Login with GnuPG smartcard

August 7, 2006    gnupg smartcard

Libpam-poldi allows you to use your Fellowship crypto card to log in your GNU/Linux system.

First check if poldi detects your cardreader: ‘poldi-ctrl -d’. Unfortunately some cardreader doesn’t work with poldi and the existing free driver. For example the cardma4040 needs the non-free driver from Omnikey.

If poldi successfully detected your cardreader you can start to configure poldi. Poldi has a pretty good documentation so i will keep my explanations rather short.

  1. Root has to register the new card for poldi: 
    poldi-ctrl –register-card –account <your-user-account> –serialno <serialno of your card>
You can also execute this command without &#8216;&#8211;account <your-user-account>&#8217; but than the user will not be able to install or update his card&#8217;s keys.

The serialno can be found by executing &#8216;gpg &#8211;card-status&#8217; and looking for &#8220;Application ID&#8221;.</li> 

  * Now we have to establish a mapping between the user and the smartcard he owns: 
    <pre>poldi-ctrl --associate --account &lt;your-user-account&gt; --serialno &lt;serialno of your card&gt;</pre>

  * Now you have to write your public key into the appropriate key file (you have to do this within your user account) 
    <pre>poldi-ctrl --set-key</pre>

  * That&#8217;s it, now you can test it with &#8216;poldi-ctrl &#8211;test&#8217;
  * Now you have to tell pam, that you want to use poldi.

    Therefore you have to edit the files in /etc/pam.d. If, for example, you want to login to kdm with your card, edit the file /etc/pam.d/kdm. Replace the line &#8216;@include common-auth&#8217; with</p> 
    <pre>auth    required   pam_poldi.so</pre>
    
    If you want to login unattended, use
    
    <pre>auth    required   pam_poldi.so try-pin=123456 quiet</pre>
    
    And if you want to fallback to regular unix passwords, use
    
    <pre>auth    sufficient pam_poldi.so try-pin=123456 quietauth    required   pam_unix.so nullok_secure</pre></ol> 

Now you should be able to use your GnuPG smartcard to log in your GNU/Linux system.
Author
Mastodon LinkedIn RSS Feed
portrait
Björn Schießle
Computer Scientist (Dipl. Inf.), graduated at University of Stuttgart, Germany.
Active in the Free Software movement for over 25 years.
Long-term volunteer at FSFE and member of the General Assembly.
Co-founder and PreSales-Lead of Nextcloud.

Comments