Login with GnuPG smartcard

Posted by schiessle on 0

Thanks to Stefan Grote who gets in touch with me as he had read my "cry for help" at the GnuPG mailinglist i have managed it to get libpam-poldi run with my Omnikey Cardman4040.
Libpam-poldi allows you to use your Fellowship crypto card to log in your GNU/Linux system.

Here a small guide how to set it up:

  1. Make sure that you have installed pcscd.
  2. Download the cardman4040 driver from omnikey.com (direct download link).
  3. Extract the file 
    tar xzf ifdok_cm4040_lnx-1.1.0.tar.gz
  4. Copy the ifdok_cm4040_lnx-1.1.0.so file to /usr/lib
  5. Edit your /etc/reader.conf and insert this lines: 
    FRIENDLYNAME "Omnikey Cardman 4040 Socket 0"
    DEVICENAME <devicename for your cardreader>
    LIBPATH /usr/lib/ifdok_cm4040_lnx-1.1.0.so
    CHANNELID 0

    It’s important that you use tabs between the options and the values. You can find the devicename with ‘dmesg | grep 4040’

  6. Restart pcscd: /etc/init.d/pcscd restart
  7. Now ‘poldi-ctrl -d’ should detect your cardreader.

Now you only have to configure poldi. Poldi has a pretty good documentation so i will keep my explanations rather short.

  1. Root has to register the new card for poldi: 
    poldi-ctrl --register-card --account <your-user-account> --serialno <serialno of your card>

    You can also execute this command without ‘–account <your-user-account>’ but than the user will not be able to install or update his card’s keys.
    The serialno can be found by executing ‘gpg –card-status’ and looking for "Application ID".

  2. Now we have to establish a mapping between the user and the smartcard he owns: 
    poldi-ctrl --associate --account <your-user-account> --serialno <serialno of your card>
  3. Now you have to write your public key into the appropriate key file (you have to do this within your user account) 
     poldi-ctrl --set-key
  4. That’s it, now you can test it with ‘poldi-ctrl –test’
  5. Now you have to tell pam, that you want to use poldi.
    Therefore you have to edit the files in /etc/pam.d. If, for example, you want to login to kdm with your card, edit the file /etc/pam.d/kdm. Replace the line ‘@include common-auth’ with 
    auth required pam_poldi.so

    If you want to login unattended, use 

    auth required pam_poldi.so try-pin=123456 quiet

    And if you want to fallback to regular unix passwords, use 

    auth sufficient pam_poldi.so try-pin=123456 quiet
    auth required pam_unix.so nullok_secure

Now you should be able to use your GnuPG smartcard to log in your GNU/Linux system.

You can find a more detailed howto on my personal homepage which will still be available if this blog entry is already forgotten.