it needs current opensc trunk with latest libp11 to compile.
but the result is independent of opensc and should work with
any other pkcs#11 implementation, too.
actualy two modules are compilied: pam_p11_opensc and pam_p11_openssh.
the first uses the .eid/authorized_certificates the later
.ssh/authorized_keys to decide whether or not you are allowed
to log in.
the code is nice and small, but needs some clean ups, additional
sanity checks, etc. but it works for me. there is no config file
and no options are supported at all - you need to pass the pkcs11
module as first parameter.
certificates are used like blobs: no further checks are done,
no check for ca signatures, revocation lists or anything like that.
but: it works fine for me and should be ok as replacement for
pam_opensc in eid mode.
please test and let me know if you have any problem.
I'd like to remove pam_opensc, scldap, sia and related
code from opensc soon, as it is buggy and pam_p11 plus pam_pkcs11
should be fine as replacements.