PAM Authentication
Most Linux systems rely heavily on the PAM framework for authentication, and through OpenSC your PKI hardware can be used within PAM. This lets you use your PKI card for console login on Linux, so you no longer need to remember a lot of passwords across a lot of machines, and likewise for GDM or xscreensaver to log in to X Windows without lengthy passwords, while gaining security because a physical device is now required to log in as well. Because of how PAM works, you can either require the PKI card to be present and disable passwords, or use PKI when it is available and fall back to passwords as a last resort.
Before doing anything, set up the list of certificates that will be allowed to authenticate; otherwise you might lock yourself out of your system, which would be a bad thing.
For each user, run the following commands to create the allowed list of certificates:

    mkdir ~username/.eid
    pkcs15-tool -r 45 > ~username/.eid/authorized_certificates
    chown -R username:username ~username/.eid
Next you will need to edit the file /etc/pam.d/common-auth. By default it should look similar to what I have pasted below:

    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    auth    required    pam_unix.so nullok_secure
To try your PKI hardware first but fall back to passwords, change the common-auth file to look like this:

    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    auth    sufficient  pam_opensc.so
    auth    required    pam_unix.so nullok_secure
Or, to accept logins only from PKI hardware:

    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    auth    required    pam_opensc.so
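Because the PKI-only variant locks out any user whose authorized_certificates file is missing or empty, a pre-flight check such as the one below is worth running before switching common-auth over. This is an added example, not part of the original page or of OpenSC; it assumes that pkcs15-tool -r writes the certificate in PEM form, and it uses a constructed temporary tree in place of real home directories.

```shell
#!/bin/sh
# Pre-flight check before changing common-auth to "auth required pam_opensc.so":
# every user must already have a non-empty ~user/.eid/authorized_certificates
# holding at least one PEM certificate (assumption: pkcs15-tool -r emits PEM).

eid_user_ready() {
    # $1 = the user's home directory, passed explicitly so the check can be
    # exercised against a test tree instead of /etc/passwd entries.
    f="$1/.eid/authorized_certificates"
    [ -s "$f" ] || return 1                       # missing or empty: user would be locked out
    grep -q 'BEGIN CERTIFICATE' "$f" || return 1  # not PEM: pam_opensc has nothing to match
    return 0
}

# Check several home directories and report the ones that are not ready.
# Returns 0 only if every user passed.
eid_all_ready() {
    rc=0
    for home in "$@"; do
        if eid_user_ready "$home"; then
            echo "ok:        $home"
        else
            echo "NOT READY: $home (no usable .eid/authorized_certificates)"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo tree, not real home directories: alice has a certificate,
# bob has an empty file (the state left behind by a failed pkcs15-tool read).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/alice/.eid" "$demo_dir/bob/.eid"
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
              'MIIB...constructed placeholder, not a real certificate...' \
              '-----END CERTIFICATE-----' > "$demo_dir/alice/.eid/authorized_certificates"
: > "$demo_dir/bob/.eid/authorized_certificates"

if eid_all_ready "$demo_dir/alice" "$demo_dir/bob"; then
    echo "all users ready: safe to switch common-auth to PKI-only"
else
    echo "refusing to switch common-auth to PKI-only until every user is ready"
fi
```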