Hello,

Thank you for your bug report.

On 01/16/2016 12:50 AM, Andrew Gallagher wrote:
> Package: libpam-poldi
> Version: 0.4.2+git20151221.338f78b-1
> Severity: important
> Tags: patch
> 
> Dear Maintainer,
> 
> poldi requires the following extra file before it will be active in pam. It
> will also need a call to "pam-auth-update" in both the postinst and postrm
> scripts to (de)activate the change on (un)install.
> 
> /usr/share/pam-configs/poldi:
> 
> ----
> Name: PGP smartcard authentication
> Default: yes
> Priority: 254
> Auth-Type: Primary
> Auth:
>         [success=end default=ignore]    pam_poldi.so
> Auth-Initial:
>         [success=end default=ignore]    pam_poldi.so
> ----

I included this change, and I closed this bug report.  However,
I think that it's better to discuss it.

IIUC, this usage of poldi allows adding authentication with a smartcard
as an option.  With the configuration above, an entry in
/etc/pam.d/common-auth will be created.

Then, a user can skip traditional UNIX password authentication
and proceed to authentication with a smartcard.

Is it really a good configuration to install as the default? I'm afraid.

Currently, I'm working on Poldi upstream so that it can be used for
sudo/su to connect to gpg-agent (again).  Here's today's work:

https://git.gnupg.org/cgi-bin/gitweb.cgi?p=poldi.git;a=commit;h=56b759da589bdfa3af31ed95839ba59f12e94fb7

With this patch, it would be good if we can distinguish between
login/gdm and su/sudo/screen-saver.

For login and gdm/xdm/kdm/lightdm, the poldi PAM module should not
connect to gpg-agent but invoke scdaemon to access the smartcard.

For su/sudo/screen-saver, the poldi PAM module is allowed to access the
user's gpg-agent if the configuration has the --use-agent option.

What do you think?

Could you please help me to write a good PAM configuration for Poldi?
It seems it's Debian-specific.
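As an added illustration of the concern raised above (not code from the bug report or from the poldi package), the following script parses a pam-configs profile in the format quoted in the report and flags the property being discussed: a profile enabled by default, of Auth-Type Primary, whose module uses `success=end`, so that module's success alone satisfies the primary block of common-auth. The profile text is a constructed in-memory copy of the one in the report; `parse_profile` and `bypasses_password` are names chosen here.

```python
"""Check a Debian pam-configs profile for the 'module alone satisfies auth' property."""
import re

# Constructed copy of the profile quoted in the bug report (not read from disk).
PROFILE = """\
Name: PGP smartcard authentication
Default: yes
Priority: 254
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_poldi.so
Auth-Initial:
        [success=end default=ignore]    pam_poldi.so
"""

STACK_KEYS = ("Auth", "Auth-Initial")
# "[control flags] module.so args" as written in a profile stack line.
CONTROL_RE = re.compile(r"^\[(?P<ctl>[^\]]+)\]\s+(?P<module>\S+)(?P<args>.*)$")


def parse_profile(text):
    """Return {field: [lines]}; indented lines continue the previous field."""
    fields, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(raw.strip())
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current = key.strip()
        fields[current] = [value.strip()] if value.strip() else []
    return fields


def bypasses_password(fields):
    """True if the profile is enabled by default, sits in the Primary block, and
    ends the block on its own success (pam-auth-update turns success=end into a
    jump past the remaining primary modules, so no other primary module is needed)."""
    enabled = fields.get("Default", [""])[0].lower() == "yes"
    primary = fields.get("Auth-Type", [""])[0] == "Primary"
    if not (enabled and primary):
        return False
    for key in STACK_KEYS:
        for line in fields.get(key, []):
            m = CONTROL_RE.match(line)
            if m and "success=end" in m.group("ctl").split():
                return True
    return False


if __name__ == "__main__":
    print("module alone satisfies auth:", bypasses_password(parse_profile(PROFILE)))
```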