Bug#1051785: gdm3 won't allow logins when a smartcard with an x.509 credential is plugged in
Paul Tagliamonte
paultag at gmail.com
Tue Sep 12 15:52:16 BST 2023
Subject: gdm3 won't allow logins when a smartcard with an x.509 credential is plugged in
Package: gdm3
Version: 45~beta-1
Severity: important
thanks
Hey GNOME maintainers,
I upgraded my sid system, and post-upgrade gdm3 isn't showing my face
when I reboot, and entering my username causes it to loop back to
username entry again (no password prompt). After some help from smcv, I
narrowed down the issue to the interactions between my smartcard
development tools installed locally and gdm3.
The journal shows the following output:
| Sep 12 10:18:47 nyx gdm-launch-environment][1851]: pam_unix(gdm-launch-environment:session): session opened for user Debian-gdm(uid=116) by (uid=0)
| Sep 12 10:18:49 nyx gdm-smartcard][2749]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:18:49 nyx gdm-smartcard][2749]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:02 nyx gdm-smartcard][2749]: gkr-pam: no password is available for user
| Sep 12 10:19:02 nyx gdm-smartcard][3505]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:02 nyx gdm-smartcard][3505]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:03 nyx gdm-smartcard][3505]: gkr-pam: no password is available for user
| Sep 12 10:19:03 nyx gdm-smartcard][3512]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:03 nyx gdm-smartcard][3512]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:33 nyx gdm-smartcard][4045]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:33 nyx gdm-smartcard][4045]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:34 nyx gdm-smartcard][4045]: gkr-pam: no password is available for user
| Sep 12 10:19:34 nyx gdm-smartcard][4237]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:34 nyx gdm-smartcard][4237]: PAM adding faulty module: pam_sss.so
(I do not have libpam-sss installed - after I got this error I installed
it to see if I could unlock myself, but it didn't do much and I purged
it again).
I have not configured my machine to use gdm-smartcard (nor do I want
to); but I do have a lot of smartcard stuff installed due to other hobby
work. I have NSS set up to talk with OpenSC, but that's only for TLS
keying material via GNOME, not system login.
When I unplugged my Yubikey, which is both WebAuthn and an x.509
Smartcard, I was able to log in as usual.
My hunch is that I believe gdm-smartcard thinks it's supposed to kick
into gear and authenticate my smartcard, but it isn't configured to do
so (heck, it hasn't been told how to match my UPN/Email
SAN/Subject/Serial to UID, nor an x.509 CA to use for user
authentication). However, it kicking into gear has kicked me out of my
ability to login :)
I suspect the fix here is to explicitly toggle on gdm-smartcard when it's
properly configured, rather than implicitly running when the right deps
are installed and an x509 cert is found on an OpenSC token when it can't
properly authenticate it.
Fondly,
paultag
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.4.0-4-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gdm3 depends on:
ii accountsservice 23.13.9-4
ii adduser 3.137
ii cool-retro-term [x-terminal-emulator] 1.2.0+ds2-1+b1
ii dbus [default-dbus-system-bus] 1.14.10-1
ii dbus-bin 1.14.10-1
ii dbus-daemon 1.14.10-1
ii dconf-cli 0.40.0-4
ii dconf-gsettings-backend 0.40.0-4
ii debconf [debconf-2.0] 1.5.82
ii foot [x-terminal-emulator] 1.15.3-1
ii gir1.2-gdm-1.0 45~beta-1
ii gnome-session [x-session-manager] 44.0-4
ii gnome-session-bin 44.0-4
ii gnome-session-common 44.0-4
ii gnome-settings-daemon 45~rc-1
ii gnome-shell 44.4-1
ii gnome-terminal [x-terminal-emulator] 3.49.99-1
ii gsettings-desktop-schemas 45~rc-1
ii libaccountsservice0 23.13.9-4
ii libaudit1 1:3.1.1-1
ii libc6 2.37-8
ii libcanberra-gtk3-0 0.30-10
ii libcanberra0 0.30-10
ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+b1
ii libgdm1 45~beta-1
ii libglib2.0-0 2.78.0-1
ii libglib2.0-bin 2.78.0-1
ii libgtk-3-0 3.24.38-5
ii libgudev-1.0-0 238-2
ii libkeyutils1 1.6.3-2
ii libpam-modules 1.5.2-7
ii libpam-runtime 1.5.2-7
ii libpam-systemd [logind] 254.1-3
ii libpam0g 1.5.2-7
ii librsvg2-common 2.54.7+dfsg-2
ii libselinux1 3.5-1
ii libsystemd0 254.1-3
ii libx11-6 2:1.8.6-1
ii libxau6 1:1.0.9-1
ii libxcb1 1.15-1
ii libxdmcp6 1:1.1.2-3
ii polkitd 123-1
ii procps 2:4.0.3-1
ii systemd-sysv 254.1-3
ii ucf 3.0043+nmu1
ii x11-common 1:7.7+23
ii x11-xserver-utils 7.7+9+b1
ii xfce4-session [x-session-manager] 4.18.3-1
ii xfwm4 [x-window-manager] 4.18.0-1
ii xterm [x-terminal-emulator] 384-1
Versions of packages gdm3 recommends:
ii at-spi2-core 2.49.91-2
ii desktop-base 12.0.6+nmu1
ii gnome-session [x-session-manager] 44.0-4
ii x11-xkb-utils 7.7+7
ii xfce4-session [x-session-manager] 4.18.3-1
ii xserver-xephyr 2:21.1.8-1
ii xserver-xorg 1:7.7+23
ii zenity 3.44.2-1
Versions of packages gdm3 suggests:
pn libpam-fprintd <none>
ii libpam-gnome-keyring 42.1-1+b2
pn libpam-pkcs11 <none>
pn libpam-sss <none>
ii orca 44.1-2
-- debconf information excluded
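An added example, not part of the bug report and not code from gdm3 or Debian: a POSIX shell audit that lists the modules a PAM service file references but that are absent from the given module directories, which is the condition behind the "PAM unable to dlopen(pam_sss.so)" / "PAM adding faulty module" lines in the journal above, plus an extractor that pulls the faulty module names out of journal text. The service file, module directory and journal lines it runs on are constructed fixtures modelled on the report, not the packaged gdm-smartcard stack.

```sh
#!/bin/sh
# Added example (not from the bug report or the gdm3 package): find modules a
# PAM service file references that do not exist on disk. This is what produces
#   "PAM unable to dlopen(pam_sss.so): ... No such file or directory"
#   "PAM adding faulty module: pam_sss.so"
# and it lets you check a stack before a login manager tries to run it.

# pam_modules FILE
# Print the module files referenced by a PAM service file, one per line,
# first occurrence only. '@include' lines name another service file, not a
# module; they are skipped and not followed.
pam_modules() {
    sed -e 's/#.*//' "$1" \
    | awk '
        /^[[:space:]]*$/ { next }
        $1 == "@include" { next }
        {
            # PAM syntax: type control module-path [args]. The control field may
            # be a bracketed list containing spaces, e.g. [success=done default=ignore],
            # so take the first token ending in .so instead of a fixed column.
            for (i = 1; i <= NF; i++) if ($i ~ /\.so$/) { print $i; break }
        }' \
    | awk '!seen[$0]++'
}

# pam_missing_modules FILE LIBDIR...
# Print each module from FILE that does not resolve to a regular file, either
# as an absolute path or under one of the LIBDIRs. Exit status 1 if anything
# is missing, 0 if the stack is complete.
pam_missing_modules() {
    file=$1; shift
    rc=0
    for mod in $(pam_modules "$file"); do
        found=0
        case $mod in
            /*) if [ -f "$mod" ]; then found=1; fi ;;
            *)  for dir in "$@"; do
                    if [ -f "$dir/$mod" ]; then found=1; break; fi
                done ;;
        esac
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$mod"
            rc=1
        fi
    done
    return "$rc"
}

# faulty_modules
# Read journal lines on stdin and print the distinct module names that PAM
# itself reported as faulty, for correlating with the audit above.
faulty_modules() {
    sed -n 's/.*PAM adding faulty module: \([^ ]*\).*/\1/p' | awk '!seen[$0]++'
}

# demo_missing_modules
# Constructed fixture: a gdm-smartcard style stack that references pam_sss.so,
# and a fake module directory in which libpam-sss is not installed.
demo_missing_modules() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/security"
    for m in pam_env.so pam_unix.so pam_gnome_keyring.so; do
        : > "$tmp/security/$m"      # stand-ins for installed modules
    done
    cat > "$tmp/gdm-smartcard" <<'EOF'
# constructed sample, not Debian's packaged /etc/pam.d/gdm-smartcard
auth    required                        pam_env.so
auth    [success=done default=ignore]   pam_sss.so
auth    requisite                       pam_unix.so     nullok
auth    optional                        pam_gnome_keyring.so
@include common-account
session required                        pam_unix.so
EOF
    pam_missing_modules "$tmp/gdm-smartcard" "$tmp/security" && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if demo_missing_modules; then      # prints: pam_sss.so
    echo "stack complete"
else
    echo "stack references modules that are not installed"
fi
```

On the reporter's machine the equivalent check is `pam_missing_modules /etc/pam.d/gdm-smartcard /lib/x86_64-linux-gnu/security /lib/security` (the journal shows PAM searching /lib/security; the multiarch directory is where Debian amd64 installs modules). Because `@include` lines are not followed, run it on each included common-* file as well. The audit only tells you which module the stack expects and cannot load; it does nothing about the report's actual concern, which is that gdm-smartcard is selected at all when the stack has never been configured for smartcard login.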