Can't login when smart card is plugged in

Hello,

I am running the latest version of Zorin Pro (16.2), and if I reboot while I have a smart card plugged in, I can't get back in with my regular user account.

Instead of displaying my user account as an option, I get asked for a username instead, and when I type it, I see the "Sorry, smart card authentication didn't work. Please try again". I also see the back arrow to the left of the username input text box, but upon clicking nothing really happens.

Does anybody know how I can get around this without unplugging and plugging the card every time I need to reboot?

Much appreciated!

Please see this post on Smart Card authentication:


Thank you. This article you linked, however, seems to contain instructions to enable smart card login, which is not what I am asking for (pretty much the opposite). The login screen of Zorin, when the card is plugged in, is not allowing me to log in as my regular user. I'd like for it to ignore the presence of the smart card and let me log in like I would without it.


It appears I am misunderstanding this issue...
If you authenticate the card as your user, should it not stop trying to ask for authentication for the smart card?

Here's the scenario:

  1. Plug in smart card to computer;
  2. Reboot the computer;
  3. Zorin login screen appears;
  4. I am asked to enter a username instead of picking one from the list;
  5. I enter my username;
  6. It says that it can't log me in because the smart card authentication did not work;
  7. I am presented with 4 again.

Right now the only solution is to unplug the smart card and reboot the computer. If I do that, I can log in fine with my user.

What I am asking is: how do I avoid #4 in the above scenario? I'd like to just pick my user even though my smart card is plugged in... I want the login screen to completely ignore the smart card and allow me to log in as if it were unplugged.

I see... What if you disable the autosync of the card, so that it only syncs when you want it to?

sudo mv /etc/xdg/autostart/org.gnome.SettingsDaemon.Smartcard.desktop /etc/xdg/autostart/org.gnome.SettingsDaemon.Smartcard.desktop-bk

sudo rm -rf /usr/share/gnome-session/sessions/gnome-login.session

For this next one, check that the file exists by navigating to the file location in your file manager...

sudo rm -rf /usr/share/gnome-session/sessions/zorin.session

If you get an "Oh No! Something has gone wrong" error (grrr. Gnome...), just use the grub menu to go to Advanced Options for Zorin > Recovery Menu - Drop to Prompt, then rename the above file back to what it was:

sudo mv /etc/xdg/autostart/org.gnome.SettingsDaemon.Smartcard.desktop-bk /etc/xdg/autostart/org.gnome.SettingsDaemon.Smartcard.desktop

Thank you. Will doing this still allow me to use the smartcard after logging in?

Reason I ask is because I still need the smart card, I just don't want the login screen to care about it and to have it let me log in normally...

Yes, the idea is that it does not autosync. You must manually sync in order to use the smart card.

The above is a procedure that I have never personally performed and certainly not on Gnome Desktop... So please proceed carefully and cautiously.
Make full backups just in case you find yourself fighting frustration.

Thank you! When you say "manually sync", what do you mean exactly? Do I have to run terminal commands (after logging in) in order to "manually sync"?

Yes, you would need to manually start it, since it was not automatically started. I am not sure how to do that, since I have never done it.
That is one of the reasons I advised moving slowly and cautiously above - this is new territory for me, too.
That said...
You did not do the below, earlier, right?

Map certificate names to login
This PAM module allows certificates to be used for login, though our Linux system needs to know the username. The pam_pkcs11 module provides a variety of cert mappers to do this. Each cert mapper uses specific information from the certificate to map to a user on the system. The different cert mappers may even be stacked. In other words, if the first defined mapper fails to map to a user on the system, the next one will be tried, and so on until a user is found.
For the purposes of this guide, we will use the pwent mapper. This mapper uses the getpwent() system call to examine the pw_name and pw_gecos fields of every user for a match to the CN name. If either matches, the pw_name is returned as the login name. Next, it matches this result to the PAM login name to determine if a match was found or not. Set pwent as the mapper in the pam_pkcs11.conf file by modifying the existing entry:

use_mappers = pwent;

https://ubuntu.com/server/docs/security-smart-cards

I must wonder if you only need the card mapped to your Zorin User Login.
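Added example (not part of the thread and not pam_pkcs11's own code): a simplified model of the pwent mapping quoted above, useful for checking which local accounts a certificate CN would match. It follows only the quoted description (exact match of the CN against pw_name or pw_gecos, then comparison with the PAM login name); the function names, the sample accounts and the "first match wins" ordering are assumptions of this sketch.

```python
import pwd

# Constructed sample accounts as (pw_name, pw_gecos); not real users.
SAMPLE_PASSWD = [
    ("root", "root"),
    ("alice", "Alice Example"),
    ("asmith", "Alice Example"),   # second account with the same GECOS text
    ("bob", "Bob Builder,,,"),     # GECOS carrying trailing comma sub-fields
]


def system_accounts():
    """Read the local account database, the entries getpwent() walks."""
    return [(p.pw_name, p.pw_gecos) for p in pwd.getpwall()]


def pwent_candidates(cn, accounts):
    """Every pw_name whose pw_name or pw_gecos equals the certificate CN."""
    return [name for name, gecos in accounts if cn in (name, gecos)]


def pwent_login_allowed(cn, pam_user, accounts):
    """Model of the last step: mapped name compared with the PAM login name.

    Assumption of this sketch: the first matching entry is the one returned.
    """
    hits = pwent_candidates(cn, accounts)
    return bool(hits) and hits[0] == pam_user


def audit(cn, accounts):
    """Classify a CN: 'no-match', 'unique', or 'ambiguous' (several accounts)."""
    hits = pwent_candidates(cn, accounts)
    if not hits:
        return "no-match"
    return "unique" if len(hits) == 1 else "ambiguous"


if __name__ == "__main__":
    # Placeholder CN; replace with the CN read from your own card's certificate.
    cn = "Alice Example"
    print("sample data :", audit(cn, SAMPLE_PASSWD), pwent_candidates(cn, SAMPLE_PASSWD))
    print("this system :", audit(cn, system_accounts()))
```

An "ambiguous" result means more than one account carries the CN text, and a "no-match" on a GECOS field with comma sub-fields shows why a card can be present yet fail to map to the user typed at the login screen.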

Would it be possible that, accessing with the smart card plugged in and an active network, you get asked by a security setting to access the PC? A kind of smart access that maybe you set on your Google account or similar, could that be? I mean, the card is plugged in, you're online and so the system waits for the card password.

No Aravisian, I haven't tried yet, because I want to make sure I understand what I am doing before executing any command, as this computer I use for my work and I can't risk it blowing up.

Luca, I don't have any Google nor any other account set up. I just need the login manager to ignore my smart card during the login process. That's all. After the login, the smart card should be detected and used. I'd like for this to be an automated process instead of unplugging and plugging it back every time I need to reboot (which is multiple times per day).

What if Automatic login is enabled (in Settings > Users)? It shouldn't ask anything after restarting the PC next time, just load the desktop and it's done. One day I was wondering why Zorin wasn't asking me for my password and I saw Automatic login was enabled, so since I disabled it I'm asked for the password; maybe it works for the username request, too. Another explanation could be that the smart card reader is starting because it is set under Removable devices to start itself as soon as it is plugged in.


I will give it a shot with automatic login. Thank you!
