Problems using Nitrokey Pro for Linux pam authentication

My goal is to log into my Arch Linux computer by authenticating with my Nitrokey Pro. I followed the docs, but when I test the setup with pam-test-poldi -u digital it does not work. The program waits for input at the “Holder: digital” line and the typed characters are not visible; however, after I press Enter the prompt just repeats. Even if I enter an incorrect user PIN, the PIN retry counter on the Nitrokey does not change. I can quit the program by pressing Ctrl-C. It looks like this:

$ pam-test-poldi -u digital login
scdaemon[3115]: detected reader 'Nitrokey Nitrokey Pro (00000000000000000000864A) 00 00'
scdaemon[3115]: detected reader ''
Waiting for card for user `digital'...
Trying authentication as user `digital'...
scdaemon[3115]: DBG: asking for PIN '||Please unlock the card%0A%0ANumber: 0005 0000864A%0AHolder: digital '
Please unlock the card

Number: 0005 0000864A
Holder: digital
Please unlock the card

Number: 0005 0000864A
Holder: digital
Please unlock the card

Number: 0005 0000864A
Holder: digital
Please unlock the card

Number: 0005 0000864A
Holder: digital
Please unlock the card

Number: 0005 0000864A
Holder: digital scdaemon[3115]: PIN callback returned error: End of file
scdaemon[3115]: app_sign failed: End of file
scdaemon[3115]: Assuan processing failed: Broken pipe
scdaemon[3115]: SIGINT received - immediate shutdown
scdaemon[3115]: scdaemon (GnuPG) 2.2.15 stopped

Here is more information:

$ gpg2 --card-status
Reader ...........: Nitrokey Nitrokey Pro (00000000000000000000864A) 00 00
Application ID ...: D27600012401030300050000864A0000
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 0000864A
Name of cardholder: digital
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 25
KDF setting ......: on
Signature key ....: 5C51 FB00 5CC3 28B9 E250  7E65 7899 DEC3 D585 EDAE
      created ....: 2019-05-13 13:27:27
Encryption key....: 10A0 3F63 FA81 F0C9 0743  D26A 323E 9731 EA08 5EA2
      created ....: 2019-05-13 13:28:03
Authentication key: F848 A723 115A 4D93 C058  CF50 FFF4 3613 8186 25A9
      created ....: 2019-05-13 13:28:39
General key info..: sub  rsa4096/7899DEC3D585EDAE 2019-05-13 digital <digital@dinid.net>
sec#  rsa4096/A0B8D7B3488EFED6  created: 2019-05-13  expires: never
ssb>  rsa4096/7899DEC3D585EDAE  created: 2019-05-13  expires: 2021-05-12
                                card-no: 0005 0000864A
ssb>  rsa4096/323E9731EA085EA2  created: 2019-05-13  expires: 2021-05-12
                                card-no: 0005 0000864A
ssb>  rsa4096/FFF43613818625A9  created: 2019-05-13  expires: 2021-05-12
                                card-no: 0005 0000864A
$ cat /etc/poldi/localdb/users
D27600012401030300050000864A0000 digital
$ cat /etc/poldi/localdb/keys/D27600012401030300050000864A0000
(public-key
 (rsa
  (n #00BC6CECC90DA5F329D215FDBF595C1A920374BD172271F394E138FE99C4E995A7ED536A8D79175C4C65D39071955779C181D85E5A86D9BCAE86BE11A742FD856FEB351
2C23911F932098165CDBD3FF0658C288FCC51BC9FF9BFD84E67AB83C3CAF508EC0B5CDC83179B2A781C0CA15A3BA9CF321F4ABD7E8DE234324536258D62D61AE0BF47C25BD776
02B4D0F107F653B706273C01856B885D27CD57F283BA75EC3AAE5BBB98BC393BCA7D605199070C339DCB4DD8D292160102841B9FCA4F26DED33E112B76BAA042BBD6F7E501E44
C020521E92BDD45B9BCC30A7FF840663C90E3C06C5EBA45BDF7A1046330A8ADF07CE8AFF141DD5B518F1915EEBF6527DEAD9F292FC16F6AE74E7CA275991487CAAF0575B594ED
00AF542B60892AA7A727AC77B566E454F6D19CA2D0614251ADB81685308104A297E7353F7489BC1CCADE673C04F1C344562B8514E395E06220595420EBFE5AD9EE11D92E29597
1A5D0D37E971A70828B8321914454B0890D824C1B69DA65CDF6CD15271E6143198E5816B3E22118854409B5898F5D0114CF4D58DA71F6630F87560042B1D863BA18EAAC2792A3
EA1CC696FDDB79F391ADFA3F04EAC97B851203C61898048CE1DEE1221CB1838358B98EE61FB84BB09AE8022C0AA618E95877FBE0EFD58F3E16BC25FCDDD799B089DC6785DCAF3
9B70F2C3EE1EAD7D1B5390F495D292EB25B32315B5C31#)
  (e #010001#)
  )
 )
$ cat /etc/pam.d/login
#%PAM-1.0

auth sufficient pam_poldi.so
auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
account    include      system-local-login
session    include      system-local-login

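The post above shows `gpg2 --card-status` and the Poldi localdb mapping side by side. As an added example (not the poster's code and not part of Poldi), this Python snippet parses both, cross-checks the Application ID, the serial number it encodes and the user PIN retry counter, and flags the mismatches an operator would rule out before looking at PAM itself. The sample inputs are constructed from the output shown above.

```python
import re

# Constructed sample of the poster's `gpg2 --card-status`, trimmed to the fields checked here.
CARD_STATUS = """\
Application ID ...: D27600012401030300050000864A0000
Serial number ....: 0000864A
Name of cardholder: digital
PIN retry counter : 3 0 3
Authentication key: F848 A723 115A 4D93 C058  CF50 FFF4 3613 8186 25A9
"""

# Constructed copy of the poster's /etc/poldi/localdb/users ("<Application ID> <unix user>").
POLDI_USERS = "D27600012401030300050000864A0000 digital\n"


def parse_card_status(text):
    """Map each 'Label ....: value' line of --card-status to label -> value."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*\.*\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def card_serial(application_id):
    """OpenPGP card AID layout: RID(5) 01 version(2) manufacturer(2) serial(4) RFU(2)."""
    return application_id[20:28]


def check_poldi_mapping(card_status, users_text, unix_user):
    """Return a list of findings; an empty list means card and localdb agree."""
    card = parse_card_status(card_status)
    aid = card.get("Application ID", "")
    mapping = {}
    for line in users_text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            mapping[parts[0]] = parts[1]
    findings = []
    if mapping.get(aid) != unix_user:
        findings.append(f"{aid} is not mapped to {unix_user} in localdb/users")
    if card_serial(aid) != card.get("Serial number"):
        findings.append("serial number does not match the Application ID")
    retries = card.get("PIN retry counter", "").split()
    if not retries or retries[0] == "0":
        findings.append("user PIN is blocked (retry counter 0); PAM cannot succeed")
    if card.get("Authentication key", "[none]") == "[none]":
        findings.append("no authentication key on card; Poldi needs it to sign")
    return findings
```

The first field of the retry counter is the user PIN, which is the one Poldi asks for; the reset code and admin PIN follow it.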
Hey,

as far as I can tell, the ‘login’ part is looking for /usr/lib/gnupg2, which just does not exist on Arch (as Arch is super cool and always has the newest stuff :heart_eyes:). You can do the following to get it working:

ln -s /usr/lib/gnupg /usr/lib/gnupg2

Or you file an issue against the corresponding package in Arch and ask for the link to be set by default, as they do for /usr/bin/gpg2.

Having this set, putting in the correct PIN should work. You still do not get any feedback when typing though.

Kind regards
Alex


That sounds good, but it doesn’t seem to change anything.

digital@love ~
$ file /usr/lib/gnupg2
/usr/lib/gnupg2: symbolic link to /usr/lib/gnupg
digital@love ~
$ ls -l /usr/lib/gnupg2/
total 1112
-rwxr-xr-x 1 root root  84504 Mar 26 21:02 dirmngr_ldap*
-rwxr-xr-x 1 root root 108760 Mar 26 21:02 gpg-check-pattern*
-rwxr-xr-x 1 root root  84216 Mar 26 21:02 gpg-preset-passphrase*
-rwxr-xr-x 1 root root 199384 Mar 26 21:02 gpg-protect-tool*
-rwxr-xr-x 1 root root 215896 Mar 26 21:02 gpg-wks-client*
-rwxr-xr-x 1 root root 438088 Mar 26 21:02 scdaemon*

Can you try logging in on a TTY? I saw some error messages there, which is how I was able to find out the issue for me. You may also check whether you have pinentry installed (might be necessary).

The same happens on a tty.

digital@love ~
$ pacman -Qs pinentry
local/pinentry 1.1.0-4
    Collection of simple PIN or passphrase entry dialogs which utilize the Assuan protocol
digital@love ~
$ pacman -Ql pinentry
pinentry /usr/
pinentry /usr/bin/
pinentry /usr/bin/pinentry
pinentry /usr/bin/pinentry-curses
pinentry /usr/bin/pinentry-emacs
pinentry /usr/bin/pinentry-gnome3
pinentry /usr/bin/pinentry-gtk-2
pinentry /usr/bin/pinentry-qt
pinentry /usr/bin/pinentry-tty
pinentry /usr/share/
pinentry /usr/share/info/
pinentry /usr/share/info/pinentry.info.gz

I am not sure what the problem is here. But at least I get a different output than you:

nitrokey@nitrokey-arch ~$ pam-test-poldi -u nitrokey login
Insert authentication card for user `nitrokey'
Trying authentication as user `nitrokey'...
Please unlock the card

Number: <serial>
Holder: <name>

You are right that I do not see what I type in and that the prompt is odd (as it just holds after the name). But besides that it works fine and I do not get any scdaemon output.

I use this configuration; somehow I feel like it could be connected, but I cannot tell for sure.

Ah, it works for you, that is good to know.

I already have that configuration in place:

$ cat ~/.gnupg/scdaemon.conf
pcsc-driver /usr/lib/libpcsclite.so
card-timeout 

Hm, so you think for some reason PAM doesn’t use pcscd but instead launches scdaemon?

I just realized the pcscd systemd service wasn’t enabled. Oops!
After enabling and starting the service, I still see scdaemon messages when trying to log in.

Hi @digital!

Have you managed to set things up?

No, I have not and I’m still looking for help.

I am sorry for my late response, life is stressful currently.

Hi @digital

I am a bit out of ideas here currently. I definitely can confirm that it works generally (as I have the same system and have it working here), but I can’t tell what is going wrong for you :thinking:

You may post the content of ~/.gnupg/scdaemon.conf and ~/.gnupg/gpg-agent.conf

Kind regards
Alex

$ cat ~/.gnupg/scdaemon.conf
pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5
disable-ccid

$ cat ~/.gnupg/gpg-agent.conf

# 32 minutes
default-cache-ttl 1920
# 128 minutes
max-cache-ttl 7680

enable-ssh-support

pinentry-timeout 32

# PIN entry program
# pinentry-program /usr/bin/pinentry-gtk-2
# pinentry-program /usr/bin/pinentry-gnome3
# pinentry-program /usr/bin/pinentry-qt
# pinentry-program /usr/bin/pinentry-curses
# pinentry-program /usr/bin/pinentry-kwallet

pinentry-program /usr/bin/pinentry-curses
pinentry-program /usr/bin/pinentry-tty

Hey,

I have compared with mine. Two notes

  • Actually, I realized that I did not use the libpcsclite.so option, other than I stated above iirc. Sorry for that! So I do not have the lines pcsc-driver... and disable-ccid. You may try without. Again, I am sorry for the confusion.
  • I did not and need not define a pinentry-program. So you may comment out this line too and try again.

I hope this helps! :fist:

Kind regards
Alex