Package: libpam-p11
Version: 0.1.3-2

I have a Cryptoflex eGate. Storing a raw RSA private key on this card automatically creates the corresponding public key object. No X.509 certificate is created unless you explicitly create one and store it in the device itself.

Using pam_p11_openssh, no certificate should be needed, because there is no certificate to check -- we're just doing raw public key access. However, if i try to use this device without a certificate on it, authentication fails, and i get the following notes in /var/log/auth.log:

  Dec 21 20:52:35 pip login[4308]: pam_p11_openssh(login:auth): no certificates found
  Dec 21 20:52:38 pip login[4308]: FAILED LOGIN (2) on 'tty1' FOR `dkg', Authentication service cannot retrieve authentication info

If i add a certificate created over the same key, i'm able to authenticate. This certificate is superfluous, and shouldn't be necessary -- the pam module should be able to query the related raw public keys on the card if such things exist, and use those instead.

OpenSSH's smartcard support (not enabled in debian) has a related bug, which might be worth reading if only for its similarity:

  https://bugzilla.mindrot.org/show_bug.cgi?id=1498

Thanks for maintaining pam-p11 in debian!

  --dkg
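The certificate-free check the report asks for, as an added example that is not code from pam_p11 or from the reporter: it builds the OpenSSH "ssh-rsa" key blob from the two values a PKCS#11 public key object exposes (CKA_MODULUS and CKA_PUBLIC_EXPONENT) and looks for it in authorized_keys text. It assumes the module's job is to match the card's key against the user's authorized_keys entries; all function names and sample values are hypothetical and constructed.

```python
import base64
import hmac
import struct

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(raw: bytes) -> bytes:
    """Encode unsigned big-endian bytes (as PKCS#11 returns them) as an mpint."""
    raw = raw.lstrip(b"\x00")
    if raw and raw[0] & 0x80:      # high bit set: prepend 0x00 to stay positive
        raw = b"\x00" + raw
    return _ssh_string(raw)

def ssh_rsa_blob(modulus: bytes, exponent: bytes) -> bytes:
    """Key blob of an authorized_keys 'ssh-rsa' entry: type, e, n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)

def authorized_blobs(text: str):
    """Yield decoded ssh-rsa blobs; naive split, ignores quoted option strings."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field == "ssh-rsa":
                try:
                    yield base64.b64decode(fields[i + 1], validate=True)
                except ValueError:   # malformed base64: skip the entry
                    pass
                break

def token_key_authorized(modulus: bytes, exponent: bytes, text: str) -> bool:
    """True if the token's raw public key matches an authorized_keys entry."""
    blob = ssh_rsa_blob(modulus, exponent)
    return any(hmac.compare_digest(blob, b) for b in authorized_blobs(text))

# Constructed sample values (toy 64-bit modulus, not a real key).
SAMPLE_MODULUS = bytes.fromhex("c35f1a9b7d2e4481")    # would come from CKA_MODULUS
SAMPLE_EXPONENT = bytes.fromhex("010001")             # CKA_PUBLIC_EXPONENT
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed authorized_keys content\n"
    "ssh-rsa "
    + base64.b64encode(ssh_rsa_blob(SAMPLE_MODULUS, SAMPLE_EXPONENT)).decode()
    + " user@example\n"
)

if __name__ == "__main__":
    print(token_key_authorized(SAMPLE_MODULUS, SAMPLE_EXPONENT, SAMPLE_AUTHORIZED_KEYS))
```

Matching the blob only selects which key to use; authentication still depends on the card signing a fresh challenge with the private key and that signature verifying against the matched public key.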