From pam-pkcs11’s doc, I found that:
Starting at pam_pkcs11-0.4.2 a new feature is provided: pam-pkcs11 can deduce the username from the user certificate without using the login prompt.
And after I added “auth sufficient pam_pkcs11.so” in /etc/pam.d/gdm of redhat 7.5, I can use the feature about login auto-detect:
If a card is not present, “gdm” will prompt again for a user login
If a card is present, pam-pkcs11 will ask for the PIN, and then invoke finder in module mapper list. When a user is found, this user become the logged user
And since the default pam-pkcs11 for SLED 12 sp3 is pam_pkcs11 0.6.8-5.81. I think this feature is suppored in SLED 12 sp3 too. But even if I added “auth sufficient pam_pkcs11.so”, I can’t find this feature is enabled. Then how to enable Login auto-detect for PAM-PKCS11 in SLED 12 SP3? Thanks a lot.