Pass-through authentication by using smart cards

Users can use a smart card connected to the client device for authentication when logging on to a Linux virtual desktop session. This feature is implemented through smart card redirection over the ICA smart card virtual channel. Users can also use the smart card within the session. Use cases include adding a digital signature to a document, encrypting or decrypting an email, or authenticating to a website that requires smart card authentication.

The Linux VDA uses the same configuration as the Windows VDA for this feature. For more information, see the following Configure the smart card environment section.

The availability of pass-through authentication by using smart cards is contingent on the following conditions:

  • The Linux VDA is installed on RHEL 7.7/CentOS 7.7 or RHEL 8.1/CentOS 8.1.
  • Smart cards supported by OpenSC are used.
  • Citrix Workspace app for Windows is used.


Smart card authentication to Citrix Gateway is not officially supported.

Smart card support on RHEL 8.1/CentOS 8.1

Smart card authentication depends on the pam_krb5 module, which is deprecated on RHEL 8.1/CentOS 8.1. To use smart card authentication on RHEL 8.1/CentOS 8.1, build the pam_krb5 module as follows:

  1. Download the pam_krb5-2.4.8-6 source code from

  1. Build and install the pam_krb5 module on RHEL 8.1/CentOS 8.1.

    yum install -y opensc pcsc-lite pcsc-lite-libs pcsc-lite-ccid nss-tools
    yum install gcc krb5-devel pam-devel autoconf libtool
    rpm2cpio pam_krb5-2.4.8-6.el7.src.rpm | cpio –div
    tar xvzf pam_krb5-2.4.8.tar.gz
    cd pam_krb5-2.4.8
    ./configure --prefix=/usr
    make install
  2. Verify that exists under /usr/lib64/security/.

    ls -l /usr/lib64/security | grep pam_krb5

Install the Linux VDA software on RHEL 7.7/CentOS 7.7, RHEL 8.1/CentOS 8.1

Install the Linux VDA software using the RPM package manager or easy install, see the Installation overview section.

After the VDA installation is complete, verify that the VDA can register to the Delivery Controller and the published Linux desktop sessions can be launched successfully using password authentication.

Ensure that OpenSC supports your smart card

OpenSC is a widely used smart card driver on RHEL 7.4+. As a fully compatible replacement of CoolKey,OpenSC supports many types of smart cards (see Smart Card Support in Red Hat Enterprise Linux).

In this article, the Yubikey 4 smart card is used as an example to illustrate the configuration. Yubikey 4 is an all-in-one USB CCID PIV device that can easily be purchased from Amazon or other retail vendors. The OpenSC driver supports Yubikey 4.

image of yubikey4

If your organization requires some other more advanced smart card, prepare a physical machine with RHEL 7.7/CentOS 7.7 or RHEL 8.1/CentOS 8.1 and the OpenSC package installed. For information about the OpenSC installation, see Install the smart card driver. Insert your smart card, and run the following command to verify that OpenSC supports your smart card:

pkcs11-tool --module --list-slots


Prepare a root certificate

A root certificate is used to verify the certificate on the smart card. Do the following to download and install a root certificate.

  1. Obtain a root certificate in PEM format, typically from your CA server.

    You can run a command similar to the following to convert a DER file (*.crt, *.cer, *.der) to PEM. In the following command example, certnew.cer is a DER file.

    openssl x509 -inform der -in certnew.cer -out certnew.pem
  2. Install the root certificate to the openssl directory. The certnew.pem file is used as an example.

    cp certnew.pem /etc/pki/CA/certs/

Configure the NSS database

The Linux VDA logon module relies on the NSS database to access smart cards and certificates. Do the following to configure the NSS database.

  1. Add the previously mentioned root certificate to the NSS database.

    certutil -A -n "My Corp Root" -t "CT,C,C" -a -d /etc/pki/nssdb -i  /etc/pki/CA/certs/certnew.pem
  2. Run the following command to verify that the root certificate is added to the NSS database successfully.

    certutil -L -d /etc/pki/nssdb
  3. Check whether OpenSC is installed in the NSS PKCS#11 library.

    modutil -list -dbdir /etc/pki/nssdb

    If the OpenSC module is not installed, run the following command to install the module manually, and then check the installation again.

    modutil -add "OpenSC PKCS #11 Module" -libfile -dbdir /etc/pki/nssdb
  4. Configure the pam_pkcs11 module.

    The pam_pkcs11 module relies on the local VDA configuration to verify user certificates. The default root certificate used by pam_pkcs11 is located at /etc/pam_pkcs11/cacerts/. Each root certificate in this path has a hash link. Run the following commands to install the prepared root certificate and to configure pam_pkcs11.

    yum install pam_pkcs11
    mkdir /etc/pam_pkcs11/cacerts/
    cp certnew.pem /etc/pam_pkcs11/cacerts/
    cacertdir_rehash /etc/pam_pkcs11/cacerts

Configure the smart card environment

You can use the script to configure the smart card environment or do the configuration manually.

  • Use the script to configure the smart card environment


    The script adds PKINIT information to the default realm. You can change this setting through the /etc/krb5.conf configuration file.

    Before using smart cards for the first time, run the script to configure the smart card environment.

     sudo /opt/Citrix/VDA/sbin/

    The results resemble the following:

    image of running script to enable

    To disable smart cards:

     sudo /opt/Citrix/VDA/sbin/

    The results resemble the following:

    image of running script to disable

  • Manually configure the smart card environment

    The Linux VDA uses the same smart card environment with the Windows VDA. In the environment, multiple components must be configured, including the Domain Controller, Microsoft Certificate Authority (CA), Internet Information Services, Citrix StoreFront, and Citrix Workspace app. For information about the configuration based on the Yubikey 4 smart card, see Knowledge Center article CTX206156.

    Before proceeding to the next step, ensure that all components are correctly configured, the private key and user certificate are downloaded to the smart card, and you can successfully log on to the Windows VDA using the smart card.

Install the PC/SC Lite packages

PCSC Lite is an implementation of the Personal Computer/Smart Card (PC/SC) specification in Linux. It provides a Windows smart card interface for communicating to smart cards and readers. Smart card redirection in the Linux VDA is implemented on the PC/SC level.

Run the following command to install the PC/SC Lite packages.

yum install pcsc-lite pcsc-lite-ccid pcsc-lite-libs

Install the smart card driver

OpenSC is a widely used smart card driver on RHEL. If OpenSC is not installed, run the following command to install it.

yum install opensc

Install the PAM modules for smart card authentication

Run the following command to install the pam_krb5 and krb5-pkinit modules.

RHEL 7.7/CentOS 7.7:

yum install pam_krb5 krb5-pkinit

RHEL 8.1/CentOS 8.1:

yum install krb5-pkinit

The pam_krb5 module is a pluggable authentication module that PAM-aware applications can use to check passwords and obtain ticket-granting tickets from the Key Distribution Center (KDC). The krb5-pkinit module contains the PKINIT plug-in that allows clients to obtain initial credentials from the KDC using a private key and a certificate.

Configure the pam_krb5 module

The pam_krb5 module interacts with the KDC to get Kerberos tickets using certificates in the smart card. To enable pam_krb5 authentication in PAM, run the following command:

authconfig --enablekrb5 --update

In the /etc/krb5.conf configuration file, add PKINIT information according to the actual realm.


The pkinit_cert_match option specifies matching rules that the client certificate must match before it is used to attempt PKINIT authentication. The syntax of the matching rules is:

[relation-operator] component-rule …

where relation-operator can be either &&, meaning all component rules must match, or ||, meaning only one component rule must match.

