I was using poldi for smartcard integration into pam but came across another pam module at https://github.com/OpenSC/pam_p11.
User setup is stored in the user's home directory, not in /etc/.
Actually works for all types of auth!
Slightly more complex setup.
Requires generating a signed certificate, which is more complex than just adding the card's serial to a file in /etc/.
This worked in kubuntu 21.10 but fails in 22.04. I can't figure out why.
This setup uses an authorized certificate that was signed by the smartcard private key. It requires using the smartcard to sign a certificate, which I also had to create.
You need the following:
libpam-p11, either built from source or installed from your distro
if compiling from source: libpam-p11-dev and libp11-dev
an SSL certificate authority (self-signed can be used if needed)
a smartcard with a loaded private key
The steps are:
1. make p11 work
2. create an SSL certificate request
3. sign the SSL certificate using the smartcard
4. modify PAM
In one case I had to install a dependency manually. Not sure if this is because I compiled something previously...
apt install libengine-pkcs11-openssl gnutls-bin opensc-pkcs11 scdaemon opensc
I installed the package in some distros but in others I had to compile from source. Here is the install command on Debian based distros:
apt install libpam-p11
p11tool --list-privkeys
If this doesn't output anything, try starting pcscd:
sudo systemctl enable pcscd.socket
sudo systemctl start pcscd.socket
p11tool --list-privkeys
If it is working, you will see a list of keys from the smartcard.
In my first install the p11 tools were not working because they were looking in the wrong location for files. First I tried to follow the instructions for p11 and register the files, but that did not work. Next I manually set up the configuration, but in later distros this does not seem necessary. YMMV
sudo su
mkdir -p /etc/pkcs11/modules
# take only the first match; several hits would produce a malformed module line
MOD=$(locate pkcs11.so | grep '/pkcs11.so$' | head -n 1)
echo "module: $MOD" >> /etc/pkcs11/modules/.module
In the original setup I created a symlink in the location that the library wanted.
cd /usr/lib/
ln -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so .
Run the command to get the information for the private key to use with certificates. When it is working we see a few listed.
p11tool --list-privkeys
If that command does not return results, try specifying the path to the library:
p11tool --provider /usr/lib/opensc-pkcs11.so --list-privkeys
First create the folder that will hold the certificate in your home folder.
if [ ! -d ~/.eid ] ; then
mkdir -p ~/.eid
chmod 0755 ~/.eid
fi
Next use openssl to create a certificate request. This uses the URL representing the smartcard private key found in the previous step. Note that the -x509 flag makes openssl emit a self-signed certificate rather than a bare CSR, which is why the next step can re-sign it with openssl x509.
# strip the leading "URL: " that p11tool prints, match the signature key case-insensitively, and keep only the first hit
URL=$(p11tool --list-privkeys | sed -n 's/^[[:space:]]*URL:[[:space:]]*//p' | grep -i sig | head -n 1)
openssl req -engine pkcs11 -new -key "$URL" -keyform engine -out ~/req.pem -text -x509 -subj "/CN=$USER"
An alternative approach uses a certificate located on the smartcard. My card does not have one. might use this to add it and try this approach.
pkcs11-tool --read-object --type cert --id 45 --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --output-file ~/req.pem
Then sign the certificate:
openssl x509 -engine pkcs11 -signkey "$URL" -keyform engine -in ~/req.pem -out ~/signed
cat ~/signed >> ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates
Delete the temporary file(s).
rm -f ~/req.pem ~/signed
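Added example, not code from the original post or from the pam_p11 project: POSIX sh helpers that make the certificate step above repeatable and check its result. The function names, the "sig" label match, and the sample p11tool output are assumptions; the sample is constructed, not captured from a real card. It assumes p11tool prints key URLs as "URL: pkcs11:..." lines and that pam_p11 reads ~/.eid/authorized_certificates as described above.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the
# ~/.eid/authorized_certificates setup. Assumes p11tool prints the key URL
# on a "URL: pkcs11:..." line and pam_p11 reads ~/.eid/authorized_certificates.

# Constructed stand-in for `p11tool --list-privkeys` output (no real card).
SAMPLE_P11TOOL_OUTPUT='Object 0:
    URL: pkcs11:model=PKCS%2315;manufacturer=Example;token=Example%20Card;object=Auth%20key;type=private
    Type: Private key (RSA-2048)
    Label: Auth key
Object 1:
    URL: pkcs11:model=PKCS%2315;manufacturer=Example;token=Example%20Card;object=Signature%20key;type=private
    Type: Private key (RSA-2048)
    Label: Signature key'

# Read p11tool output on stdin and print the first private-key URL whose
# object/label mentions "sig" (case-insensitive), with the "URL: " prefix
# stripped so it can be passed directly to `openssl req -key "$URL"`.
# Returns 1 if no such key is listed (e.g. pcscd not running, card absent).
extract_privkey_url() {
    _url=$(sed -n 's/^[[:space:]]*URL:[[:space:]]*//p' | grep -i 'sig' | head -n 1)
    [ -n "$_url" ] || return 1
    printf '%s\n' "$_url"
}

# Count PEM certificates currently authorized in the given ~/.eid directory.
count_authorized_certs() {
    _f="$1/authorized_certificates"
    if [ -f "$_f" ]; then
        grep -c 'BEGIN CERTIFICATE' "$_f" || true
    else
        echo 0
    fi
}

# Append a PEM certificate to authorized_certificates, creating the directory
# with the permissions used in the post (0755 dir, 0644 file). Refuses to
# append a certificate whose body is already present, so repeated runs do
# not accumulate duplicate entries that all grant login.
install_authorized_cert() {
    _cert="$1"
    _dir="${2:-$HOME/.eid}"
    _target="$_dir/authorized_certificates"
    grep -q 'BEGIN CERTIFICATE' "$_cert" || {
        echo "install_authorized_cert: $_cert is not a PEM certificate" >&2
        return 1
    }
    # the second line of a PEM block is the start of the base64 body; use it
    # as a cheap identity check for "already installed"
    _marker=$(sed -n '2p' "$_cert")
    if [ -f "$_target" ] && grep -qxF "$_marker" "$_target"; then
        echo "install_authorized_cert: certificate already authorized" >&2
        return 2
    fi
    [ -d "$_dir" ] || { mkdir -p "$_dir" && chmod 0755 "$_dir"; }
    cat "$_cert" >> "$_target" && chmod 0644 "$_target"
}

# Typical use on a machine with the card present (not run here):
#   URL=$(p11tool --list-privkeys | extract_privkey_url) || exit 1
#   openssl req -engine pkcs11 -new -key "$URL" -keyform engine -x509 -subj "/CN=$USER" -out "$HOME/req.pem"
#   openssl x509 -engine pkcs11 -signkey "$URL" -keyform engine -in "$HOME/req.pem" -out "$HOME/signed"
#   install_authorized_cert "$HOME/signed" && rm -f "$HOME/req.pem" "$HOME/signed"
```

The duplicate check matters because every certificate in authorized_certificates is a valid login credential for that account; auditing the file is easiest when it holds exactly the certificates you intended to add.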
I'd like other auth than sudo to also use the smartcard. Let's see how well this works if I put this into common-auth, which is fraught with danger since that seems to make all sorts of messes. I add this line to the beginning of /etc/pam.d/common-auth.
You might need to use /lib/security/pam_p11.so if compiling from source. Make sure to use the appropriate location for your system. The default on Ubuntu 22.10 is /lib/x86_64-linux-gnu/security/pam_p11.so. The success=2 control means a successful smartcard auth skips the next two auth lines, so the number must match the lines that follow in your common-auth. Keep a root shell open in another session while testing, since a broken common-auth can lock you out of every login path at once.
#auth [success=2 default=ignore] /lib/security/pam_p11.so /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
auth [success=2 default=ignore] /lib/x86_64-linux-gnu/security/pam_p11.so /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
HOLY CRAP! EVERYTHING WORKS!!!
[Edit: this works in kubuntu 21.10 and 22.10. It did not work in 22.04 and also doesn't give any output in logs. :-( ]
Well, it worked in 22.10 until I restarted. At least it shows me a message 'Initializing PKCS#11 engine failed: (null)'. Seems like systemd is swallowing pcsc and sucking at it. The fix seems to be to manually enable pcscd.socket. I tried that on 22.04 but it didn't seem to help.
Was able to get this working in 24.04
sudo systemctl enable pcscd.socket
With and without the smartcard plugged in I can log in using:
OpenSSL
sddm
tty/console
sudo
Graphical sudo/admin
SDDM allows me to type either PIN or password without having to specify which. I noticed the graphical sudo prompts start out with 'password' but after a second they change the prompt to 'PIN'. Command line sudo and tty logins prompt for password or PIN as needed. If I want to type a password and not a PIN, I unplug the smartcard in those cases.