SDDM seems to have zero smartcard support. I was hoping that it would just let me type the PIN, but turning on the smartcard with libpam-poldi stops SDDM from working altogether.
Good news though: when I set up libpam-p11 on Kubuntu, SDDM requires me to type the PIN with the smartcard inserted, or the password when it is not plugged in. I have to be careful not to lock myself out by forgetting which one I have to type.
I installed gdm3 on Kubuntu 21.10 (which depends on evolution and a ton of other packages that make no sense, but whatever). I noticed that it says this during the install:
using /etc/pam.d/gdm-smartcard-sssd-exclusive to provide /etc/pam.d/gdm-smartcard (gdm-smartcard) in auto mode
With this it seems that GDM will allow me to type a passphrase when no smartcard is present, and when I plug the smartcard into the system it assumes that I want that to be used to log in. That's OK, but I don't know what else to configure. Checking docs... An article suggests that this process is certificate-based, which is what I expected from previous attempts at this. I don't know how to get access to the certificate they mention. When I used libpam-p11 I created a certificate but don't remember whether it was on disk or on the card...
Since GDM has support, I start with that. I install libpam-poldi and configure it. I also install opensc to get pkcs15-tool, and try to install libccid and opensc-pkcs11 just in case they are not already installed:
sudo apt install libpam-poldi libpam-pkcs11 opensc libccid opensc-pkcs11 gnupg-pkcs11-scd
I enable and start pcscd:
systemctl enable pcscd; systemctl start pcscd gnupg2 pcsc-tools
At one point I see that the login screen is asking me to type the username, though the users were on the screen for a moment. I try it and get an error condition. When I pull the smartcard out, the user picker shows up... oh. GDM has detected the smartcard and may be trying to match the username I type to a certificate on the smartcard. I don't think I have any certificates on the smartcard.
https://developers.yubico.com/yubico-pam/
I have had issues with PC/SC conflicting with GnuPG. This page has some solutions to try:
https://ludovicrousseau.blogspot.com/2019/06/gnupg-and-pcsc-conflicts.html
I can't tell if that is doing anything for me, but I'll note it here for further review. I still have to unplug the card or kill all the processes using it. When pkcs15-tool -D cannot find the smartcard, I run this command:
gpgconf --kill scdaemon
I have tried the following configs, but I'm not sure whether any of them are helping or hurting:
echo "use-agent" >> ~/.gnupg/gpg.conf
echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
This guy has a quick how-to for setting up smartcards, including the login certificate (a topic I still find confusing):
http://cedric.dufour.name/blah/IT/SmartCardsHowto.html
sudo apt install gnutls-bin libengine-pkcs11-openssl
p11tool --list-all
p11tool --list-tokens
Use openssl to generate a certificate request, but then the private key is not on the smartcard? Can I get the smartcard to provide/store the private key?
Let's assume we don't need to for the moment, assuming we'll never again need this private key because we are just using the certificate loaded onto the smartcard for auth...
openssl genrsa -out smartcard-cert.key 2048
openssl req -new -nodes -key smartcard-cert.key -reqexts req_exts -config req.cnf -out smartcard.csr
I use pfSense for a firewall, which has a certificate authority feature to sign the cert request. I then download the signed cert as smartcard.crt. Next I try to import it to the smartcard:
pkcs15-init --store-certificate ./smartcard.crt --id 1 --cert-label 'user@domain.com'
Using reader with a card: Nitrokey Nitrokey Pro (000000000000000000006EA0) 00 00
Failed to store certificate: Not supported
I don't know whether this is telling me the certificate format is not supported or that my hardware does not support storing certificates.
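The two open questions above (what goes in the req.cnf that the openssl command references, and whether the downloaded cert is in a format pkcs15-init accepts) can be pinned down without the card present. The script below is an added example, not part of the original notes or of any of the tools mentioned: it writes a req.cnf with the extensions a login certificate normally carries (clientAuth EKU and an email SAN), generates the key and CSR as in the notes, stands in for the pfSense CA with a self-signed cert so it runs offline, and reports whether a certificate file is PEM or DER. The identity user@example.com and the temp directory are placeholders.

```sh
#!/bin/sh
# Added example (not from the original notes). Assumes openssl is in PATH;
# user@example.com is a placeholder identity; the pfSense CA step is replaced
# by a self-signed certificate purely so the script runs offline.
set -eu

make_req_cnf() {
  # $1 = path for req.cnf, $2 = identity to put in the subject and SAN.
  # The [ req_exts ] section is what "-reqexts req_exts" in the notes selects.
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = $2
emailAddress = $2

[ req_exts ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectAltName = email:$2
EOF
}

gen_csr() {
  # $1 = work dir, $2 = identity; writes smartcard-cert.key and smartcard.csr
  # (same file names and key size as the commands in the notes).
  make_req_cnf "$1/req.cnf" "$2"
  openssl genrsa -out "$1/smartcard-cert.key" 2048 2>/dev/null
  openssl req -new -key "$1/smartcard-cert.key" -reqexts req_exts \
    -config "$1/req.cnf" -out "$1/smartcard.csr"
}

csr_has_login_exts() {
  # Exit 0 if the CSR carries the clientAuth EKU and an email SAN, else 1.
  text=$(openssl req -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' &&
    printf '%s\n' "$text" | grep -q 'email:'
}

cert_format() {
  # Print "pem" or "der" for an X.509 certificate file; exit 1 if neither.
  # pkcs15-init reads PEM unless told otherwise with --format.
  if openssl x509 -in "$1" -inform pem -noout 2>/dev/null; then
    echo pem
  elif openssl x509 -in "$1" -inform der -noout 2>/dev/null; then
    echo der
  else
    return 1
  fi
}

# Demo run: CSR, stand-in CA, format check, and the store command to run
# with the card inserted (printed, not executed, since no reader is assumed).
work=$(mktemp -d)
gen_csr "$work" user@example.com
csr_has_login_exts "$work/smartcard.csr" && echo "CSR has clientAuth EKU and email SAN"
openssl x509 -req -in "$work/smartcard.csr" -signkey "$work/smartcard-cert.key" \
  -extfile "$work/req.cnf" -extensions req_exts -days 365 \
  -out "$work/smartcard.crt" 2>/dev/null
fmt=$(cert_format "$work/smartcard.crt")
echo "would run: pkcs15-init --store-certificate $work/smartcard.crt --format $fmt --id 1 --cert-label user@example.com"
```

If cert_format prints "pem" for the file pfSense produced, the "Not supported" error is not about the file format. One caveat on the "assume we don't need the private key" shortcut: pam_pkcs11 proves possession by having the card sign a challenge with the private key that matches the certificate, so a certificate whose key was generated on disk and never loaded onto the card cannot log anyone in even if storing it succeeds. To keep the key on the card instead, generate it there (pkcs15-init --generate-key rsa/2048 --auth-id 01 --id 01 on a card that supports it) and build the CSR through the PKCS#11 engine from libengine-pkcs11-openssl (openssl req -new -engine pkcs11 -keyform engine -key 'pkcs11:...'), so the private key never exists outside the token.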