apt install -y opensc gdm3

Note: Make sure to select GDM as the default display manager, since this does not yet work with LightDM.

This assumes you have the pam_pkcs11.conf file in your home.

cp ~/pam_pkcs11.conf /etc/pam_pkcs11/

rmdir /etc/pam_pkcs11/cacerts

ln -s /usr/local/share/ca-certificates /etc/pam_pkcs11/cacerts

cd /etc/pam_pkcs11/cacerts; pkcs11_make_hash_link

We need to remove the pam_pkcs11 call from common-auth and add it to gdm-password so that SSH sessions can pass along without smartcard auth:

In /etc/pam.d/common-auth remove:

auth    [success=2 default=0]    pam_pkcs11.so

Add the following line to /etc/pam.d/gdm-password AFTER the @include common-auth line:

auth    [success=ok default=bad]    pam_pkcs11.so

Reboot the system and test!