My system is using a trusted boot model where the smart card verifies that the files in an unencrypted boot partition have not changed (think tripwire). The smart card is also used to open the encrypted (LUKS) root partition. Once up and running I use the smart card for login.
Though the smart card works most of the time, there are issues that I have not been able to solve with PureOS. It is now trashed enough that I will be removing it--again. In addition, a bug in the install prevents me from re-installing with encryption, which is one of the main reasons for using PureOS in the first place.
In general, this distro might work for you if you:

- work at Purism
- love GNOME
- don't want to use 3rd party apps like Chrome and Visual Studio Code extensions
- order a system from Purism with PureOS pre-installed
I have given up on PureOS 9 and might try again when 10 is released. The pros of using it are outweighed by the cons. In an informal poll on the forums, about half of the responses use PureOS.
Authentication can be enabled with libpam_pkcs11 or with libpam_poldi. I am using poldi.
There is a poldi-ctrl utility mentioned online but it was retired. Setting up manually. Haven't tried gpg-connect-agent.
```shell
sudo apt install libpam-poldi

# get serial/application id for smart card to use with next steps
ID=$(gpg --card-status | grep 'Application ID' | awk -F':' '{print $2}' | tr -d ' ')

# add user to poldi (the redirect must run under sudo too, so use tee)
echo "$ID myuser" | sudo tee -a /etc/poldi/localdb/users

# prepare file for user key
sudo touch /etc/poldi/localdb/keys/$ID
sudo chown myuser /etc/poldi/localdb/keys/$ID

# gpg key must be set up already and public key imported so we can pull info for it
gpg-connect-agent "/datafile /etc/poldi/localdb/keys/$ID" "SCD READKEY --advanced OPENPGP.3" /bye
```

If /etc/poldi/localdb/keys/$ID has a public key in it we are set up. If not, need to figure out why.
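As an added check for that last step (example code, not from the original notes), a small bash script that walks the poldi localdb layout used above and reports each user whose key file is missing, empty, not a public-key S-expression, or world-writable. The sample database it builds uses made-up application IDs.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a poldi localdb in the layout the commands above
# create: "users" holds "<application-id> <username>" per line, and
# keys/<application-id> holds that user's public key as written by
# "SCD READKEY --advanced" (an S-expression starting with "(public-key").
# check_poldi_db DBDIR: prints one line per user, returns 0 only if all are OK.
check_poldi_db() {
    local db="$1" rc=0 id user rest keyfile
    [ -r "$db/users" ] || { echo "missing $db/users"; return 2; }
    while read -r id user rest; do
        case "$id" in ''|'#'*) continue ;; esac   # skip blanks and comments
        keyfile="$db/keys/$id"
        if [ ! -s "$keyfile" ]; then
            echo "FAIL $user: $keyfile missing or empty (READKEY step did not write it?)"
            rc=1
        elif ! grep -q '(public-key' "$keyfile"; then
            echo "FAIL $user: $keyfile does not hold a public-key S-expression"
            rc=1
        elif [ -n "$(find "$keyfile" -perm -0002)" ]; then
            # anyone able to rewrite the key file could log in as this user
            echo "FAIL $user: $keyfile is world-writable"
            rc=1
        else
            echo "ok   $user: card $id"
        fi
    done < "$db/users"
    return "$rc"
}

# Constructed sample localdb (made-up application ids) so the check runs offline.
make_sample_db() {
    local db="$1"
    mkdir -p "$db/keys"
    printf '%s\n' "D2760001240102000006000000000000 alice" \
                  "D2760001240102000006000000000001 bob" > "$db/users"
    # alice: key file filled in, as after a successful READKEY
    printf '(public-key\n (rsa\n  (n #00C0FFEE#)\n  (e #010001#)))\n' \
        > "$db/keys/D2760001240102000006000000000000"
    # bob: file was touched and chowned but READKEY never wrote into it
    : > "$db/keys/D2760001240102000006000000000001"
}

demo_db=$(mktemp -d)
make_sample_db "$demo_db"
check_poldi_db "$demo_db" || echo "poldi localdb is not ready, see FAIL lines above"
rm -rf "$demo_db"
```

Point it at /etc/poldi/localdb on the real system (as root, since the key files may not be readable otherwise) to confirm every user in the users file has a usable key.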
Next we need to get PAM configured for various services. What model do we want here?

- no password; PIN + smart card required
- PIN + smart card or password

We can use the smart card as the primary mechanism and have the password as a backup.
## gdm-password

With `sufficient`:

```
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
auth sufficient pam_poldi.so
...
```

Here I disable the password for the user and require the smart card in PAM. This forces every user on the system to use a smart card. You will need one card per user; cards should not be shared. I'm not sure this really works. After I delete the user password the screensaver doesn't ask for the smart card...

With `required`:

```
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
auth required pam_poldi.so
...
```

Run `passwd -d <username>` to delete the user password. If the smart card is not present it prompts for the password.
## modify /etc/pam.d/sudo

With `sufficient`:

```
auth sufficient pam_poldi.so
@include common-auth
@include common-...
```

Not sure yet. When I delete the password for the user, sudo cannot seem to work.

With `required`:

```
auth required pam_poldi.so
@include common-auth
@include common-...
```

When needing to elevate for actions such as installing software with the software center, the system asks for my password. I would think this uses the sudo infrastructure, but the prompts are not aware of the smart card. This leaves me typing the password. I'll research whether this can work with configs; code changes may be needed to make the process smarter.