PAM Authentication

Most Linux systems rely heavily on the PAM framework for authentication, and PKI hardware can be used within PAM via OpenSC so that your PKI card logs you in at the Linux console. This saves you from remembering many passwords across many machines, and the same applies to GDM, xscreensaver and other X Window logins: no lengthy passwords to remember, yet greater security, because a physical device is now also required to log in. Because of how PAM works, you can either require the PKI card to be present and disable passwords, or use PKI when it is available and fall back to passwords as a last resort.

Before doing anything else, set up the list of certificates that are allowed to authenticate; otherwise you might lock yourself out of your system, which would be a bad thing :)

For each user, run the following commands to build the allowed list of certificates:

mkdir ~username/.eid
# -r 45 reads the certificate with ID 45 from the card; it becomes the user's allowed list
pkcs15-tool -r 45 > ~username/.eid/authorized_certificates
# the directory was created as root, so hand it back to the user
chown -R username:username ~username/.eid

Next, edit the file /etc/pam.d/common-auth. By default it should look similar to what I have pasted below:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
auth    required        pam_unix.so nullok_secure

To try your PKI hardware first but fall back to passwords, change the common-auth file to look like:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
auth    sufficient      pam_opensc.so
auth    required        pam_unix.so nullok_secure

Or, to only accept logins from PKI hardware:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
auth    required        pam_opensc.so
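Because the PKI-only layout locks out any user without a usable authorized_certificates file, a pre-flight check is worth running before switching to it. The script below is an added example, not part of the original page or of OpenSC's own tooling; it assumes the file holds PEM certificate blocks, and the common-auth path and home directories are passed in as arguments.

```shell
#!/bin/sh
# Added example: pre-flight check before switching common-auth to PKI-only.
# Assumes ~/.eid/authorized_certificates contains PEM certificate blocks.

# eid_ready HOMEDIR: succeeds only if HOMEDIR/.eid/authorized_certificates
# exists, is non-empty and contains at least one complete PEM certificate.
eid_ready() {
    f="$1/.eid/authorized_certificates"
    [ -s "$f" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$f" || return 1
    return 0
}

# pam_mode COMMON_AUTH: prints which of the three layouts above the file
# matches (password-only, pki-fallback, pki-only) or "unknown".
pam_mode() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }       # skip comments and blanks
        $1 != "auth" { next }                       # only the auth stack matters here
        $3 == "pam_opensc.so" { opensc = $2; order = order "o" }
        $3 == "pam_unix.so"   { unixctl = $2; order = order "u" }
        END {
            m = "unknown"
            if (order == "u" && unixctl == "required") m = "password-only"
            if (order == "ou" && opensc == "sufficient" && unixctl == "required") m = "pki-fallback"
            if (order == "o" && opensc == "required") m = "pki-only"
            print m
        }
    ' "$1"
}

# preflight COMMON_AUTH HOMEDIR...: fails (returns 1) when the PAM file is
# pki-only but some listed home directory has no usable certificate list,
# since that user could no longer log in. Other modes always pass.
preflight() {
    pamfile="$1"; shift
    mode=$(pam_mode "$pamfile")
    [ "$mode" = "pki-only" ] || return 0
    rc=0
    for h in "$@"; do
        eid_ready "$h" || { echo "no usable authorized_certificates in $h" >&2; rc=1; }
    done
    return $rc
}
```

Run it as `preflight /etc/pam.d/common-auth /home/*` after editing common-auth but before closing your root shell, so a failing user can still be fixed.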