OpenPGP smartcard with lightdm and truecrypt

Detlev Reymann detlev at reymann.eu
Sat Feb 1 17:58:23 CET 2014


Hello,

I recently bought an OpenPGP smartcard, version 2.0, and managed to use
it on two computers running Ubuntu 12.10 and Ubuntu 13.04.

After reading nearly all the information I found on the internet, it is
possible to use it for ssh, for gpg (in combination with thunderbird
and enigmail) and (partly) for login.

Two problems are left and it would be great to get some hints from the
community.

First problem is log-in with lightdm. I installed pam_poldi and
changed the file /etc/pam.d/lightdm to look like this:

-----/etc/pam.d/lightdm---------------
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
auth    sufficient      pam_poldi.so try-pin 123456
auth    required        pam_unix.so nullok_secure
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required        pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional        pam_gnome_keyring.so auto_start
@include common-password
--------------------------------------

The changes compared with the original file are the lines:
auth    sufficient      pam_poldi.so try-pin 123456 (not the real pin :-))
auth    required        pam_unix.so nullok_secure
instead of:
@include common-auth

I expected that lightdm would first try to read the smartcard and
possibly fall back to password login.

What happens instead is that, after a long while, it asks for the PIN
of the smartcard and then additionally for the password.

I do not find any information on the internet on how to change this. So
this is only partially successful.

Second problem is the use of the smartcard (with a keyfile) and
truecrypt (version 7.0a)

Using the library /usr/lib/opensc-pkcs11.so as PKCS#11 Library Path
leads to an error message saying:

"No security token found. Please make sure your security token is
connected to your computer and the correct
device driver for your token is installed."

Using libOpenPGP11_64.so (or libOpenPGP11_32.so), which I found on
http://smartcard-auth.de/download-de.html, gives another error message:

"Security token error:
DEVICE REMOVED"

This always happens, even if I kill the pgp-agent beforehand (this is
necessary when I switch to my HBCI smartcard (German
online-banking smartcard) or whatever else).

Any hint would be great; thanks in advance

Detlev
-- 
Detlev Reymann
detlev at reymann.eu
http://www.reymann.eu

This mail is signed electronically via gpg. If you do not use
encryption software, simply ignore the additional part of this mail
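
An added example, not part of the original message: a simplified Python model of how PAM's requisite/required/sufficient control flags evaluate the auth lines of the /etc/pam.d/lightdm file quoted above. The per-module results are constructed inputs and other return codes (such as ignore) are not modelled; in this model pam_unix.so, the password prompt, is only reached when pam_poldi.so did not return success.

```python
# Added example: simplified model of how libpam walks an "auth" stack.
# Module results are constructed inputs, not output from a real system.
OK, FAIL = "success", "failure"

# The auth lines of the /etc/pam.d/lightdm file quoted in the message.
LIGHTDM_AUTH = [
    ("requisite", "pam_nologin.so"),
    ("required", "pam_env.so"),
    ("required", "pam_env.so"),
    ("sufficient", "pam_succeed_if.so"),
    ("sufficient", "pam_poldi.so"),
    ("required", "pam_unix.so"),
]

def run_auth_stack(stack, results):
    """Return (verdict, modules_called); modules not in results succeed."""
    called, required_failed, succeeded = [], False, False
    for control, module in stack:
        called.append(module)
        ok = results.get(module, OK) == OK
        if ok and control == "sufficient":
            # Success ends the stack unless a required module already failed.
            if not required_failed:
                return OK, called
        elif ok:
            succeeded = True
        elif control == "requisite":
            return FAIL, called          # failure aborts immediately
        elif control == "required":
            required_failed = True       # failure is remembered, stack goes on
        # a failing "sufficient" module is simply ignored
    return (OK if succeeded and not required_failed else FAIL), called

if __name__ == "__main__":
    not_in_group = {"pam_succeed_if.so": FAIL}
    scenarios = {
        "card accepted": {**not_in_group, "pam_poldi.so": OK},
        "card rejected, password ok": {**not_in_group, "pam_poldi.so": FAIL},
        "card rejected, password wrong": {**not_in_group, "pam_poldi.so": FAIL,
                                          "pam_unix.so": FAIL},
    }
    for name, results in scenarios.items():
        verdict, called = run_auth_stack(LIGHTDM_AUTH, results)
        print(f"{name}: {verdict}, last module = {called[-1]}")
```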