Login with GnuPG smartcard


Libpam-poldi allows you to use your Fellowship crypto card to log in to your GNU/Linux system.

First check whether poldi detects your card reader: ‘poldi-ctrl -d’. Unfortunately some card readers don’t work with poldi and the existing free driver. For example the CardMan 4040 needs the non-free driver from Omnikey.

If poldi successfully detected your card reader you can start to configure poldi. Poldi has pretty good documentation, so I will keep my explanations rather short.

  1. Root has to register the new card for poldi:
    poldi-ctrl --register-card --account <your-user-account> --serialno <serialno of your card>

    You can also execute this command without ‘--account <your-user-account>’, but then the user will not be able to install or update his card’s keys.
    The serialno can be found by executing ‘gpg --card-status’ and looking for “Application ID”.

  2. Now we have to establish a mapping between the user and the smartcard he owns:
    poldi-ctrl --associate --account <your-user-account> --serialno <serialno of your card>
  3. Now you have to write your public key into the appropriate key file (you have to do this within your user account):
    poldi-ctrl --set-key
  4. That’s it, now you can test it with ‘poldi-ctrl --test’
  5. Now you have to tell PAM that you want to use poldi.
    Therefore you have to edit the files in /etc/pam.d. If, for example, you want to log in to kdm with your card, edit the file /etc/pam.d/kdm. Replace the line ‘@include common-auth’ with

    auth    required   pam_poldi.so

    If you want to log in unattended, use

    auth    required   pam_poldi.so try-pin=123456 quiet

    And if you want to fall back to regular unix passwords, use

    auth    sufficient pam_poldi.so try-pin=123456 quiet
    auth    required   pam_unix.so nullok_secure
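
The three PAM variants above have different security properties (a PIN written into a config file, no fallback at all, a fallback that accepts empty passwords, and the order of the lines deciding whether a password is always asked). The following linter, an added example and not part of the original post or of poldi, parses the auth stack of a pam.d file and reports which of these apply; the sample stacks are constructed to mirror the post's three variants.

```python
"""Lint an /etc/pam.d auth stack for the pam_poldi.so settings discussed above."""

# Constructed samples mirroring the three variants in the post (not real system files).
CARD_ONLY = "auth    required   pam_poldi.so\n"
UNATTENDED = "auth    required   pam_poldi.so try-pin=123456 quiet\n"
WITH_FALLBACK = ("auth    sufficient pam_poldi.so try-pin=123456 quiet\n"
                 "auth    required   pam_unix.so nullok_secure\n")

MESSAGES = {
    "no-poldi": "no auth line for pam_poldi.so in this stack",
    "pin-in-config": "try-pin= stores the card PIN in the config file; anyone who can read it learns the PIN",
    "no-fallback": "pam_poldi.so is the only auth module: a lost or unreadable card locks the account out",
    "poldi-after-unix": "pam_unix.so runs before the sufficient pam_poldi.so, so a password is always asked",
    "empty-password-fallback": "the pam_unix.so fallback accepts empty passwords (nullok/nullok_secure)",
}

def parse_auth_stack(text: str) -> list:
    """Return the 'auth' entries of a pam.d file; comments, blank and @include lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            entries.append({"control": fields[1], "module": fields[2], "args": fields[3:]})
    return entries

def lint_poldi(text: str) -> list:
    """Return the MESSAGES keys that apply to the given pam.d auth stack, in stack order."""
    stack = parse_auth_stack(text)
    modules = [e["module"] for e in stack]
    if "pam_poldi.so" not in modules:
        return ["no-poldi"]
    codes = []
    for pos, entry in enumerate(stack):
        if entry["module"] == "pam_poldi.so":
            if any(a.startswith("try-pin=") for a in entry["args"]):
                codes.append("pin-in-config")
            if len(stack) == 1:
                codes.append("no-fallback")
            # A 'sufficient' poldi line only short-circuits the password prompt if it comes first.
            if entry["control"] == "sufficient" and "pam_unix.so" in modules[:pos]:
                codes.append("poldi-after-unix")
        elif entry["module"] == "pam_unix.so":
            if any(a.startswith("nullok") for a in entry["args"]):
                codes.append("empty-password-fallback")
    return codes

if __name__ == "__main__":
    for name, sample in (("card only", CARD_ONLY), ("unattended", UNATTENDED), ("fallback", WITH_FALLBACK)):
        print(name + ":", [MESSAGES[c] for c in lint_poldi(sample)])
```

Run it against a copy of your own /etc/pam.d/kdm (read as text) to see which of the findings apply to the stack you chose.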

Now you should be able to use your GnuPG smartcard to log in to your GNU/Linux system.

You can find a more detailed howto on my personal homepage which will still be available if this blog entry is already forgotten.

2 Responses to “Login with GnuPG smartcard”

  1. Michael says:

    Do you have any idea what might be causing the following error?

    maddog@tuxraver:~$ poldi-ctrl --set-key
    poldi-ctrl: detected reader `SCM SPR 532 00 00'
    poldi-ctrl: Error: failed to retrieve key from card: Card error

  2. Jake says:

    Hi,

    The new version of poldi-ctrl doesn’t support any of the above command line options. I’m struggling a bit under Ubuntu Karmic to get this all to work. My biggest problem seems to be the pam side of things.
    I’ve manually set up files under /etc/poldi/localdb, one called users and the other in a subdirectory called keys with my public key in it, but things just aren’t working at the moment.
    /usr/share/doc/libpam-poldi/MIGRATION was helpful, as was finding the source code to libpam-poldi package and reading the documentation which for some reason the Ubuntu package doesn’t seem to install properly.

    Would love an update to this blog post to cover the more recent versions of poldi-ctrl etc.

    I’m personally in quite a confusion about ssh-agent, gpg-agent, scdaemon, seamonkey and various other factors and how they all intermingle (not to mention again this pam problem where I just seem to get immediately 3 bad passwords received with no attempt to access or request a pin)

    Thanks.