Product SiteDocumentation Site

3.3. Single Sign-on (SSO)

3.3.1. Introduction

The Fedora SSO functionality reduces the number of times Fedora desktop users have to enter their passwords. Several major applications leverage the same underlying authentication and authorization mechanisms so that users can log in to Fedora from the log-in screen, and then not need to re-enter their passwords. These applications are detailed below.
In addition, users can log in to their machines even when there is no network (offline mode) or where network connectivity is unreliable, for example, wireless access. In the latter case, services will degrade gracefully.

3.3.1.1. Supported Applications

The following applications are currently supported by the unified log-in scheme in Fedora:
  • Login
  • Screensaver
  • Firefox and Thunderbird

3.3.1.2. Supported Authentication Mechanisms

Fedora currently supports the following authentication mechanisms:
  • Kerberos name/password login
  • Smart card/PIN login

3.3.1.3. Supported Smart Cards

Fedora has been tested with the Cyberflex e-gate card and reader, but any card that complies with both Java card 2.1.1 and Global Platform 2.0.1 specifications should operate correctly, as should any reader that is supported by PCSC-lite.
Fedora has also been tested with Common Access Cards (CAC). The supported reader for CAC is the SCM SCR 331 USB Reader.
Gemalto smart cards (Cyberflex Access 64k v2, standard with DER SHA1 value configured as in PKCSI v2.1) are now supported. These smart cards now use readers compliant with Chip/Smart Card Interface Devices (CCID).

3.3.1.4. Advantages of Fedora Single Sign-on

Numerous security mechanisms currently exist that utilize a large number of protocols and credential stores. Examples include SSL, SSH, IPsec, and Kerberos. Fedora SSO aims to unify these schemes to support the requirements listed above. This does not mean replacing Kerberos with X.509v3 certificates, but rather uniting them to reduce the burden on both system users and the administrators who manage them.
To achieve this goal, Fedora:
  • Provides a single, shared instance of the NSS crypto libraries on each operating system.
  • Ships the Certificate System's Enterprise Security Client (ESC) with the base operating system. The ESC application monitors smart card insertion events. If it detects that the user has inserted a smart card that was designed to be used with the Certificate System server product, it displays a user interface instructing the user how to enroll that smart card.
  • Unifies Kerberos and NSS so that users who log in to the operating system using a smart card also obtain a Kerberos credential (which allows them to log in to file servers, etc.)