pam_pkcs11 appears to need explicit configuration to use hardware tokens which are already present in the system p11-kit configuration. We should probably ship with a default configuration that uses p11-kit-proxy.so (or p11-kit directly). Also, perhaps the configuration file should accept standard PKCS#11 URIs for things like 'slot_description'.
There is a possibility that generic NSS fixes could address much of the problem here. Those are discussed in bug 1173577.
The use of p11-kit should be done through NSS generic, since pam_pkcs11 is an NSS app.
Yes, that's one alternative. But another, if NSS isn't going to get fixed in the short term, is to build pam_pkcs11 against OpenSSL and explicitly load p11-kit-proxy.so. Or to continue building against NSS and explicitly load p11-kit-proxy.so perhaps, as long as we can be sure it doesn't conflict with however NSS *will* eventually get fixed to load the p11-kit configured modules. So unless the fixes for NSS are forthcoming, I think it is worth having a separate bug for pam_pkcs11, as we do have options for fixing it "locally".
I suppose within Fedora we can be sure to update pam_pkcs11 to remove any workaround, when NSS gets fixed. So perhaps the way to close this bug in the short term is just to fix the configuration. Just make it load p11-kit-proxy.so either explicitly in pam_pkcs11.conf or by ensuring it's referenced in in /etc/pki/nssdb and using that with 'module="any module"'.
I'm pretty unlikely to switch pam_pkcs11 off of NSS;). The other stuff are fixes to either nss or pk11-kit.
Fixing NSS definitely works for me. Do you have thoughts on how best to do that? A number of options have been put forward...