My goal is to log into my Arch Linux computer by authenticating with my Nitrokey Pro. I followed the docs, but when I test the setup with pam-test-poldi -u digital it does not work. The program waits for input at the "Holder: digital" line and the typed characters are not visible; however, after I press Enter the prompt just repeats. Even if I enter an incorrect user PIN, the PIN retry counter on the Nitrokey does not change. I can quit the program by pressing Ctrl-C. It looks like this:
```
$ pam-test-poldi -u digital login
scdaemon[3115]: detected reader 'Nitrokey Nitrokey Pro (00000000000000000000864A) 00 00'
scdaemon[3115]: detected reader ''
Waiting for card for user `digital'...
Trying authentication as user `digital'...
scdaemon[3115]: DBG: asking for PIN '||Please unlock the card%0A%0ANumber: 0005 0000864A%0AHolder: digital '
Please unlock the card
Number: 0005 0000864A
Holder: digital
Please unlock the card
Number: 0005 0000864A
Holder: digital
Please unlock the card
Number: 0005 0000864A
Holder: digital
Please unlock the card
Number: 0005 0000864A
Holder: digital
Please unlock the card
Number: 0005 0000864A
Holder: digital scdaemon[3115]: PIN callback returned error: End of file
scdaemon[3115]: app_sign failed: End of file
scdaemon[3115]: Assuan processing failed: Broken pipe
scdaemon[3115]: SIGINT received - immediate shutdown
scdaemon[3115]: scdaemon (GnuPG) 2.2.15 stopped
```
Here is more information:

```
$ gpg2 --card-status
Reader ...........: Nitrokey Nitrokey Pro (00000000000000000000864A) 00 00
Application ID ...: D27600012401030300050000864A0000
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 0000864A
Name of cardholder: digital
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 25
KDF setting ......: on
Signature key ....: 5C51 FB00 5CC3 28B9 E250 7E65 7899 DEC3 D585 EDAE
      created ....: 2019-05-13 13:27:27
Encryption key....: 10A0 3F63 FA81 F0C9 0743 D26A 323E 9731 EA08 5EA2
      created ....: 2019-05-13 13:28:03
Authentication key: F848 A723 115A 4D93 C058 CF50 FFF4 3613 8186 25A9
      created ....: 2019-05-13 13:28:39
General key info..: sub rsa4096/7899DEC3D585EDAE 2019-05-13 digital <digital@dinid.net>
sec#  rsa4096/A0B8D7B3488EFED6  created: 2019-05-13  expires: never
ssb>  rsa4096/7899DEC3D585EDAE  created: 2019-05-13  expires: 2021-05-12
                                card-no: 0005 0000864A
ssb>  rsa4096/323E9731EA085EA2  created: 2019-05-13  expires: 2021-05-12
                                card-no: 0005 0000864A
ssb>  rsa4096/FFF43613818625A9  created: 2019-05-13  expires: 2021-05-12
                                card-no: 0005 0000864A
```

```
$ cat /etc/poldi/localdb/users
D27600012401030300050000864A0000 digital
```

```
$ cat /etc/poldi/localdb/keys/D27600012401030300050000864A0000
(public-key
 (rsa
  (n #00BC6CECC90DA5F329D215FDBF595C1A920374BD172271F394E138FE99C4E995A7ED536A8D79175C4C65D39071955779C181D85E5A86D9BCAE86BE11A742FD856FEB351
2C23911F932098165CDBD3FF0658C288FCC51BC9FF9BFD84E67AB83C3CAF508EC0B5CDC83179B2A781C0CA15A3BA9CF321F4ABD7E8DE234324536258D62D61AE0BF47C25BD776
02B4D0F107F653B706273C01856B885D27CD57F283BA75EC3AAE5BBB98BC393BCA7D605199070C339DCB4DD8D292160102841B9FCA4F26DED33E112B76BAA042BBD6F7E501E44
C020521E92BDD45B9BCC30A7FF840663C90E3C06C5EBA45BDF7A1046330A8ADF07CE8AFF141DD5B518F1915EEBF6527DEAD9F292FC16F6AE74E7CA275991487CAAF0575B594ED
00AF542B60892AA7A727AC77B566E454F6D19CA2D0614251ADB81685308104A297E7353F7489BC1CCADE673C04F1C344562B8514E395E06220595420EBFE5AD9EE11D92E29597
1A5D0D37E971A70828B8321914454B0890D824C1B69DA65CDF6CD15271E6143198E5816B3E22118854409B5898F5D0114CF4D58DA71F6630F87560042B1D863BA18EAAC2792A3
EA1CC696FDDB79F391ADFA3F04EAC97B851203C61898048CE1DEE1221CB1838358B98EE61FB84BB09AE8022C0AA618E95877FBE0EFD58F3E16BC25FCDDD799B089DC6785DCAF3
9B70F2C3EE1EAD7D1B5390F495D292EB25B32315B5C31#)
  (e #010001#)
 )
)
```

```
$ cat /etc/pam.d/login
#%PAM-1.0
auth      sufficient pam_poldi.so
auth      required   pam_securetty.so
auth      requisite  pam_nologin.so
auth      include    system-local-login
account   include    system-local-login
session   include    system-local-login
```
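A consistency check for the poldi localdb layout shown in the post, added here as an example (it is not code from poldi or the Nitrokey docs): it takes the Application ID from `gpg2 --card-status` output, confirms the `users` file maps that ID to the expected login name, and confirms a matching RSA public-key S-expression exists under `keys/`. The card-status text, users file and key file below are constructed to mirror the post, and a temporary directory stands in for /etc/poldi/localdb.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample inputs that mirror the post; not the poster's real files.
CARD_STATUS = """Application ID ...: D27600012401030300050000864A0000
Name of cardholder: digital
"""
USERS_FILE = "D27600012401030300050000864A0000 digital\n"
KEY_FILE = "(public-key\n (rsa\n  (n #00BC6CEC\n    C90DA5#)\n  (e #010001#)\n )\n)\n"

def card_app_id(status_text):
    """Pull the Application ID out of `gpg2 --card-status` output (None if absent)."""
    m = re.search(r"^Application ID \.*: *([0-9A-Fa-f]+)\s*$", status_text, re.M)
    return m.group(1).upper() if m else None

def parse_users(text):
    """poldi localdb users file: one 'APPID username' pair per non-comment line."""
    rows = [l.split(None, 1) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    return [(app_id.upper(), user.strip()) for app_id, user in rows]

def key_file_ok(text):
    """True if the file is a (public-key (rsa ...)) S-expression carrying n and e.
    The hex blob may be wrapped over several lines, as in the post."""
    return (text.lstrip().startswith("(public-key") and "(rsa" in text
            and re.search(r"\(n #[0-9A-Fa-f\s]+#\)", text) is not None
            and re.search(r"\(e #[0-9A-Fa-f\s]+#\)", text) is not None)

def check_poldi_user(localdb, status_text, user):
    """Return a list of problems for `user`; an empty list means the mapping is consistent."""
    app_id = card_app_id(status_text)
    if app_id is None:
        return ["could not read Application ID from card status"]
    problems = []
    if (app_id, user) not in parse_users((localdb / "users").read_text()):
        problems.append(f"{app_id} is not mapped to {user} in users file")
    key_path = localdb / "keys" / app_id
    if not key_path.is_file():
        problems.append(f"missing key file {key_path}")
    elif not key_file_ok(key_path.read_text()):
        problems.append(f"malformed public key in {key_path}")
    return problems

def build_sample_localdb():
    """Write the constructed sample files into a temp dir laid out like /etc/poldi/localdb."""
    root = Path(tempfile.mkdtemp())
    (root / "keys").mkdir()
    (root / "users").write_text(USERS_FILE)
    (root / "keys" / "D27600012401030300050000864A0000").write_text(KEY_FILE)
    return root
```

To run it against a real setup, pass `Path("/etc/poldi/localdb")` and the captured output of `gpg2 --card-status` to `check_poldi_user`.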