Fedora and gpg-agent

While it was quite easy to set up my Fellowship smartcard for SSH logins on Debian GNU/Linux following this instructions I never managed to get it working on Fedora GNU/Linux. At some point of time I just gave up. Today finally I found a solution in an on-line forum.

The problem was that gpg-agent always stopped with the error message:

$ gpg-agent 
gpg-agent[2857]: can't connect to `/home/schiesbn/.gnupg/S.gpg-agent': No such file or directory
gpg-agent: no gpg-agent running in this session

By default the gpg-agent on Fedora creates the socket in /tmp instead of in /home/schiesbn/.gnupg. So you have to move it manually over to your home directory once gpg-agent has started.

To do this I use this script:

# Decide whether to start gpg-agent daemon.
# Create necessary symbolic link in $HOME/.gnupg/S.gpg-agent
PIDOF=`pidof gpg-agent`
if [ "$RETVAL" -eq 1 ]; then
	echo "Starting gpg-agent daemon."
	eval `gpg-agent --daemon `
	echo "Daemon gpg-agent already running."
# Nasty way to find gpg-agent's socket file...
GPG_SOCKET_FILE=`find /tmp/gpg-* -name $SOCKET`
echo "Updating socket file link."
cp -fs $GPG_SOCKET_FILE $HOME/.gnupg/S.gpg-agent

To execute this script during log-in I have added this to my ~/.bashrc:

# GPG-AGENT stuff
export $GET_TTY

I still wonder why it works that easy on Debian and on Fedora i need all this scripting. But for the moment I’m just happy that I have found a solution to use my smartcard for SSH login on my Fedora systems.

Login with GnuPG smartcard

Libpam-poldi allows you to use your Fellowship crypto card to log in your GNU/Linux system.

First check if poldi detects your cardreader: ‘poldi-ctrl -d’. Unfortunately some cardreader doesn’t work with poldi and the existing free driver. For example the cardma4040 needs the non-free driver from Omnikey.

If poldi successfully detected your cardreader you can start to configure poldi. Poldi has a pretty good documentation so i will keep my explanations rather short.

  1. Root has to register the new card for poldi:
    poldi-ctrl --register-card --account <your-user-account> --serialno <serialno of your card>

    You can also execute this command without ‘–account <your-user-account>’ but than the user will not be able to install or update his card’s keys.
    The serialno can be found by executing ‘gpg –card-status’ and looking for “Application ID”.

  2. Now we have to establish a mapping between the user and the smartcard he owns:
    poldi-ctrl --associate --account <your-user-account> --serialno <serialno of your card>
  3. Now you have to write your public key into the appropriate key file (you have to do this within your user account)
     poldi-ctrl --set-key
  4. That’s it, now you can test it with ‘poldi-ctrl –test’
  5. Now you have to tell pam, that you want to use poldi.
    Therefore you have to edit the files in /etc/pam.d. If, for example, you want to login to kdm with your card, edit the file /etc/pam.d/kdm. Replace the line ‘@include common-auth’ with

    auth    required   pam_poldi.so

    If you want to login unattended, use

    auth    required   pam_poldi.so try-pin=123456 quiet

    And if you want to fallback to regular unix passwords, use

    auth    sufficient pam_poldi.so try-pin=123456 quietauth    required   pam_unix.so nullok_secure

Now you should be able to use your GnuPG smartcard to log in your GNU/Linux system.

You can find a more detailed howto on my personal homepage which will still be available if this blog entry is already forgotten.