Closed c3ph3us closed 5 years ago
I'll check the code today...
As I can see, the "2320: wrong smartcard PIN" error only happens when the card (token) login fails. Note that when you set nullok the PAM module really tries to log in with the empty PIN and the card may not accept it. So, check your token/card.
Seems to be closed now. Feel free to reopen once you've got new info about the problem.
@wolneykien yes, but without nullok (as I understand, it allows checking by smartcard against an empty PIN) pam_pkcs11 also is not going on to pam_unix (password); instead it is forcing me to enter login ... and the cycle is closing - only when there is no smartcard then I can use password .. which options in the stack do I need to use to go down in the stack? sufficient is not working ....
optional?
With the above config, when I hit Enter I get 2318 x 3, then auth ends with failure.
Hi! I suppose the card_only = false option in pam_pkcs11.conf is the one you are looking for. With this option it is possible to go to the next PAM module by the ignore status as follows:
auth [success=done ignore=ignore default=die] pam_pkcs11.so
auth requisite pam_succeed_if.so user ingroup wheel
auth include system-auth-local
where system-auth-local is the standard system authentication stack (i.e. local password authentication). Using pam_succeed_if.so is optional, of course.
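How the control field in the stack above routes each pam_pkcs11 result, as an added example that is not part of the original thread and is not libpam or pam_pkcs11 code. It is a simplified model of the stack walk; the return codes fed in are constructed inputs, and pam_unix.so standing in for the included system-auth-local stack is an assumption.

```python
# Added example: simplified model of libpam's stack walk (not libpam or pam_pkcs11 code).
SHORTHAND = {  # bracket equivalents of the keyword controls, per pam.conf(5)
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
}

def parse_control(control):
    """Return {return_code: action} for a keyword or [k=v ...] control field."""
    text = SHORTHAND.get(control, control)
    return dict(pair.split("=", 1) for pair in text.strip("[]").split())

def run_stack(stack, results):
    """Walk (control, module) pairs; results maps module -> constructed return code.
    Returns (granted, modules_called). Jumps and 'reset' are not modelled."""
    verdict, called = None, []            # None: nothing has decided yet
    for control, module in stack:
        called.append(module)
        actions = parse_control(control)
        action = actions.get(results[module], actions["default"])
        if action in ("ok", "done"):
            if verdict is None:
                verdict = True
            if action == "done" and verdict:
                break                     # stop here, later modules never run
        elif action in ("bad", "die"):
            verdict = False
            if action == "die":
                break                     # fail immediately, no password prompt
        # action == "ignore": the module's result does not count either way
    return verdict is True, called

# Stack from the answer; pam_unix.so stands in for the included
# system-auth-local stack (assumption, that file is not shown on the page).
STACK = [
    ("[success=done ignore=ignore default=die]", "pam_pkcs11.so"),
    ("requisite", "pam_succeed_if.so"),
    ("required", "pam_unix.so"),
]

def scenario(pkcs11, in_wheel="success", password="success"):
    return run_stack(STACK, {"pam_pkcs11.so": pkcs11,
                             "pam_succeed_if.so": in_wheel,
                             "pam_unix.so": password})

if __name__ == "__main__":
    for code in ("success", "ignore", "auth_err"):
        print(code, scenario(code))
```

Only an ignore result from pam_pkcs11.so lets the walk reach the password module; any other non-success result hits default=die and ends the stack at the first line.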
pam_pkcs11.txt
Some time ago everything was fine :) but now I need to pull my YubiKey to log in via PAM, because when I hit Enter [as empty PIN] for PIN auth, which is the first method in the auth-common stack, the PAM module logs me out!!!!
1) Why doesn't the new mechanism fall back to the default password auth method (for empty PIN)? 2) And where can I change this to the previous behavior for password fallback? (This is a "must have option", as I use encryption of the user home, and for login and to unwrap the passphrase I need the user password when I first log in to my account - and no PIN solution.)
error 2318 - empty smartcard pin not allowed
I have also tried adding nullok
error 2320 - wrong smartcard pin
Where do I need to set this up, and which is the correct option?
config attached