← Rules Catalog
mediumaccess-controlunverified

Enable smart card certificate authentication in SSSD

sssd-smartcard-cert-auth · RHEL ≥ 8 · 1 impl

Description

RHEL 8 must support multifactor (smart card / PIV) authentication for local account access by setting "pam_cert_auth = True" in the [pam] section of /etc/sssd/sssd.conf. This rule is capability-gated to hosts running SSSD; where an approved alternate MFA method is used, the operator treats it as not applicable.

Rationale

Smart card authentication provides a hardware-backed second factor that resists credential theft and replay, strengthening local account access.

Check → Remediate

Checkcommand
if [ ! -f /etc/sssd/sssd.conf ]; then exit 0; fi
grep -qiE '^[[:space:]]*pam_cert_auth[[:space:]]*=[[:space:]]*true' /etc/sssd/sssd.conf 2>/dev/null
expected_exit:
0
Remediatemanual
note:
In /etc/sssd/sssd.conf set "pam_cert_auth = True" under the [pam] section and configure pam_sss.so for the relevant PAM services, then restart sssd. Requires smart card / PIV infrastructure; verify against your MFA deployment.

Framework references

STIG

V-281324 / RHEL-10-701220V-258122 / RHEL-09-611165V-230372 / RHEL-08-020250

NIST 800-53

IA-2(1)IA-2(2)
#sssd#smartcard#mfa#pki#authentication