE THE ACCOUNT STEP OF PAM FOR SSH CONNECTIONS. FOR EXAMPLE, A LOCKED USER CAN STILL LOG IN.
15. Disable the ‘account’-step in PAM for sshd:
This is done by adding “account sufficient pam_permit.so” to /etc/pam.d/sshd on all your agent and master server(s). Note that this new line needs to be the first account step.
$ sudo vim /etc/pam.d/sshd
It should look something like this:
auth substack password-auth
auth include postlogin
account sufficient pam_permit.so
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
...
16. Restart sshd on all your agent and master server(s):
$ sudo systemctl restart sshd
17. Configure your ThinLinc client to login using the subject name on your card:
This is found under client Options → Security → Details (for Smart card).
18. If you want to, you can automatically connect when inserting the card, and you can also disconnect when removing the card. These settings are found in the same place as the one described in step 17.
Note that if your smart card has multiple certificates, the user will have to select a certificate. If you want to, you can add a filter for the certificates. The default filter works for most smart cards. If the filter leaves only one certificate available, the ThinLinc client will be able to connect automatically.
19. You can now log in by simply inserting the smart card (and entering the PIN for the card); you don’t have to specify a username.