Poldi can be used with the Librem Key for sudo (and eventually other tasks), but I found libpam-p11 to work better.
sudo apt install libpam-poldi
The configuration files are in /etc/poldi. Add my user account and the Librem Key to the configuration, then add the key file for the smartcard.
ID=`gpg --card-status | grep 'Application ID' | awk -F: '{print $2;}' | tr -d ' '`
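# Run each step through sudo from the same shell: inside a "sudo su" shell
# $ID is unset and $USER is root, so the paths and owner would be wrong.
echo "$ID $USER" | sudo tee -a /etc/poldi/localdb/users
sudo touch "/etc/poldi/localdb/keys/$ID"
sudo chown "$USER" "/etc/poldi/localdb/keys/$ID"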
gpg-connect-agent "/datafile /etc/poldi/localdb/keys/$ID" "SCD READKEY --advanced OPENPGP.3" /bye
That last statement extracts the public key in a particular format and puts it into the poldi configs. If we use more than one key, this has to be run to make each public key available to poldi. The public key is the same for my two keys, so I just need the file duplicated using the key ID for each. I can also copy the file from some backups since I have set this up before.
To use the smartcard for sudo, I add this configuration to /etc/pam.d/sudo:
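A quick consistency check for the local database built above, as an added example that is not part of the original post or of poldi itself. The function name check_poldi_localdb is hypothetical; it assumes only the layout used on this page (a users file of "serial user" lines and one key file per serial) and that the OpenPGP application ID is 32 hex digits.

```shell
# Added example: sanity-check a poldi local database before relying on it
# for sudo. Assumes the layout used on this page: <dir>/users holds
# "<serial> <user>" lines and <dir>/keys/<serial> holds the card's public key.
# Returns the number of problems found (0 means every entry looks usable).
check_poldi_localdb() {
    dir=${1:-/etc/poldi/localdb}
    problems=0
    if [ ! -r "$dir/users" ]; then
        echo "cannot read $dir/users" >&2
        return 1
    fi
    while read -r serial user rest; do
        # Skip blank lines.
        [ -n "$serial" ] || continue
        # A line with one field is what an empty $ID would have produced.
        if [ -z "$user" ]; then
            echo "malformed entry (serial or user missing): $serial"
            problems=$((problems + 1))
            continue
        fi
        # OpenPGP application ID: 16 bytes, i.e. 32 hex digits.
        if ! printf '%s' "$serial" | grep -Eq '^[0-9A-Fa-f]{32}$'; then
            echo "serial for $user is not 32 hex digits: $serial"
            problems=$((problems + 1))
            continue
        fi
        # The key file must exist and be non-empty, otherwise READKEY
        # was never run (or failed) for this card.
        if [ ! -s "$dir/keys/$serial" ]; then
            echo "no public key stored for $user (card $serial)"
            problems=$((problems + 1))
        fi
    done < "$dir/users"
    return "$problems"
}
```

Run it as `check_poldi_localdb` (or pass another directory) after adding each card; a non-zero exit status means at least one listed card cannot authenticate yet.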
auth [success=2 default=ignore] pam_poldi.so
It seems that every time I do this the line goes into a different location. In this case I put this after the session lines and before the @include lines.
I have tried to enable the smartcard for other prompts such as console and GUI. Results have been mixed. Here is one attempt.
Add this line to /etc/pam.d/common-auth:
auth [success=2 default=ignore] pam_poldi.so
This trashes sddm logins, but the others work as long as I unplug the smartcard constantly to reset the lock. Each process seems to want to hold the card open and they cannot share the card.