<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body>
    Hi,<br>
    <br>
    I'm trying to use my Yubikey with libpam-poldi to sudo on an Ubuntu-based
    OS (Tuxedo OS).<br>
    <br>
    My card is working:<br>
    <br>
    $ gpg --card-status<br>
    <br>
    <span style="font-family:monospace"><span
        style="color:#000000;background-color:#ffffff;">Reader
        ...........: Yubico YubiKey OTP FIDO CCID 00 00</span><span
        style="color:#000000;background-color:#ffffff;"> </span><br>
      <span style="color:#000000;background-color:#ffffff;">Application
        ID ...: Dxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span><br>
      <span style="color:#000000;background-color:#ffffff;">Application
        type .: OpenPGP</span><span
        style="color:#000000;background-color:#ffffff;"> </span><br>
      <span style="color:#000000;background-color:#ffffff;">Version
        ..........: 3.4</span><span
        style="color:#000000;background-color:#ffffff;"> </span><br>
      <span style="color:#000000;background-color:#ffffff;">Manufacturer
        .....: Yubico<br>
        [...]<br>
      </span><br>
    </span>When using pass password manager, I am asked for a PIN to
    unlock the card, touch it and I get my password unencrypted.<br>
    It also works with browserpass Firefox extension.<br>
    <br>
    So far so good.<br>
    <br>
    Now, I have set up libpam-poldi:<br>
    - created the /etc/poldi/localdb/users and linked my user with the
    Application ID<br>
    - created the /etc/poldi/localdb/keys/MyAppID file, with <br>
    <br>
    sudo sh -c 'gpg-connect-agent "/datafile
    /etc/poldi/localdb/keys/MyAppID" "SCD READKEY --advanced OPENPGP.3"
    /bye'<br>
    <br>
    My .gnupg/scdaemon.conf file looks like this:<br>
    <span style="font-family:monospace"><span
        style="color:#000000;background-color:#ffffff;">disable-ccid</span><br>
      <span style="color:#000000;background-color:#ffffff;"></span><br>
    </span>My /etc/pam.d/sudo and /etc/pam.d/sudo-i have    <span
      style="font-family:monospace"><span
        style="color:#000000;background-color:#ffffff;">auth sufficient
        pam_poldi.so</span><br>
      <span style="color:#000000;background-color:#ffffff;"></span><br>
    </span>And finally .gnupg/gpg-agent.conf looks like:<br>
    <span style="font-family:monospace"><span
        style="color:#000000;background-color:#ffffff;">pinentry-program
        /usr/bin/pinentry-qt</span><span
        style="color:#000000;background-color:#ffffff;"> </span><br>
      <span style="color:#000000;background-color:#ffffff;">debug-lvel 3</span><span
        style="color:#000000;background-color:#ffffff;"> </span><br>
      <span style="color:#000000;background-color:#ffffff;">enable-ssh-support</span><span
        style="color:#000000;background-color:#ffffff;"> </span><br>
      <span style="color:#000000;background-color:#ffffff;">ttyname
        $GPG_TTY</span><span
        style="color:#000000;background-color:#ffffff;"> </span><br>
      <span style="color:#000000;background-color:#ffffff;">default-cache-ttl
        60</span><span style="color:#000000;background-color:#ffffff;">
      </span><br>
      <span style="color:#000000;background-color:#ffffff;">max-cache-ttl
        120</span><br>
      <span style="color:#000000;background-color:#ffffff;"></span><br>
    </span><br>
    Now, when I try to sudo, I am asked to insert my card, and asked for
    a password, but never for a PIN:<br>
    <br>
    <span style="font-family:monospace"><span
        style="font-weight:bold;color:#000000;background-color:#ffffff;">$</span><span
        style="color:#000000;background-color:#ffffff;"> sudo su</span><span
        style="color:#000000;background-color:#ffffff;"> </span><br>
      <span style="color:#000000;background-color:#ffffff;">Insert
        authentication card for user `franck'</span><span
        style="color:#000000;background-color:#ffffff;"> </span><br>
      <span style="color:#000000;background-color:#ffffff;">Trying
        authentication as user `franck'...</span><span
        style="color:#000000;background-color:#ffffff;"> </span><br>
      <span style="color:#000000;background-color:#ffffff;">[sudo]
        password for franck: </span><br>
      <span style="color:#000000;background-color:#ffffff;"></span><br>
    </span>Journalctl -f shows:<br>
    <span style="font-family:monospace"><span
        style="color:#000000;background-color:#ffffff;">gpg-agent[13666]:
        scdaemon[13666]: detected reader 'Yubico YubiKey OTP+FIDO+CCID
        00 00'</span><span
        style="color:#000000;background-color:#ffffff;"> </span><br>
      <span style="color:#000000;background-color:#ffffff;">gpg-agent[13666]:
        scdaemon[13666]: detected reader 'Yubico YubiKey OTP+FIDO+CCID
        00 00'</span><br>
      <span style="color:#000000;background-color:#ffffff;"> </span><br>
    </span>But I am never given the opportunity to unlock the card...<br>
    Any idea to fix or to troubleshoot this?<br>
    <br>
    Thanks<br>
    Franck<br>
    <br>
    <br>
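    The message above describes three pieces that must agree for pam_poldi to work: the localdb users file mapping a card serial to a username, a keys/&lt;serial&gt; file produced by READKEY --advanced, and an auth line for pam_poldi.so in the sudo PAM stack. The following script is an added example (not code from the original message or from the poldi project) that checks those three pieces for consistency; it runs against a constructed fixture directory, and the function name poldi_check, the fixture serial and the key material are placeholders.<br>

```shell
#!/bin/sh
# Added example, not from the original message: consistency check for a
# poldi localdb as described in the post. Paths are parameters so the check
# can run against a constructed fixture instead of /etc/poldi.
poldi_check() {
  user="$1"; localdb="$2"; pamfile="$3"; rc=0
  # users file: one "<card serial> <username>" per line
  serial=$(awk -v u="$user" '$2 == u { print $1; exit }' "$localdb/users" 2>/dev/null)
  if [ -z "$serial" ]; then
    echo "no entry for $user in $localdb/users"; return 1
  fi
  keyfile="$localdb/keys/$serial"
  if [ ! -f "$keyfile" ]; then
    echo "missing key file $keyfile (expected output of SCD READKEY --advanced)"; rc=1
  elif ! grep -q '^(public-key' "$keyfile"; then
    echo "$keyfile does not start with an s-expression public key"; rc=1
  fi
  # the sudo PAM stack must carry an auth line for pam_poldi.so
  if ! grep -Eq '^[[:space:]]*auth[[:space:]]+(sufficient|required|requisite|\[[^]]*\])[[:space:]]+pam_poldi\.so' "$pamfile"; then
    echo "no auth line for pam_poldi.so in $pamfile"; rc=1
  fi
  return $rc
}

# Constructed fixture so the check runs offline; serial and key are placeholders.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/localdb/keys" "$dir/pam.d"
  printf 'D00000000000000000000PLACEHOLDER franck\n' > "$dir/localdb/users"
  printf '(public-key\n (rsa\n  (n #00C0FFEE#)\n  (e #010001#)))\n' \
    > "$dir/localdb/keys/D00000000000000000000PLACEHOLDER"
  printf 'auth sufficient pam_poldi.so\n@include common-auth\n' > "$dir/pam.d/sudo"
  echo "$dir"
}

FIX=$(make_fixture)
poldi_check franck "$FIX/localdb" "$FIX/pam.d/sudo" && echo "poldi localdb consistent for franck"
poldi_check nobody "$FIX/localdb" "$FIX/pam.d/sudo" || echo "expected: nobody is not mapped"
```
<br>
    On a real system, call poldi_check with the login name, /etc/poldi/localdb and /etc/pam.d/sudo (it needs read access to those files).<br>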
  </body>
</html>