Hi there,

I'm the proud owner of a Nitrokey Pro OpenPGP card that works fine for encryption and SSH authentication. I'd love to use it for sudo/login operations as well, but I've had no luck so far in setting up Poldi for PAM authentication.

Would you please let me know what I missed, or maybe how I could further investigate?

Here is what I did:

* My card contains 4096 bit encryption, signing and authentication subkeys.
* I'm using GnuPG v2.1.15 on a regular Ubuntu 17.10 desktop.
* Poldi was installed via the Ubuntu 17.10 "libpam-poldi" package.
* I've associated the card Application ID with my system username within "/etc/poldi/localdb/users".
* I've exported my public authentication subkey in a file named after the card Application ID within "/etc/poldi/localdb/keys/". Since "poldi-ctrl" is no longer available, and

      gpg-connect-agent "/datafile <app_id>" "SCD READKEY --advanced OPENPGP.3" "/bye"

  would only yield "ERR 100663414 Invalid ID <SCD>", I've been using

      gpg --export | openpgp2ssh <auth_subkey_fp> | ssh-conv | sexp-conv --syntax=hex

  to produce the appropriate format, i.e.

      (public-key (rsa-pkcs1-sha1 (n #00e2 ... 7#) (e #010001#)))

* I've replaced "@include common-auth" with "auth sufficient pam_poldi.so" in "/etc/pam.d/sudo".

And this is where I stand:

* "sudo ls" is unsuccessful, though the card LED lights up (and the PIN is correct):

      Insert authentication card for user `syl'
      Trying authentication as user `syl'...
      Please enter the PIN
      Sorry, try again.
      Insert authentication card for user `syl'
      Trying authentication as user `syl'...
      Sorry, try again.
      Insert authentication card for user `syl'
      Trying authentication as user `syl'...
      sudo: 3 incorrect password attempts

* "/var/log/poldi.log" doesn't give much detail (card serial number edited by me):

      Poldi 2018-02-02 17:19:53 [23950] debug: using authentication method `localdb'
      Poldi 2018-02-02 17:19:54 [23950] debug: got scdaemon socket name from gpg-agent, connected to socket '/run/user/1000/gnupg/S.scdaemon'
      Poldi 2018-02-02 17:19:56 [23950] debug: Waiting for card for user `syl'...
      Poldi 2018-02-02 17:19:58 [23950] debug: connected to card; serial number is: D...0
      Poldi 2018-02-02 17:19:58 [23950] debug: Trying authentication as user `syl'...
      Poldi 2018-02-02 17:20:06 [23950] error: failed to verify challenge
      Poldi 2018-02-02 17:20:06 [23950] error: authentication failed: General error
      Poldi 2018-02-02 17:20:06 [23950] debug: using authentication method `localdb'
      Poldi 2018-02-02 17:20:06 [23950] debug: got scdaemon socket name from gpg-agent, connected to socket '/run/user/1000/gnupg/S.scdaemon'
      Poldi 2018-02-02 17:20:06 [23950] debug: Waiting for card for user `syl'...
      Poldi 2018-02-02 17:20:06 [23950] debug: connected to card; serial number is: D...0
      Poldi 2018-02-02 17:20:06 [23950] debug: Trying authentication as user `syl'...
      Poldi 2018-02-02 17:20:10 [23950] error: failed to verify challenge
      Poldi 2018-02-02 17:20:10 [23950] error: authentication failed: General error
      Poldi 2018-02-02 17:20:10 [23950] debug: using authentication method `localdb'
      Poldi 2018-02-02 17:20:10 [23950] debug: got scdaemon socket name from gpg-agent, connected to socket '/run/user/1000/gnupg/S.scdaemon'
      Poldi 2018-02-02 17:20:10 [23950] debug: Waiting for card for user `syl'...
      Poldi 2018-02-02 17:20:10 [23950] debug: connected to card; serial number is: D...0
      Poldi 2018-02-02 17:20:10 [23950] debug: Trying authentication as user `syl'...
      Poldi 2018-02-02 17:20:13 [23950] error: failed to verify challenge
      Poldi 2018-02-02 17:20:13 [23950] error: authentication failed: General error

* For the record, "/etc/poldi/poldi.conf" reads as follows:

      auth-method localdb
      log-file /var/log/poldi.log
      debug

Thanks in advance for your help, best regards,

--Syl
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
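What "failed to verify challenge" amounts to in the localdb method: the signature the card returns over Poldi's challenge has to verify under the key stored in /etc/poldi/localdb/keys/<app_id>. The Python below is an added example, not Poldi's code and not from the post: it parses the s-expression format shown above, checks an rsa-pkcs1-sha1 (PKCS#1 v1.5 with SHA-1) signature under that key, and uses a constructed toy key (Mersenne-prime moduli, labelled as such in the code) to show how a signature made by a different key fails exactly this check.

```python
import hashlib
import re

# DigestInfo prefix for SHA-1, RFC 8017 section 9.2 (EMSA-PKCS1-v1_5)
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def parse_poldi_key(sexp):
    """Extract (n, e) from the advanced s-expression kept in
    /etc/poldi/localdb/keys/<app_id>, i.e.
    (public-key (rsa-pkcs1-sha1 (n #00e2...7#) (e #010001#)))."""
    n_hex = re.search(r"\(n\s*#([0-9a-fA-F\s]+)#\)", sexp)
    e_hex = re.search(r"\(e\s*#([0-9a-fA-F\s]+)#\)", sexp)
    if not (n_hex and e_hex):
        raise ValueError("not an RSA public-key s-expression")
    as_int = lambda m: int("".join(m.group(1).split()), 16)
    return as_int(n_hex), as_int(e_hex)

def emsa_pkcs1_v15_sha1(challenge, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-1(challenge) for a k-byte modulus."""
    t = SHA1_DIGESTINFO + hashlib.sha1(challenge).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for rsa-pkcs1-sha1")
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def verify_challenge(sexp, challenge, signature):
    """True when 'signature' is a valid rsa-pkcs1-sha1 signature over 'challenge'
    under the localdb key; False is the 'failed to verify challenge' case."""
    n, e = parse_poldi_key(sexp)
    k = (n.bit_length() + 7) // 8
    return pow(signature, e, n) == emsa_pkcs1_v15_sha1(challenge, k)

# ---- constructed demo material; nothing below is a real card key ----
def demo_key_sexp(n, e):
    """Render (n, e) the way sexp-conv --syntax=hex prints them."""
    def h(v):
        s = format(v, "x")
        s = "0" * (len(s) % 2) + s                          # whole bytes
        return ("00" if int(s[0], 16) >= 8 else "") + s     # keep sign bit clear
    return f"(public-key (rsa-pkcs1-sha1 (n #{h(n)}#) (e #{h(e)}#)))"

def sign_challenge(challenge, d, n):
    """Stand-in for the card signing Poldi's challenge with OPENPGP.3."""
    k = (n.bit_length() + 7) // 8
    return pow(emsa_pkcs1_v15_sha1(challenge, k), d, n)

# Toy RSA key built from two Mersenne primes: instant offline, NOT secure.
AUTH_P, AUTH_Q = 2**521 - 1, 2**607 - 1
AUTH_N, AUTH_E = AUTH_P * AUTH_Q, 65537
AUTH_D = pow(AUTH_E, -1, (AUTH_P - 1) * (AUTH_Q - 1))
OTHER_N = (2**607 - 1) * (2**1279 - 1)   # a different key, e.g. the encryption subkey
```

When the log shows this error, comparing the modulus parsed from the localdb file with the modulus of the card's authentication subkey is the first thing to check, since a file holding a different subkey fails verification in exactly this way.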