mediumaccess-controlunverified
Enable smart card certificate authentication in SSSD
sssd-smartcard-cert-auth · RHEL ≥ 8 · 1 impl
Description
RHEL 8 must support multifactor (smart card / PIV) authentication for local account access by setting "pam_cert_auth = True" in the [pam] section of /etc/sssd/sssd.conf. This rule is capability-gated to hosts running SSSD; where an approved alternate MFA method is used, the operator treats it as not applicable.
Rationale
Smart card authentication provides a hardware-backed second factor that resists credential theft and replay, strengthening local account access.
Check → Remediate
Checkcommand
if [ ! -f /etc/sssd/sssd.conf ]; then exit 0; fi grep -qiE '^[[:space:]]*pam_cert_auth[[:space:]]*=[[:space:]]*true' /etc/sssd/sssd.conf 2>/dev/null
- expected_exit:
- 0
Remediatemanual
- note:
- In /etc/sssd/sssd.conf set "pam_cert_auth = True" under the [pam] section and configure pam_sss.so for the relevant PAM services, then restart sssd. Requires smart card / PIV infrastructure; verify against your MFA deployment.
Framework references
STIG
V-281324 / RHEL-10-701220V-258122 / RHEL-09-611165V-230372 / RHEL-08-020250
NIST 800-53
IA-2(1)IA-2(2)
#sssd#smartcard#mfa#pki#authentication