Unable to use Nitrokey Pro as device for Ubuntu login

Hey guys,
I am using Nitrokey Pro for a long time now for smartcard logon on Win10, PGP mail encryption and as a password safe.
I switched from Win10 to Ubuntu recently and wanted to set up smartcard login for Ubuntu, meaning that I provide my Nitrokey and a PIN instead of my complex password.
I followed this article: Applications | Nitrokey

In general, it worked fine.
gpg --card-status | grep Application shows this output:

Application ID …: D27600012401030300050000xxxxxxxx
Application type .: OpenPGP

I then added the AppID to /etc/poldi/localdb/users as described.

But executing the command “sudo sh -c ‘gpg-connect-agent “/datafile /etc/poldi/localdb/keys/D27600012401030300050000xxxxxxxx” “SCD READKEY --advanced OPENPGP.3” /bye’” throws this error:

ERR 100696144 No such device

In the article it says that you can try “poldi-ctrl -k > ; sudo mv /etc/poldi/localdb/keys” instead, but since the developer of poldi decided to don’t support this command anymore, it is not available.

Now I am stuck - can anyone help or did anyone had the same issues and a workaround?
Thanks in advance!

No one?
Maybe a statement from official Nitrokey support?

Can you try with the pcscd service stopped? It may lock the smart card access. The command is:

sudo systemctl stop pcscd pcscd.socket

Thanks for the reply.
Tried that, same result.

User started scdaemon can lock the smart card too, so one might not have access through sudo here as well. Since 2.3.0 GnuPG is sharing the connection with the pcscd (or actually proxing it through), and such problems should not occur anymore.

  1. Can you check your GnuPG version? Can you upgrade it?

  2. Can you try to run it without sudo? E.g. something like:

    gpg-connect-agent "LEARN --sendinfo"

    For me this works without sudo, and fails otherwise.

In the login screen access errors probably will not happen, as the user environment is not started yet, though I have not tested this with my current setup.

gpg (GnuPG) 2.2.19
libgcrypt 1.8.5

But well, without sudo it seemed to work or - better said - another error message appears.
Now it says: ERR 100663305 No public key


The keyrings are separate for each user, meaning the public key has to be installed for each of them.
I would expect though you have it already - have you generated the key on the root account?

Anyway, my understanding is that once you get the ID for the poldi, you will have it working finally. That seems to leave us with:

  1. Importing the public key to the user account
  2. Running sh -c ‘gpg-connect-agent “/datafile /etc/poldi/localdb/keys/D27600012401030300050000xxxxxxxx” “SCD READKEY --advanced OPENPGP.3” /bye’
  3. Following further steps as in article: configure PAM, etc.

Ok, finally it worked now.
The issue (from my point of view) was that I initially created the poldi datafile with sudo.
From that point on, the key was bound to sudo, not my regular user.

I deleted the poldi datafile (/etc/poldi/localdb/keys/D2…" and gave my regular user owner right for this dir. I then executed the command without sudo, which worked.

After configuring PAM the smartcard gets recognized and after providing the PIN login works fine.
Thanks for you help, the tip with/without sudo did it :wink: