Problems using Nitrokey Pro for Linux pam authentication


My goal is to log into my Arch Linux computer by authenticating with my Nitrokey Pro. I followed the docs, but when I test the setup with pam-test-poldi -u digital it does not work. The program waits for input at the “Holder: digital” line and the typed characters are not visible; however, after I press enter the prompt just repeats. Even if I enter an incorrect user PIN, the PIN retry counter on the Nitrokey does not change. I can quit the program by pressing Ctrl-C. It looks like this:

$ pam-test-poldi -u digital login
scdaemon[3115]: detected reader 'Nitrokey Nitrokey Pro (00000000000000000000864A) 00 00'
scdaemon[3115]: detected reader ''
Waiting for card for user `digital'...
Trying authentication as user `digital'...
scdaemon[3115]: DBG: asking for PIN '||Please unlock the card%0A%0ANumber: 0005 0000864A%0AHolder: digital '
Please unlock the card

Number: 0005 0000864A
Holder: digital
Please unlock the card

Number: 0005 0000864A
Holder: digital
Please unlock the card

Number: 0005 0000864A
Holder: digital
Please unlock the card

Number: 0005 0000864A
Holder: digital
Please unlock the card

Number: 0005 0000864A
Holder: digital scdaemon[3115]: PIN callback returned error: End of file
scdaemon[3115]: app_sign failed: End of file
scdaemon[3115]: Assuan processing failed: Broken pipe
scdaemon[3115]: SIGINT received - immediate shutdown
scdaemon[3115]: scdaemon (GnuPG) 2.2.15 stopped

Here is more information:

$ gpg2 --card-status
Reader ...........: Nitrokey Nitrokey Pro (00000000000000000000864A) 00 00
Application ID ...: D27600012401030300050000864A0000
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 0000864A
Name of cardholder: digital
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 25
KDF setting ......: on
Signature key ....: 5C51 FB00 5CC3 28B9 E250  7E65 7899 DEC3 D585 EDAE
      created ....: 2019-05-13 13:27:27
Encryption key....: 10A0 3F63 FA81 F0C9 0743  D26A 323E 9731 EA08 5EA2
      created ....: 2019-05-13 13:28:03
Authentication key: F848 A723 115A 4D93 C058  CF50 FFF4 3613 8186 25A9
      created ....: 2019-05-13 13:28:39
General key info..: sub  rsa4096/7899DEC3D585EDAE 2019-05-13 digital <>
sec#  rsa4096/A0B8D7B3488EFED6  created: 2019-05-13  expires: never
ssb>  rsa4096/7899DEC3D585EDAE  created: 2019-05-13  expires: 2021-05-12
                                card-no: 0005 0000864A
ssb>  rsa4096/323E9731EA085EA2  created: 2019-05-13  expires: 2021-05-12
                                card-no: 0005 0000864A
ssb>  rsa4096/FFF43613818625A9  created: 2019-05-13  expires: 2021-05-12
                                card-no: 0005 0000864A
$ cat /etc/poldi/localdb/users
D27600012401030300050000864A0000 digital
$ cat /etc/poldi/localdb/keys/D27600012401030300050000864A0000
  (n #00BC6CECC90DA5F329D215FDBF595C1A920374BD172271F394E138FE99C4E995A7ED536A8D79175C4C65D39071955779C181D85E5A86D9BCAE86BE11A742FD856FEB351
  (e #010001#)
$ cat /etc/pam.d/login

auth sufficient
auth       required
auth       requisite
auth       include      system-local-login
account    include      system-local-login
session    include      system-local-login



As far as I can tell, the ‘login’ part is looking for /usr/lib/gnupg2, which just does not exist on Arch (as Arch is super cool and always has the newest stuff :heart_eyes:). You can do the following to get it working:

ln -s /usr/lib/gnupg /usr/lib/gnupg2

Or you can file an issue against the corresponding Arch package and ask for the link to be set by default, as they do for /usr/bin/gpg2.

With this in place, entering the correct PIN should work. You still do not get any feedback while typing, though.

Kind regards
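An added diagnostic script (not from this thread or from the Poldi project) that checks the pieces discussed above in one go: the /usr/lib/gnupg2 link that Poldi expects on Arch, a pinentry binary, and a localdb mapping from the card's Application ID to the user with a matching key file. The PREFIX argument is an assumption for offline use; pass an empty string on a real host to check the live filesystem.

```shell
# Usage: check_poldi_setup PREFIX APPID USER
# Returns 0 when every prerequisite is present, 1 otherwise, printing
# one MISSING line per problem so the admin knows what to fix.
check_poldi_setup() {
    prefix=$1; appid=$2; user=$3; rc=0
    # Poldi looks for scdaemon under /usr/lib/gnupg2; on Arch that path
    # only exists if the symlink to /usr/lib/gnupg has been created.
    if [ ! -e "$prefix/usr/lib/gnupg2/scdaemon" ]; then
        echo "MISSING: $prefix/usr/lib/gnupg2/scdaemon (ln -s /usr/lib/gnupg /usr/lib/gnupg2)"
        rc=1
    fi
    if [ ! -x "$prefix/usr/bin/pinentry" ]; then
        echo "MISSING: $prefix/usr/bin/pinentry (install pinentry)"
        rc=1
    fi
    # localdb/users maps the card's Application ID to the login name.
    users="$prefix/etc/poldi/localdb/users"
    if ! grep -q "^$appid[[:space:]][[:space:]]*$user\$" "$users" 2>/dev/null; then
        echo "MISSING: line '$appid $user' in $users"
        rc=1
    fi
    # The public key for that Application ID must exist and be non-empty.
    if [ ! -s "$prefix/etc/poldi/localdb/keys/$appid" ]; then
        echo "MISSING: key file $prefix/etc/poldi/localdb/keys/$appid"
        rc=1
    fi
    return $rc
}

# Constructed fixture (hypothetical, for offline testing only): builds a
# temporary tree mirroring the layout shown in the thread and prints its path.
build_constructed_root() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/gnupg" "$root/usr/bin" "$root/etc/poldi/localdb/keys"
    : > "$root/usr/lib/gnupg/scdaemon"
    ln -s "$root/usr/lib/gnupg" "$root/usr/lib/gnupg2"
    : > "$root/usr/bin/pinentry"
    chmod +x "$root/usr/bin/pinentry"
    echo "D27600012401030300050000864A0000 digital" > "$root/etc/poldi/localdb/users"
    echo "(e #010001#)" > "$root/etc/poldi/localdb/keys/D27600012401030300050000864A0000"
    echo "$root"
}
```

On a real host run `check_poldi_setup "" "$(gpg2 --card-status | sed -n 's/^Application ID ...: //p')" "$USER"` to check the live layout.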


That sounds good, but it doesn’t seem to change anything.

digital@love ~
$ file /usr/lib/gnupg2
/usr/lib/gnupg2: symbolic link to /usr/lib/gnupg
digital@love ~
$ ls -l /usr/lib/gnupg2/
total 1112
-rwxr-xr-x 1 root root  84504 Mar 26 21:02 dirmngr_ldap*
-rwxr-xr-x 1 root root 108760 Mar 26 21:02 gpg-check-pattern*
-rwxr-xr-x 1 root root  84216 Mar 26 21:02 gpg-preset-passphrase*
-rwxr-xr-x 1 root root 199384 Mar 26 21:02 gpg-protect-tool*
-rwxr-xr-x 1 root root 215896 Mar 26 21:02 gpg-wks-client*
-rwxr-xr-x 1 root root 438088 Mar 26 21:02 scdaemon*


Can you try logging in on a TTY? I saw some error messages there, which is how I was able to find the issue in my case. You may also check whether you have pinentry installed (it might be necessary).


The same happens on a tty.

digital@love ~
$ pacman -Qs pinentry
local/pinentry 1.1.0-4
    Collection of simple PIN or passphrase entry dialogs which utilize the Assuan protocol
digital@love ~
$ pacman -Ql pinentry
pinentry /usr/
pinentry /usr/bin/
pinentry /usr/bin/pinentry
pinentry /usr/bin/pinentry-curses
pinentry /usr/bin/pinentry-emacs
pinentry /usr/bin/pinentry-gnome3
pinentry /usr/bin/pinentry-gtk-2
pinentry /usr/bin/pinentry-qt
pinentry /usr/bin/pinentry-tty
pinentry /usr/share/
pinentry /usr/share/info/
pinentry /usr/share/info/


I am not sure what the problem is here. But at least I get a different output than you:

nitrokey@nitrokey-arch ~$ pam-test-poldi -u nitrokey login
Insert authentication card for user `nitrokey'
Trying authentication as user `nitrokey'...
Please unlock the card

Number: <serial>
Holder: <name>

You are right that I do not see what I type in and that the prompt is odd (it just holds after the name). But besides that it works fine, and I do not get any scdaemon output.

I use this configuration; somehow I feel like it could be connected, but I cannot tell for sure.


Ah, it works for you, that is good to know.

I already have that configuration in place:

$ cat ~/.gnupg/scdaemon.conf
pcsc-driver /usr/lib/

Hm, so you think that for some reason PAM doesn’t use pcscd but instead launches scdaemon?

I just realized the pcscd systemd service wasn’t enabled. Oops!
After enabling and starting the service, I still see scdaemon messages when trying to log in.