Smart Card access?

Hey guys. I’m not sure where to post this. I have a computer lab in our shop with about 20 people accessing 5 terminals. Several of the users are the older, computer-illiterate type. Due to the way I control user access and file storage, the users have to log on and log off of their own accounts. Sounds easy, right? You wouldn’t imagine the amount of trouble I have with people logging out of the PC. I would really like to get back to a hardware solution, and since I was in the military I believe smart cards are a good option. Especially since I can also use them for time clocks, door access, and ID, and as a certificate storage medium for secure emails.

BUT HOW? I’ve Googled and researched, and basically all I’ve been able to find is some expensive overkill software and companies that charge a lot of money. Is there an easy open source way to get this done? If not… any chance you could dumb down the parts and demystify the topic a little bit? It appears there are a lot of moving parts I just don’t understand. Thanks for reading. Appreciate any help you can provide.

Look into Yubikeys. Are you dealing with Windows machines?

That’s the problem: expensive software solutions and often no support for Linux systems.
I have a Cherry chip reader, but it is all but useless for anything applicable without an exorbitant EULA.

I also have a Pongee mag stripe reader.
Again, no really good inexpensive solutions.
An easier solution would be barcode access cards.
You may be able to actually barcode your password and scan it.

I’m looking for ID cards with NFC and chips, not USB dongles. But thanks for the suggestion.

If you are dealing with Linux machines, “PAM smartcard” would be the search term to start your research with.

PAM is a program?/specification? for implementing login authentication methods on Linux, so a potential open-source project like you describe would probably implement PAM on Linux (maybe the BSDs as well, I think some of them also use PAM).

Windows machines. At least they are on an Active Directory though. Seems to be one of the requirements to make this work. Thanks for the PAM info.

Do you have admin access to AD? Can you make GPOs? You’re most likely going to need to edit these users’ AD accounts to put in the SmartCard’s UPN. Then you’ll need to make a GPO forcing them to log in via SmartCard. Then you’ll need a GPO that makes it where when the SmartCard is removed, it locks the desktop. You’ll most likely need to add the SmartCard root CA into the machines’ trusted root store.

I would suggest googling for “CAC AD Setup” or similar; there should be some guides out there helping DoD folks set up SmartCard auth via CACs that should translate pretty close to what you want to do.
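The client-side pieces listed in the reply above (require smart card, lock on removal, trusted root CA) can be checked on a workstation after the GPOs apply. This read-only audit is an added example, not part of the thread; the thumbprint is a placeholder, and the registry values are where Windows stores the two “Interactive logon” smart card security options.

```powershell
# Added example: read-only audit of smart card logon settings on one workstation.
# $ExpectedRootThumbprint is a placeholder; supply your own root CA's thumbprint.
param(
    [string]$ExpectedRootThumbprint = '<ROOT-CA-THUMBPRINT-PLACEHOLDER>'
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$results = @()

# "Interactive logon: Require smart card" -> scforceoption (DWORD, 1 = required).
$force = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'scforceoption'
$results += [pscustomobject]@{ Check = 'Smart card required for logon'; Value = $force; Pass = ($force -eq 1) }

# "Interactive logon: Smart card removal behavior" -> ScRemoveOption
# (string: 0 = no action, 1 = lock workstation, 2 = force logoff, 3 = disconnect RDS session).
$remove = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'ScRemoveOption'
$results += [pscustomobject]@{ Check = 'Lock or log off on card removal'; Value = $remove; Pass = ($remove -in '1', '2') }

# The removal behavior only takes effect while the Smart Card Removal Policy
# service (SCPolicySvc) is running.
$policySvc = Get-Service -Name 'SCPolicySvc' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = 'SCPolicySvc running'; Value = $policySvc.Status; Pass = ($policySvc.Status -eq 'Running') }

# The Smart Card service (SCardSvr) is trigger-started when a reader is present,
# so only verify that it has not been disabled.
$cardSvc = Get-Service -Name 'SCardSvr' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = 'SCardSvr not disabled'; Value = $cardSvc.StartType; Pass = ($null -ne $cardSvc -and $cardSvc.StartType -ne 'Disabled') }

# The root CA that issued the smart card certificates must be in the machine's trusted root store.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ExpectedRootThumbprint
$results += [pscustomobject]@{ Check = 'Smart card root CA trusted'; Value = $root.Subject; Pass = [bool]$root }

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

The UPN mapping on the AD user accounts is not covered here; it lives on the domain side, not on the workstation.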

@xradeon I do have admin access, and with whatever I don’t understand how to implement, I have a third-party computer service company to help out with. But even they have never done this before and don’t really know what to do. They actually maintain our computer infrastructure, but at my instruction. The GPO stuff is all pretty simple for me. I have done that before with other login styles (like custom logins and login messages) so I’m familiar.

I actually started my search with a CAC search in Google. Basically what I found was that it was not a straightforward, “built into Windows” thing. So I’m just trying to understand all the pieces that make it work. I assume there is a CA, and a program on the server that checks the user’s credentials, and a program on the client that sends the credentials to the AD server. I know that’s a very broad overview, but that’s the limit of my understanding.

Trying to sort through the multitude of different software providers’ whitepapers and methods for accomplishing this doesn’t seem straightforward. In other words… I’m just lost.

Have you read through the MS doc on the scardsvr service?

There is a lot you can do with just Windows and AD. But it takes some work. Most of the expensive applications are just a front end for all the Windows smart card features.

More here:
https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows

I’m not sure how I missed that page in all my reading. I did dig into this a little more last night and found it dumbed down a little bit. I’ll keep reading and see if I can make more sense of this. It looks like revocation lists are going to be the hardest part.

Pretty much everything that needs to be kept track of can be integrated back into AD. Hopefully your computers have TPM built in. If so, you can even fully BitLocker the drive and have the keys managed by AD; this additional step makes the devices physically secure as well as allowing easy logons via physical device. With the virtual card configuration it is even possible to use a certificate on a generic thumb drive for this. (Though I would not do it that way.)

@Zedicus that’s actually what we are trying to get. We are planning on replacing all of our non-engineering workstations with thin client / TPM setups similar to what a hospital uses. I can’t really comment on this too much, but we have some DOD requirements to meet. An auditor made specific note of the unmanned, but logged in, computer stations. We are a small-time company, so we don’t really have the resources to pay 100k to get this done; that’s why I’m trying to figure it out myself. I’m pretty good with servers, but this AD stuff is a curve ball for me.

Well, hopefully you are a good swimmer; this is a deep project to ‘learn AD’ with. Active Directory is NOT just users and computers. For AD to work, and to work for you with smart cards and group policy, you will need to make sure all of the parts of AD are working correctly.

Active Directory short list:
DHCP/DNS
Certificate auth/Radius
WELL DESIGNED Group Policy

Then it is just following each guide in order to configure all the smart card stuff. You should do the BitLocker on AD implementation BEFORE doing the smart card stuff. And you should have 2 domain controllers at least. NOT on the same VM host cluster.