LinuxQuestions.org
Old 04-29-2024, 01:26 PM   #1
nxct
LQ Newbie
 
Registered: Dec 2022
Posts: 4

Rep: Reputation: 0
Question Smartcard Authentication on RHEL 8


Hello all,

I am attempting to enable smartcard authentication on a RHEL 8.9 headless server. Most information I have found on this topic either deals with Debian-based machines and this machine does have a GUI installed, however, I will be connecting remotely. Please let me know where I may be able to find steps on this installation process, or if you do know the steps, please share them! Thank you very much!!

Last edited by nxct; 04-29-2024 at 01:53 PM. Reason: Adding additional information
 
Old 04-29-2024, 01:55 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,705

Rep: Reputation: 7972
Quote:
Originally Posted by nxct
Hello all,

I am attempting to enable smartcard authentication on a RHEL 8.9 headless server. Most information I have found on this topic either deals with Debian-based machines and this machine does have a GUI installed, however, I will be connecting remotely. Please let me know where I may be able to find steps on this installation process, or if you do know the steps, please share them! Thank you very much!!
Did you try putting "smartcard authentication on rhel 8" into a search engine???
https://access.redhat.com/documentat...0your%20system.

..or contacting Red Hat support???
 
Old 04-29-2024, 02:41 PM   #3
nxct
LQ Newbie
 
Registered: Dec 2022
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by TB0ne
Did you try putting "smartcard authentication on rhel 8" into a search engine???
https://access.redhat.com/documentat...0your%20system.

..or contacting Red Hat support???
Of course I did but most articles I saw revolved around setting up an Identity Manager and I thought this would be a bit overkill as there are only a small number of machines requiring this feature. Configuring another server to utilize one function didn't really make sense to me. Now, if this is the only way to go and there are no alternatives then I'm left with no other option but to configure based off these articles.
 
Old 04-29-2024, 03:15 PM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,705

Rep: Reputation: 7972
Quote:
Originally Posted by nxct
Of course I did but most articles I saw revolved around setting up an Identity Manager and I thought this would be a bit overkill as there are only a small number of machines requiring this feature. Configuring another server to utilize one function didn't really make sense to me. Now, if this is the only way to go and there are no alternatives then I'm left with no other option but to configure based off these articles.
If you did, then I assume you saw the exact article from Red Hat's own knowledgebase on how to set these things up. You didn't provide context about the number of machines, what you were trying to do, in what environment, or what your needs were. A simple search turned up exactly how to do what you're after on RHEL 8.

Any sort of centralized authentication system is going to require an authentication server.
 
Old 05-06-2024, 05:04 PM   #5
nxct
LQ Newbie
 
Registered: Dec 2022
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by TB0ne
If you did, then I assume you saw the exact article from Red Hat's own knowledgebase on how to set these things up. You didn't provide context about the number of machines, what you were trying to do, in what environment, or what your needs were. A simple search turned up exactly how to do what you're after on RHEL 8.

Any sort of centralized authentication system is going to require an authentication server.
I am currently running two machines that are fully stigged with DISA RHEL 8 checklists, which are 1 AWS EC2 instance and 1 Dell 7770, both of which are running RHEL 8.9. I do have a small Domain Controller running LDAP and AD. I am using MobaXterm and PuTTY as my SSH clients. The idea for the EC2 instances is that once a user would like to sign in with their smartcard or a sysadmin token, the machine would prompt the user for their PIN. The same goes for remote access to the Dell 7770; however, when a user is going to be signing into the physical machine, a prompt for a PIN would be activated as well.

I have tried utilizing the command `authselect select sssd with-smartcard with-smartcard-required with-smartcard-lock-on-removal --force`; however, as the command states, any user that was attempting to sign in via username and password will not gain access. Well, I wanted exceptions such as letting the users "ec2-user" and "administrator" still sign in via username and password. I attempted this by using config changes to the sshd_config file:

Code:
Match User ec2-user
    PasswordAuthentication yes
    PubkeyAuthentication yes
This unfortunately did not work. I also did make some progress utilizing the pcsc-tools and ran a `pcsc_scan` and received:


Code:
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader... /

This hangs for some time and then I eventually cancel this command. I tried searching this online and one of the few recommendations was installing coolkey, which does not work for me on RHEL 8; it is not found under any repos, and when I install it directly there are multiple errors that populate.

Again, my main goal is to enable smartcard authentication on both of these environments in the easiest way possible, while still having an emergency account such as ec2-user or administrator in case, for whatever reason, the CAC authentication fails for every account.
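
Added example, not part of the original posts: a small resolver for the kind of `Match User` exception shown in post #5, following the rules in sshd_config(5) (first value wins, a matching Match block overrides the global section). The function name `effective_sshd_setting`, the user `alice` and the sample configuration are constructed for illustration, and only `Match User` with plain names and `Match all` are modelled.

```shell
#!/bin/sh
# Added example. Resolves one sshd_config keyword for one user the way
# sshd_config(5) describes it: the first value seen wins, and a matching
# Match block overrides the global section. Simplification: only
# "Match User name[,name]" and "Match all" are modelled (no wildcards,
# no Group/Address criteria).
effective_sshd_setting() {   # usage: effective_sshd_setting USER KEYWORD < config
    awk -v user="$1" -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }         # skip blank lines and comments
        { key = tolower($1) }                 # keywords are case-insensitive
        key == "match" {                      # a new conditional block starts
            in_match = 1; active = 0
            crit = tolower($2)
            if (crit == "all") active = 1
            if (crit == "user") {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == user) active = 1
            }
            next
        }
        key == want {
            if (!in_match) { if (glob_val == "") glob_val = $2 }
            else if (active && block_val == "") block_val = $2
        }
        END { print (block_val != "" ? block_val : glob_val) }
    '
}

# Constructed sample config. AllowTcpForwarding is not indented, but it follows
# the Match line, so it belongs to that block and applies only to those users.
SAMPLE_CONFIG='
PasswordAuthentication no
PubkeyAuthentication yes
Match User ec2-user,administrator
    PasswordAuthentication yes
    PubkeyAuthentication yes
AllowTcpForwarding no
'

for u in ec2-user administrator alice; do
    printf '%s PasswordAuthentication=%s\n' "$u" \
        "$(printf '%s\n' "$SAMPLE_CONFIG" | effective_sshd_setting "$u" PasswordAuthentication)"
done
```

On a live host, `sshd -T -C user=ec2-user,host=localhost,addr=127.0.0.1` prints the values sshd itself resolves. This covers only the sshd side: when `UsePAM yes` is set, a password that sshd is willing to accept is still checked by the PAM stack that authselect generated.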
 
  

