Graphics Agent for Linux Administrators' Guide
This release is in Beta. Beta software is not fully supported, and may be incomplete or unstable. It is not intended for use in production systems. We welcome your feedback on this release! Send feedback to anyware-beta-feedback@hp.com.

Enabling Smart Card Authentication Using Linux Clients

Smart card authentication is supported for Linux Clients running on Ubuntu 22.04 connecting to Linux agents. The following section contains information on system requirements, limitations, agent setup, and client setup.

Info

Only in-session use of smart cards is supported. This means that smart cards are used for authentication after users connect to, and are actively using applications on the host machine.

General Requirements

Component Version
Client
  • Anyware Linux Client installed on Ubuntu 22.04
 25.03+
Agent
  • Graphics Agent for Linux
  • Standard Agent for Linux
 25.03+
Infrastructure (Required for brokered connections only)
  • Connection Manager & Security Gateway 20.07+
  • Leostream broker
  
 

Smart Card Certificate Requirements

The smart card certificate prerequisites are as follows:

  • Key usage is set to digital signature

  • The Subject common name and subject alternative name (other name) are defined

  • Enhanced key usage must include client authentication and/or smart card logon

  • Key length does not exceed 2048 bit

Tested Smart Card Readers

The following smart card readers have been tested:

  • Belkin USB Smart Card Reader (F1DN008U)

  • Identiv SCR3310 USB Contact Smart Card Reader

Tested Smart Card Models

The following smart card models have been tested:

Product Name                      Type of Card Notes
Gemalto TOP DL V2.1 144K FIPS CAC   
IDEMIA Cosmo v8.0 Alternate token  
IDEMIA ID-one 125 V8.0D CAC   
G+D Sm@rtCafe Expert v7.0 CAC   
G+D Sm@rtCafe Expert v7.0 144K DI CAC   
PIVkey C910 PIV   
PIVkey C980 PIV   
PIVkey C990 PIV   
Yubikey 5C Using PIV interface. 
Yubikey 5NFC Using PIV interface. 
Smart card verified and tested in customer environment CoolKey applet For accessing SIPRNet

Note: Testing Smart Card Solutions

Solutions must be validated in user environments first, as environmental differences including network conditions or other components may impact support.

Notes

  • Smart Card authentication is enabled by modifying the pcoip.enable_smart_card directive, as described in Enabling Smartcard Authentication.

  • At present, only simultaneous configuration of a single card and single reader is supported.

  • Smartcard authentication is only supported on Ubuntu 22.04 clients connecting to Linux agents. It is not supported while connecting from Zero Clients to Linux agents.

  • If available, configure the Linux Desktop Environment to use smart cards for lock screen authentication.

Known Limitations

  • Elliptic Curve Cryptography (ECC) Certificates are not supported.

  • Concurrent users cannot log on to agent machines using the same smart card for authentication.

  • Smart cards having multiple certificates allow only one user to log on at a time. Others users must wait until the current users logs off before attempting to log on.

  • Single sign-on is not supported. Users must authenticate twice: once on the client and again on the host machine's lock screen.

  • Session locking upon smart card removal might not work as expected.

  • Session will disconnect when authenticated smart card is removed from the reader.

  • If PCoIP sessions fail, disable SELINUX and re-establish a PCoIP session. If this does not work, contact the HP Support team.

  • If PIN prompts do not work on Linux Desktop Environments of agent machines, use the password to unlock the desktop. Smartcards will be remoted and available to be used in session.

Agent Setup

Note

Some card readers might require their drivers to be installed on the agent machine. Consult with the reader manual to determine whether you need to install the required drivers.

Prerequisites

  • The host machine is domain-joined.
  • If this is a brokered connection, make sure that you installed Leostream broker and Connection Manager.
  • The CA certificates that are used for authenticating smart cards are handy.

Step I: Prepare the Linux Machine

  1. Connecting the machine directly to AD using SSSD. For more information, consult the following topics:

  2. Enable smart card authentication on the Linux machine and configure smart card for lock screen. For more information, consult the following topics:

  3. Install the Leostream agent on the Linux machine. For more information, see the Leostream® Platform Installation Guide.

    Info

    For common errors encountered during Leostream agent configuration, see the Leostream Install Errors article.

Step II: Install and Configure Anyware Agent

  1. Make sure that you downloaded Anyware Agent 25.03 or later to the remote machine.

  2. Install the agent following instructions in Installing the agent

  3. Enable smart card authentication on the agent:

    1. Navigate to /etc/pcoip/.

    2. Open the pcoip-agent.conf file.

    3. Locate the pcoip.enable_smart_card directive.

    4. Set its value to "1".

    5. Save your changes.

    6. Add root CA certificate and the intermediate CA certificates to the agent's trusted certificate store.

      For example:

      cp hp_root_CA.pem /etc/ssl/certs/
cp hp_int_CA.pem /etc/ssl/certs/

    7. Add the following setting to the domain section in the sssd.conf file, available at the following location: /etc/sssd/

      For example:

      [domain/ my.ad.domain.net]
ad_gpo_map_permit = +pcoip-session

    8. Restart the PCoIP Agent service by running the following command:

      systemctl restart pcoip

Client Setup

  1. Make sure that you downloaded Anyware Linux Client version 25.03 or later on the Ubuntu 22.04 client machine.

  2. Configure the client machine to connect to the agent machine. Follow the instructions in the topic "Connecting to an Agent Machine " in the Anyware Linux Client guide.

  3. Plug the smart card reader into the client machine.

  4. Use your smart card to authenticate the session. For a full set of instructions on using smart cards to authenticate PCoIP sessions, consult "Using Smart Card Authentication to Connect to a Session" in the Anyware Linux Client guide.

Configuring Smartcard Removal Behavior

This policy determines the action to be taken when the smart card used to authenticate the session is removed from the card reader, or the card reader is disconnected.

Info

If the smart card removal behavior is not configured, removing the card will disconnect the session.

  1. On the agent machine, navigate to /etc/pcoip/.

  2. Open the pcoip-agent.conf file.

  3. Set the smart_card_removal_behavior directive to configure the smart card removal behavior:

    • To disconnect session on smart card removal (default behavior), set pcoip.smart_card_removal_behavior to "1".

    • To take no action on removal of smart card, set pcoip.smart_card_removal_behavior to "0".

  4. Restart the system.

Disabling Smart Card Support

  1. On the agent machine, navigate to /etc/pcoip/.

  2. Open the pcoip-agent.conf file.

  3. Set the pcoip.enable_smart_card directive to "0".

  4. Save your changes.

  5. Reboot the agent machine.

Troubleshooting Issues

For higher latency networks where the latency between the client and host is higher than 100 milliseconds, authentication using smart cards on lock screen may fail.

This occurs because an SSSD component called p11_child times out before the pin gets validated. To workaround this issue, increase the SSSD p11_child time-out by making these changes in the /etc/sssd/sssd.conf file:

  1. In the [pam] section, increase the p11_child_timeout value to 60 seconds.

  2. Restart SSSD service.

    systemctl restart sssd.service

Reporting Issues

To report issues with this feature, enable additional debugging capabilities before creating a support bundle as below:

  1. On the host machine, uncomment the following line from the /etc/default/pcoip-pcscd-args file: PCSCD_ARGS=–debug

  2. Save your changes.

  3. Reproduce the issue.

  4. Generate support bundle and send it to the HP Anyware support team.

Last updated: Thursday, February 27, 2025