We need to add to the documentation that you need to disable the account checks when you are using the automatic smart card connection feature. Several distributions create a PAM configuration where it will try to validate the account using the card DN (which of course fails).
On CentOS 6, it was necessary to add "broken_shadow" after the pam_unix account line.
(In reply to comment #1) > On CentOS 6, it was necessary to add "broken_shadow" after the pam_unix account > line. This is also a valid fix for Ubuntu 12.04
To clarify: What you need to do on most systems is to disable the account checks in /etc/pam.d/sshd Example: --- /etc/pam.d/sshd.old 2016-02-11 15:57:26.139521826 +0100 +++ /etc/pam.d/sshd 2016-02-11 12:42:14.950118283 +0100 @@ -4,6 +4,7 @@ auth include postlogin # Used with polkit to reauthorize users in remote sessions -auth optional pam_reauthorize.so prepare +account sufficient pam_permit.so account required pam_nologin.so account include password-auth password include password-auth
*** Bug 3117 has been marked as a duplicate of this bug. ***
