Libpam-poldi allows you to use your Fellowship crypto card to log in your GNU/Linux system.

First check if poldi detects your cardreader: ‘poldi-ctrl -d’. Unfortunately some cardreader doesn’t work with poldi and the existing free driver. For example the cardma4040 needs the non-free driver from Omnikey.

If poldi successfully detected your cardreader you can start to configure poldi. Poldi has a pretty good documentation so i will keep my explanations rather short.

1. Root has to register the new card for poldi:

   poldi-ctrl --register-card --account <your-user-account> --serialno <serialno of your card>

   You can also execute this command without ‘–account <your-user-account>’ but than the user will not be able to install or update his card’s keys.
   The serialno can be found by executing ‘gpg –card-status’ and looking for “Application ID”.

2. Now we have to establish a mapping between the user and the smartcard he owns:

   poldi-ctrl --associate --account <your-user-account> --serialno <serialno of your card>

3. Now you have to write your public key into the appropriate key file (you have to do this within your user account)

    poldi-ctrl --set-key

4. That’s it, now you can test it with ‘poldi-ctrl –test’
5. Now you have to tell pam, that you want to use poldi.
   Therefore you have to edit the files in /etc/pam.d. If, for example, you want to login to kdm with your card, edit the file /etc/pam.d/kdm. Replace the line ‘@include common-auth’ with

   auth    required   pam_poldi.so

   If you want to login unattended, use

   auth    required   pam_poldi.so try-pin=123456 quiet

   And if you want to fallback to regular unix passwords, use

   auth    sufficient pam_poldi.so try-pin=123456 quietauth    required   pam_unix.so nullok_secure

Now you should be able to use your GnuPG smartcard to log in your GNU/Linux system.

You can find a more detailed howto on my personal homepage which will still be available if this blog entry is already forgotten.