Bug#1051659: gdm3 45 does not detect users correctly with Yubikey connected
Simon McVittie
smcv at debian.org
Sun Sep 17 13:03:30 BST 2023
Control: retitle -1 gdm3 45 does not detect users correctly with Yubikey connected
Control: severity -1 important
On Sat, 16 Sep 2023 at 21:29:14 -0400, terroreek wrote:
> The issue seems to be having my Yubikey plugged in when GDM starts its looking
> for pam_sss.so. If the pam module is missing one cannot login interactively.
> I will try installing libpam-sss, to see if that revolves the issue. However
> it can be fixed by removing my yubikey and plug it in after logging into gdm.
This is probably the same bug as #1051785, which is a regression in
gdm3 version 45. If I understand correctly, this version integrated some
changes that were previously in Ubuntu, aiming to improve the ability to
use smartcards for authentication with gdm; but those changes go too far,
and break the ability to do non-smartcard authentication if related
PAM modules are not installed.
gdm should only do this if it can work: if the relevant PAM module
(pam_sss.so) is installed, and if the user/sysadmin has also configured
smartcard-based identities so that they can log in like this.
If you run as root
update-alternatives --set gdm-smartcard /etc/pam.d/gdm-smartcard-sssd-or-password
does that restore previous functionality?
Marco: I think we should set the alternatives priority of
gdm-smartcard-sssd-or-password higher than gdm-smartcard-sssd-exclusive
in debian/gdm3.alternatives, unless there is a reason I'm not seeing
why that isn't viable.
smcv
More information about the pkg-gnome-maintainers
mailing list