Poldi example usage of gpg-connect-agent fails

Franck Routier (perso) alci at mecadu.org
Fri Sep 8 11:00:31 CEST 2017


Hi, and thank you for your help,


On 07/09/2017 at 08:06, Alexander Paetzelt | Nitrokey wrote:
> I got this working some weeks ago for testing purposes. I did what's
> written here
>
> https://www.nitrokey.com/documentation/applications#p:nitrokey-pro&os:linux&a:computer-login 
>
>
> Why do you think, poldi-ctrl is not there for 0.4? I used 0.4.1 and had
> it (on ArchLinux though). You may have to use root rights to use 
> poldi-ctrl?
In fact poldi-ctrl is not included in the debian/ubuntu package.

The NEWS file in /usr/share/doc/libpam-poldi even states, at the very 
beginning:

"Changes since version 0.4.1:

* poldi-ctrl is removed
   Please use gpg-connect-agent instead."

That said, I could compile poldi-ctrl from source to get the config file 
I needed.
The steps I followed are:
$ git clone https://github.com/chrisboyle/poldi.git
$ sudo apt install libgpg-error-dev
$ sudo apt install libpam0g-dev
$ sudo apt install libgcrypt20-dev
$ ./configure;make

then poldi-ctrl is in poldi/src/ctrl/poldi-ctrl

I had to stop the running scdaemon to get it working, and poldi-ctrl -k 
finally gave me the right incantations.

So I now have it running. Now, the Debian packager, and even the upstream 
doc writer seem to think I should use gpg-agent...

So, does anyone have an idea about why this fails:

$ gpg-connect-agent "/datafile myfile" "SCD READKEY --advanced OPENPGP.3" /bye

ERR 100663414 Identifiant incorrect <SCD>

Regards,
Franck

>
> Kind regards
> Alex
>
>
> On 09/06/2017 11:30 AM, Franck Routier (perso) wrote:
>> Hi,
>>
>> I am trying to get into smartcard usage, and would want to allow
>> Authentication on my system with an OpenPGP Card (FSFE Fellowship
>> smartcard).
>>
>> As I understand it (I might be wrong), the right pam module is Poldi.
>>
>> According to the Texinfo page (info poldi), current version is 0.4,
>> and lacks the previous poldi-ctrl utility, so I have to create some
>> config file manually.
>>
>> Specifically, here is the example that is given:
>>
>>
>>     First, the system administrator has to associate the user moritz with
>> the card's serial number:
>>
>>       $ echo "D2760001240101010001000006550000 moritz" >> /etc/poldi/localdb/users
>>
>>     Second, the system administrator needs to write the card's key into a
>> card-specific key file.  Therefore he inserts Moritz' smartcard and
>> executes:
>>
>>       $ gpg-connect-agent "/datafile /etc/poldi/localdb/keys/D2760001240101010001000006550000" "SCD READKEY --advanced OPENPGP.3" /bye
>>
>>
>> My problem is that the command  gpg-connect-agent "/datafile myfile"
>> "SCD READKEY --advanced OPENPGP.3" /bye returns an error:
>>
>> ERR 100663414 Identifiant incorrect <SCD>
>>
>>
>> Can anyone help me on this ? (or is there a better way to authenticate
>> using an OpenPGP smartcard ?) (or is it just a bad idea ?)
>>
>> Thanks in advance
>>
>> Franck
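The following is an added example, not part of the original message and not Poldi's own code: a shell check that the localdb layout from the quoted Texinfo excerpt is consistent, so that a failed `SCD READKEY` (which leaves no usable key file) or a loosely permissioned mapping file is noticed before PAM relies on it. The function name `check_poldi_localdb`, the second serial, the user `alice` and the key file contents are constructed for illustration; the world-writable test is an added hardening check.

```shell
#!/bin/sh
# Added example: consistency check for a Poldi localdb directory.
# Layout taken from the Texinfo excerpt quoted in the message:
#   <localdb>/users          lines of "<card serial> <username>"
#   <localdb>/keys/<serial>  key file written via "SCD READKEY"
check_poldi_localdb() {
    db=$1
    problems=0
    if [ ! -r "$db/users" ]; then
        echo "missing users file: $db/users"
        return 1
    fi
    # The mapping decides which card logs in as which account,
    # so it must not be writable by arbitrary users.
    if [ -n "$(find "$db/users" -perm -0002)" ]; then
        echo "users file is world-writable"
        problems=$((problems + 1))
    fi
    while read -r serial user rest || [ -n "$serial" ]; do
        case $serial in '') continue ;; esac      # skip blank lines
        # An OpenPGP card serial (application ID) is 16 bytes = 32 hex digits.
        if ! printf '%s\n' "$serial" | grep -Eq '^[0-9A-Fa-f]{32}$'; then
            echo "bad serial: $serial"
            problems=$((problems + 1))
            continue
        fi
        if [ -z "$user" ]; then
            echo "no user for serial: $serial"
            problems=$((problems + 1))
            continue
        fi
        # -s is true only for an existing, non-empty file.
        if [ ! -s "$db/keys/$serial" ]; then
            echo "missing or empty key file: $serial ($user)"
            problems=$((problems + 1))
        fi
    done < "$db/users"
    [ "$problems" -eq 0 ]
}

# Constructed demo data: moritz has a key file, alice does not.
demo=$(mktemp -d)
mkdir "$demo/keys"
printf '%s\n' 'D2760001240101010001000006550000 moritz' \
              'D2760001240101010001000006550001 alice' > "$demo/users"
chmod 644 "$demo/users"
echo '(public-key placeholder)' > "$demo/keys/D2760001240101010001000006550000"
check_poldi_localdb "$demo" || echo "localdb needs attention"
rm -rf "$demo"
```

On a real system the argument would be `/etc/poldi/localdb`, the directory used in the quoted excerpt.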