No PIN asked for with libpam-poldi
Franck Routier (Personnel)
alci at mecadu.org
Fri Nov 7 11:43:58 CET 2025
Hi,
I'm trying to use my Yubikey with libpam-poldi to sudo on an Ubuntu-based
OS (Tuxedo OS).
My card is working:
$ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: Dxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
[...]
When using the pass password manager, I am asked for a PIN to unlock the
card, touch it and I get my password unencrypted.
It also works with the browserpass Firefox extension.
So far so good.
Now, I have set up libpam-poldi:
- created the /etc/poldi/localdb/users file and linked my user with the
  Application ID
- created the /etc/poldi/localdb/keys/MyAppID file with:
  sudo sh -c 'gpg-connect-agent "/datafile /etc/poldi/localdb/keys/MyAppID" "SCD READKEY --advanced OPENPGP.3" /bye'
My .gnupg/scdaemon.conf file looks like this:
disable-ccid
My /etc/pam.d/sudo and /etc/pam.d/sudo-i have auth sufficient pam_poldi.so
And finally .gnupg/gpg-agent.conf looks like:
pinentry-program /usr/bin/pinentry-qt
debug-level 3
enable-ssh-support
ttyname $GPG_TTY
default-cache-ttl 60
max-cache-ttl 120
Now, when I try to sudo, I am asked to insert my card, and asked for a
password, but never for a PIN:
$ sudo su
Insert authentication card for user `franck'
Trying authentication as user `franck'...
[sudo] password for franck:
journalctl -f shows:
gpg-agent[13666]: scdaemon[13666]: detected reader 'Yubico YubiKey OTP+FIDO+CCID 00 00'
gpg-agent[13666]: scdaemon[13666]: detected reader 'Yubico YubiKey OTP+FIDO+CCID 00 00'
But I am never given the opportunity to unlock the card...
Any idea how to fix or troubleshoot this?
Thanks
Franck
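The setup steps above (users mapping, key file dumped with SCD READKEY --advanced, pam_poldi.so as an auth entry) can be checked for consistency before debugging the PIN prompt. The script below is an added example, not part of the original post and not a poldi tool; it assumes the localdb layout from poldi's documentation (one "<ApplicationID> <username>" pair per line in users, and keys/<ApplicationID> holding the S-expression dump) and takes the PAM file, user name and Application ID as arguments.

```shell
#!/bin/sh
# Added diagnostic (not from the post or from poldi itself). Checks that a
# poldi localdb and a PAM service file agree with one card/user pair.
# Assumed layout (from poldi's documentation):
#   $localdb/users         one "<ApplicationID> <username>" pair per line
#   $localdb/keys/<AppID>  public key as dumped by "SCD READKEY --advanced"
# Usage: poldi_check LOCALDB PAMFILE USERNAME APPID   (exit 0 = consistent)
poldi_check() {
  localdb=$1; pamfile=$2; user=$3; appid=$4; rc=0

  # 1. The card's Application ID must be mapped to this user.
  if ! grep -qE "^${appid}[[:space:]]+${user}[[:space:]]*$" "$localdb/users" 2>/dev/null; then
    echo "users: no line mapping $appid to $user" >&2; rc=1
  fi

  # 2. The key file must exist, be non-empty and hold the advanced
  #    (S-expression) dump rather than the binary form.
  keyfile="$localdb/keys/$appid"
  if [ ! -s "$keyfile" ]; then
    echo "keys: $keyfile missing or empty" >&2; rc=1
  elif ! grep -q '(public-key' "$keyfile"; then
    echo "keys: $keyfile is not an S-expression dump (was --advanced used?)" >&2; rc=1
  fi

  # 3. pam_poldi.so must be an 'auth' entry, and it must come before the
  #    password modules pulled in by common-auth/pam_unix; otherwise PAM
  #    runs the password module first and the card is never consulted.
  poldi_line=$(grep -nE '^auth[[:space:]].*pam_poldi\.so' "$pamfile" 2>/dev/null | head -n1 | cut -d: -f1)
  unix_line=$(grep -nE '^(@include[[:space:]]+common-auth|auth[[:space:]].*pam_unix\.so)' "$pamfile" 2>/dev/null | head -n1 | cut -d: -f1)
  if [ -z "$poldi_line" ]; then
    echo "pam: no 'auth ... pam_poldi.so' line in $pamfile" >&2; rc=1
  elif [ -n "$unix_line" ] && [ "$unix_line" -lt "$poldi_line" ]; then
    echo "pam: password module (line $unix_line) runs before pam_poldi.so (line $poldi_line)" >&2; rc=1
  fi
  return $rc
}

# Run against the real system when invoked with four arguments, e.g.
#   sh poldi_check.sh /etc/poldi/localdb /etc/pam.d/sudo franck <ApplicationID>
if [ "$#" -eq 4 ]; then poldi_check "$@"; fi
```

The Application ID to pass is the value shown by gpg --card-status; each failed check prints one line on stderr and the function returns non-zero.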