Here is an example of a generic krb5.conf file:



    auth_to_local = RULE:[1:$1@$0]

    pkinit_anchors = FILE:/etc/pki/CA/certs/certnew.pem

    pkinit_kdc_hostname = KDC.EXAMPLE.COM

    pkinit_cert_match = ||<EKU>msScLogin,<KU>digitalSignature

    pkinit_eku_checking = kpServerAuth


The configuration file resembles the following after you add the PKINIT information.

image of added pkinit information

Configure PAM authentication

PAM configuration files tell what modules are used for PAM authentication. To add pam_krb5 as an authentication module, add the following line to the /etc/pam.d/smartcard-auth file:

auth [success=done ignore=ignore default=die] preauth_options=X509_user_identity=PKCS11:/usr/lib64/pkcs11/

The configuration file resembles the following after modification if Winbind is used.

image of modified configurarion file if winbind is used

(Optional) Single sign-on by using smart cards

Single sign-on (SSO) is a Citrix feature that implements pass-through authentication with virtual desktop and application launches. This feature reduces the number of times that users type their PIN. To use SSO with the Linux VDA, configure Citrix Workspace app. The configuration is the same with the Windows VDA. For more information, see Knowledge Center article CTX133982.

Enable the smart card authentication as follows when configuring the group policy in Citrix Workspace app.

image of enabling smart card authentication in workspace app

Fast smart card logon

Fast smart card is an improvement over the existing HDX PC/SC-based smart card redirection. It improves performance when smart cards are used in high-latency WAN environments. For more information, see Smart cards.

The Linux VDA supports fast smart card on the following versions of Citrix Workspace app:

  • Citrix Receiver for Windows 4.12
  • Citrix Workspace app 1808 for Windows and later

Enable fast smart card logon on the client

Fast smart card logon is enabled by default on the VDA and disabled by default on the client. On the client, to enable fast smart card logon, include the following parameter in the default.ica file of the associated StoreFront site:


Disable fast smart card logon on the client

To disable fast smart card logon on the client, remove the SmartCardCryptographicRedirection parameter from the default.ica file of the associated StoreFront site.


Log on to the Linux VDA by using a smart card

Users can use a smart card to log on to the Linux VDA in both SSO and non-SSO scenarios.

  • In the SSO scenario, users are automatically logged on to StoreFront by using the cached smart card certificate and PIN. When users launch a Linux virtual desktop session in StoreFront, the PIN is passed to the Linux VDA for smart card authentication.
  • In the non-SSO scenario, users are prompted to select a certificate and type a PIN to log on to StoreFront.

    image of typing a pin to log on to storefront

When users launch a Linux virtual desktop session in StoreFront, a dialog box for logon to the Linux VDA appears as follows. The user name is extracted from the certificate in the smart card and users must type the PIN again for logon authentication.

This behavior is the same with the Windows VDA.

image of xendesktop login

Reconnect to a session by using a smart card

To reconnect to a session, ensure that the smart card is connected to the client device. Otherwise, a gray caching window appears on the Linux VDA side and exits quickly because reauthentication fails without the smart card connected. No other prompt is provided in this case to remind you to connect the smart card.

On the StoreFront side, however, if a smart card is not connected when you try to reconnect to a session, the StoreFront web might give an alert as follows.

image of please insert a smart card


Smart card removal policy

Now, the Linux VDA uses only the default behavior for smart card removal. When you remove the smart card after logging on to the Linux VDA successfully, the session still keeps connected and the session screen is not locked.

Support for other smartcards and the PKCS#11 library

Although only the OpenSC smart card is listed on our support list, you can try using other smart cards and the PKCS#11 library because Citrix is providing a generic smart card redirection solution. To switch to your specific smart card or the PKCS#11 library:

  1. Replace all the instances with your PKCS#11 library.

  2. To set the path of your PKCS#11 library to the registry, run the following command:

    /opt/Citrix/VDA/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\VirtualChannels\Scard" -v "PKCS11LibPath" -d "PATH"

    where PATH points to your PKCS#11 library such as /usr/lib64/pkcs11/

  3. Disable fast smart card logon on the client.