POLDI-PAM with ECC


#1

I’m using a Nitrokey2 and have set it with gnupg for curve nistp384. Command line encryption and signing works. Authentication using pam_poldi.so does not.

The command line login shows:

Insert authentication card for user john' Trying authentication as userjohn’…
scdaemon[3695]: DBG: asking for PIN '||Please unlock the card%0A%0ANumber: 0005 00006E5E%0AHolder: ’
Please unlock the card

Number: 0005 00006E5E
Holder:
scdaemon[3695]: scdaemon (GnuPG) 2.2.11 stopped

The log file contains:

Poldi 2018-12-11 14:10:53 [3690] debug: using authentication method localdb' Poldi 2018-12-11 14:10:53 [3690] debug: spawned a new scdaemon (path: '/usr/lib/gnupg/scdaemon') Poldi 2018-12-11 14:10:55 [3690] debug: Waiting for card for userjohn’…
Poldi 2018-12-11 14:10:56 [3690] debug: connected to card; serial number is: D276000124010303000500006E5E0000
Poldi 2018-12-11 14:10:56 [3690] debug: Trying authentication as user `john’…
Poldi 2018-12-11 14:11:06 [3690] error: failed to verify challenge
Poldi 2018-12-11 14:11:06 [3690] error: authentication failed: General error

Some web searching showed a comment about this problem being caused by keyfile format. I have:

$ sudo cat /etc/poldi/localdb/keys/D276000124010303000500006E5E0000
Serial number: D276000124010303000500006E5E0000
Signing key fingerprint: AUTHFP
Key:
(public-key
(ecc
(curve “NIST P-384”)
(q #041153E71D2250E5A6D104867C8608514AEE5DDBA6A9920CE7F9732DF9F67F8F10E32DD54D8DB9DF6A0AF3FDBB659C0DBD52B31319C384187457A801F691B9D9CF78B84E90BB8FD328086F189F610809B5877FD7A74515ED59E6F37DF3CF007344#)
)
)

The users file has:

D276000124010303000500006E5E0000 john


#2

I wouldn’t be too surprised if poldi does not know how to work with ECC yet. Actually, as poldi isn’t that actively developed I doubt any ECC support.