
Configure Smart Card Auth on Ubuntu 20.04

Install pre-requisite packages

apt install -y opensc gdm3

Note: Make sure to select GDM as the default display manager, since this does not yet work with LightDM.

Copy in PAM PKCS11 config

This assumes you have the pam_pkcs11.conf file in your home directory.

cp ~/pam_pkcs11.conf /etc/pam_pkcs11/

Set up CA Certs

rmdir /etc/pam_pkcs11/cacerts
ln -s /usr/local/share/ca-certificates /etc/pam_pkcs11/cacerts
cd /etc/pam_pkcs11/cacerts; pkcs11_make_hash_link

Configure PAM

We need to remove the pam_pkcs11 call from common-auth and add it to gdm-password instead. common-auth is included by other services such as sshd, so moving the call lets SSH sessions authenticate without smart card auth:

In /etc/pam.d/common-auth remove:

auth    [success=2 default=0]    pam_pkcs11.so

Add the following line to /etc/pam.d/gdm-password AFTER the @include common-auth line:

auth    [success=ok default=bad]    pam_pkcs11.so
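
A quick check of the PAM layout before rebooting, as an added example that is not part of the original guide: it confirms that no active pam_pkcs11.so line remains in common-auth and that gdm-password calls the module after its @include common-auth line. The function name check_pam_pkcs11 and its optional directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example; check_pam_pkcs11 is a hypothetical helper name.
# Usage: check_pam_pkcs11 [pam_dir]   (pam_dir defaults to /etc/pam.d)
check_pam_pkcs11() {
    pam_dir="${1:-/etc/pam.d}"
    common="$pam_dir/common-auth"
    gdm="$pam_dir/gdm-password"
    rc=0

    for f in "$common" "$gdm"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 2; }
    done

    # An active (uncommented) pam_pkcs11.so line in common-auth would pull
    # smart card auth into every service that includes it, sshd among them.
    stale=$(awk '/^[ \t]*#/ { next } /pam_pkcs11\.so/ { n++ } END { print n + 0 }' "$common")
    if [ "$stale" -gt 0 ]; then
        echo "FAIL: pam_pkcs11.so still active in $common" >&2
        rc=1
    fi

    # In gdm-password the module has to come after "@include common-auth".
    state=$(awk '
        /^[ \t]*#/ { next }
        /^[ \t]*@include[ \t]+common-auth([ \t]|$)/ { if (!inc) inc = NR }
        /pam_pkcs11\.so/ { if (!p11) p11 = NR }
        END {
            if (!p11)           print "missing"
            else if (!inc)      print "no-include"
            else if (p11 < inc) print "before-include"
            else                print "ok"
        }' "$gdm")
    case "$state" in
        ok) ;;
        *)  echo "FAIL: pam_pkcs11.so in $gdm: $state" >&2; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: pam_pkcs11 is confined to gdm-password"
    return "$rc"
}
```

Run it as root with no argument to check /etc/pam.d, or point it at a copy of the directory to test changes first.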

Finishing Up

Reboot the system and test!