After upgrading from Debian Bookworm to Trixie (xfce4), I am having several issues logging in with pam (poldi) + Nitrokey Pro2 and Nitrokey3Neo.
It works very well after I start the laptops for the first time.
If I use sudo after login, it won't work. It directly asks for the password and doesn't check any GPG cards.
gpg --card-status doesn't find any Nitrokey.
But pcsc_scan -r finds the readers.
After I add ~/.gnupg/scdaemon.conf with:
```
disable-ccid
pcsc-shared
```
it works... but only up to the next locked screen.
After I lock the screen:
1st device (Chromebook, Debian installed from scratch, upgraded from 12 to 13):
- the login screen comes on
- displays: "insert auth. card for user $test"
  * but doesn't register any Nitrokey
  => login with pam + Nitrokey is not possible
  => only a restart can solve this, up to the next locked screen

2nd device (Lenovo X1, Debian installed from scratch, upgraded from 12 to 13):
- the login screen comes on
- with a Nitrokey inserted before wakeup:
  => a different login screen comes on (seems to be a special login for smartcards with PIN)
  * displays: "insert auth. card for user $test"
  => login with pam + Nitrokey is possible
- without a Nitrokey inserted before wakeup:
  => a different login screen comes on and then switches to the "normal" login screen
  * displays: "insert auth. card for user $test"
  => login with pam + Nitrokey is not possible
  => only a restart can solve this, up to the next locked screen
  * after this failure, it is not possible for the laptop to know any Nitrokey and not possible to login
  => sometimes the smartcard login screen comes on if I switch between some sessions, try to login on a terminal and switch back during the failure
  => but it's not possible to enter the PIN
  => it only returns to the "normal" login screen after some seconds
Did anyone have the same issue and could solve it?

My configs, with the same results:

only Nitrokey

nano /etc/pam.d/common-auth
```
# Nitrokey auth
auth sufficient pam_poldi.so
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
```
multiple authentications, e.g. YubiKey or Nitrokey
```
# Nitrokey auth
auth sufficient pam_poldi.so
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
# yubikey auth
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
```
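As an added illustration (not code from the post, from Linux-PAM or from the Nitrokey project), here is a small Python model of how the second common-auth stack above is walked: it shows that the Nitrokey alone grants access, while the password route also has to pass pam_yubico. The control-flag semantics are simplified from Linux-PAM's (a module either succeeds or fails, never returns PAM_IGNORE on its own) and the module names are only labels.

```python
# Added illustration, not Linux-PAM code: a simplified model of how the
# auth stack "sufficient pam_poldi / [success=1 default=ignore] pam_unix /
# requisite pam_deny / required pam_yubico" is evaluated.
# Assumption: each module either succeeds (True) or fails (False);
# nothing is really authenticated here.

# (control flag, module) in the order they appear in /etc/pam.d/common-auth
STACK_NITROKEY_OR_PASSWORD_PLUS_YUBIKEY = [
    ("sufficient", "pam_poldi.so"),
    ("success=1 default=ignore", "pam_unix.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_yubico.so"),
]


def run_stack(stack, results):
    """Return True if PAM would grant the auth request.

    results: dict module name -> True (PAM_SUCCESS) or False (failure).
    'impression' mirrors Linux-PAM's bookkeeping: None until a module has
    set a result, True while the stack looks good, False once a 'required'
    module failed (then 'sufficient' can no longer short-circuit).
    """
    impression = None
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ok = results.get(module, False)   # absent modules (pam_deny) fail
        if control == "required":
            if ok and impression is None:
                impression = True
            elif not ok:
                impression = False        # remembered, but keep going
        elif control == "requisite":
            if not ok:
                return False              # fail immediately (pam_deny)
            if impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return True               # Nitrokey alone is enough
        elif control.startswith("success="):
            # "[success=N default=ignore]": on success jump over the next
            # N modules (here: over pam_deny); on failure do nothing.
            if ok:
                if impression is None:
                    impression = True
                i += int(control.split()[0].split("=")[1])
        i += 1
    # Linux-PAM denies when no module ever set a result.
    return impression is True
```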
scdaemon.conf
```
cat <<EOF > ~/.gnupg/scdaemon.conf
disable-ccid
pcsc-shared
EOF
```
udev rules are the same as in
https://raw.githubusercontent.com/Nitrokey/nitrokey-udev-rules/main/41-nitrokey.rules