Login with a GnuPG Smartcard and Poldi

Libpam-poldi allows you to use a GnuPG smartcard to log in to your GNU/Linux system.

Install libpam-poldi

If you use Debian GNU/Linux, libpam-poldi is already available in the repositories.
On Ubuntu GNU/Linux you can't use the Debian binaries, but you can download the sources of libpam-poldi from Debian and then build a package for your Ubuntu system with 'dpkg-buildpackage -us -uc'.

Configure Poldi

First check whether poldi detects your card reader: 'poldi-ctrl -d'. Unfortunately, some card readers don't work with poldi and the existing free driver; for example, the CardMan 4040 needs the non-free driver from Omnikey.

If poldi successfully detected your card reader, you can start to configure poldi. Poldi has pretty good documentation, so I will keep my explanations rather short.

  1. Root has to register the new card for poldi:
    poldi-ctrl --register-card --account <your-user-account> --serialno <serialno of your card>
    You can also execute this command without '--account <your-user-account>', but then the user won't be able to install or update his card's keys.
    The serialno can be found by executing 'gpg --card-status' and looking for the "Application ID" line.

  2. Now we have to establish a mapping between the user and the smartcard he owns:
    poldi-ctrl --associate --account <your-user-account> --serialno <serialno of your card>
  3. Now you have to write your public key into the appropriate key file (you have to do this within your user account):
    poldi-ctrl --set-key
  4. That's it, now you can test it with 'poldi-ctrl --test'
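As an added example (not part of the original article), the short POSIX shell script below pulls the "Application ID" value out of 'gpg --card-status' output, as step 1 describes, checks that it looks like a hex serial, and prints the exact 'poldi-ctrl' register and associate commands from steps 1 and 2 so you can review them before running them as root. The card-status text embedded in it is a constructed sample, not a real card; pass '--real' to read the live card instead.

```shell
#!/bin/sh
# Added example, not from the article: turn `gpg --card-status` output
# into the poldi-ctrl commands from steps 1 and 2 for review.

# Print the Application ID (the value poldi expects for --serialno).
# The relevant line looks like: "Application ID ...: D276000124010200000500001122 0000"
application_id() {
    printf '%s\n' "$1" | sed -n 's/^Application ID[ .]*: *\([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Accept only a non-empty hex string of plausible length, so a parse failure
# can never turn into `poldi-ctrl --serialno ""` being run by root.
valid_serialno() {
    case "$1" in
        ""|*[!0-9A-Fa-f]*) return 1 ;;
        *) [ ${#1} -ge 16 ] ;;
    esac
}

# Print the register and associate commands for ACCOUNT and SERIAL.
# Prints nothing and returns 1 if SERIAL is not a plausible serial number.
poldi_commands() {
    account="$1"; serial="$2"
    valid_serialno "$serial" || return 1
    printf 'poldi-ctrl --register-card --account %s --serialno %s\n' "$account" "$serial"
    printf 'poldi-ctrl --associate --account %s --serialno %s\n' "$account" "$serial"
}

# Constructed sample of the relevant card-status lines (not a real card).
# Note the shorter "Serial number" line is NOT what poldi wants.
SAMPLE_STATUS='Reader ...........: 076B:3021:X:0
Application ID ...: D2760001240102000005000011220000
Version ..........: 2.0
Serial number ....: 00001122'

if [ "${1:-}" = "--real" ]; then
    STATUS=$(gpg --card-status) || exit 1      # live card, if one is present
else
    STATUS="$SAMPLE_STATUS"                     # offline demo on the sample
fi
SERIAL=$(application_id "$STATUS")
poldi_commands "${USER:-youruser}" "$SERIAL" \
    || { echo "could not read a valid Application ID from card status" >&2; exit 1; }
```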

Configure PAM

Now you have to tell PAM that you want to use poldi.
To do so, edit the files in /etc/pam.d. If you want to use your smartcard with gdm, then...

  1. make a backup of /etc/pam.d/gdm.
    mv /etc/pam.d/gdm /etc/pam.d/gdm.default
  2. create a new /etc/pam.d/gdm which contains only one of the following configurations:
    auth    required   pam_poldi.so quiet

    Or if you want to log in unattended, use

    auth    required   pam_poldi.so try-pin=123456 quiet

    Or if you want to fall back to regular Unix passwords, use

    auth    sufficient pam_poldi.so try-pin=123456 quiet
    auth    required   pam_unix.so nullok_secure

Now you should be able to use your GnuPG smartcard to log in to your GNU/Linux system.