Unable to use Nitrokey Pro as device for Ubuntu login

Hey guys,
I am using Nitrokey Pro for a long time now for smartcard logon on Win10, PGP mail encryption and as a password safe.
I switched from Win10 to Ubuntu recently and wanted to set up smartcard login for Ubuntu, meaning that I provide my Nitrokey and a PIN instead of my complex password.
I followed this article: Nitrokey Documentation

In general, it worked fine.
gpg --card-status | grep Application shows this output:

Application ID …: D27600012401030300050000xxxxxxxx
Application type .: OpenPGP

I then added the AppID to /etc/poldi/localdb/users as described.

But executing the command “sudo sh -c 'gpg-connect-agent "/datafile /etc/poldi/localdb/keys/D27600012401030300050000xxxxxxxx" "SCD READKEY --advanced OPENPGP.3" /bye'” throws this error:

ERR 100696144 No such device

In the article it says that you can try “poldi-ctrl -k > ; sudo mv /etc/poldi/localdb/keys” instead, but since the developer of poldi decided not to support this command anymore, it is not available.

Now I am stuck - can anyone help, or did anyone have the same issues and a workaround?
Thanks in advance!
Haui

No one?
Maybe a statement from official Nitrokey support?

Hi!
Can you try with the pcscd service stopped? It may lock the smart card access. The command is:

sudo systemctl stop pcscd pcscd.socket

Thanks for the reply.
Tried that, same result.

A user-started scdaemon can lock the smart card too, so one might not have access through sudo here as well. Since 2.3.0, GnuPG has been sharing the connection with pcscd (or actually proxying it through), and such problems should not occur anymore.

  1. Can you check your GnuPG version? Can you upgrade it?

  2. Can you try to run it without sudo? E.g. something like:

    gpg-connect-agent "LEARN --sendinfo"
    

    For me this works without sudo, and fails otherwise.

In the login screen access errors probably will not happen, as the user environment is not started yet, though I have not tested this with my current setup.

gpg (GnuPG) 2.2.19
libgcrypt 1.8.5

But well, without sudo it seemed to work or - better said - another error message appears.
Now it says: ERR 100663305 No public key

Ideas?

The keyrings are separate for each user, meaning the public key has to be installed for each of them.
I would expect though you have it already - have you generated the key on the root account?

Anyway, my understanding is that once you get the ID for the poldi, you will have it working finally. That seems to leave us with:

  1. Importing the public key to the user account
  2. Running sh -c 'gpg-connect-agent "/datafile /etc/poldi/localdb/keys/D27600012401030300050000xxxxxxxx" "SCD READKEY --advanced OPENPGP.3" /bye'
  3. Following further steps as in article: configure PAM, etc.

Ok, finally it worked now.
The issue (from my point of view) was that I initially created the poldi datafile with sudo.
From that point on, the key was bound to sudo, not my regular user.

I deleted the poldi datafile (/etc/poldi/localdb/keys/D2…) and gave my regular user owner rights for this directory. I then executed the command without sudo, which worked.

After configuring PAM the smartcard gets recognized and after providing the PIN login works fine.
Thanks for your help, the tip with/without sudo did it :wink:
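The sudo/ownership pitfall this thread ends on, and the two "ERR" numbers it went through, as a set of shell helpers. This is an added example, not code from the thread or from the Nitrokey documentation; the only values taken from the thread are the poldi keys directory and the two error numbers, everything else (function names, the constructed card-status sample) is an assumption.

```shell
#!/bin/sh
# Added example: helpers for the poldi key-export step discussed in the thread.
# Assumed: the default poldi layout from the thread, a POSIX sh with $(( ))
# arithmetic, and GNU/BSD sed.
POLDI_KEYS_DIR="/etc/poldi/localdb/keys"

# Pull the 32-hex-digit OpenPGP Application ID out of `gpg --card-status`
# output read from stdin (the thread greps the same line by hand).
card_appid() {
    sed -n 's/^Application ID[ .:]*\([0-9A-Fa-f]\{32\}\).*/\1/p' | head -n 1
}

# Path that the "/datafile" redirection in the thread's gpg-connect-agent
# command writes the card's public key to.
poldi_datafile() {
    printf '%s/%s\n' "$POLDI_KEYS_DIR" "$1"
}

# libgpg-error packs an error as source (bits 24-30) and code (low 16 bits);
# "ERR 100663305" from gpg-connect-agent is such a packed value.
gpgerr_source() { echo $(( ($1 >> 24) & 127 )); }
gpgerr_code()   { echo $(( $1 & 65535 )); }

# Explain the two errors seen in the thread. Source 6 is scdaemon; code 9 is
# GPG_ERR_NO_PUBKEY; codes >= 32768 wrap an OS errno (the "No such device" case).
gpgerr_hint() {
    src=$(gpgerr_source "$1"); code=$(gpgerr_code "$1")
    [ "$src" -eq 6 ] || { echo "error from source $src, not scdaemon"; return 1; }
    if [ "$code" -eq 9 ]; then
        echo "no public key in this user's keyring: import it and run without sudo"
    elif [ "$code" -ge 32768 ]; then
        echo "OS-level device error: stop pcscd or a user-started scdaemon holding the card"
    else
        echo "scdaemon error code $code"
    fi
}

# Root cause in the thread: the datafile was created under sudo, so it belonged
# to root's GnuPG context. Refuse to proceed when that would happen again.
refuse_if_sudo() {
    if [ -n "$SUDO_USER" ] || [ "$(id -u)" -eq 0 ]; then
        echo "run this as your regular user, not via sudo or as root"; return 1
    fi
    return 0
}
```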