Bug#1051785: gdm3 won't allow logins when a smartcard with an x.509 credential is plugged in
Raphael Hertzog
hertzog at debian.org
Thu Sep 14 10:25:57 BST 2023
Hello,
On Tue, 12 Sep 2023, Paul Tagliamonte wrote:
> I upgraded my sid system, and post-upgrade gdm3 isn't showing my face
> when I reboot, and entering my username causes it to loop back to
> username entry again (no password prompt). After some help from smcv, I
> narrowed down the issue to the interactions between my smartcard
> development tools installed locally and gdm3.
In my case, I don't have any "smartcard development tools" (at least not
on purpose), I just have a smartcard inserted with a single GPG key used
for "authentication" (i.e. mainly for SSH logins).
$ gpg --card-status
Reader ...........: Alcor Micro AU9540 00 00
Application ID ...: D2760001240102010005000040DD0000
Application type .: OpenPGP
Version ..........: 2.1
Manufacturer .....: ZeitControl
[...]
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: 1CAC 8718 CAA0 C7B9 1EC0 E907 F1CA EE10 6CE6 97F8
created ....: 2022-01-19 08:31:51
> (I do not have libpam-sss installed - after I got this error I installed
> it to see if I could unlock myself, but it didn't do much and I purged
> it again).
At least after I installed libpam-sss, I got an error message asking me
to introduce another smartcard so we could indeed figure out that it was
related to the smartcard.
> My hunch is that I believe gdm-smartcard thinks it's supposed to kick
> into gear and authenticate my smartcard, but it isn't configured to do
> so (heck, it hasn't been told how to match my UPN/Email
> SAN/Subject/Serial to UID, nor an x.509 CA to use for user
> authentication). However, it kicking into gear has kicked me out of my
> ability to login :)
That's likely due to the fact that gdm-smartcard's required dependencies
(at least libpam-sss) were missing. So yeah, it seems that
gdm-smartcard should have a better failure mode when its prerequisites are
missing.
Putting here the reportbug generated info for the computer where I
experienced the issue:
Debian Release: trixie/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable-security'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.4.0-4-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gdm3 depends on:
ii accountsservice 23.13.9-4
ii adduser 3.137
ii dbus [default-dbus-system-bus] 1.14.10-1
ii dbus-bin 1.14.10-1
ii dbus-daemon 1.14.10-1
ii dconf-cli 0.40.0-4
ii dconf-gsettings-backend 0.40.0-4
ii debconf [debconf-2.0] 1.5.82
ii gir1.2-gdm-1.0 45~beta-1
ii gnome-session [x-session-manager] 44.0-4
ii gnome-session-bin 44.0-4
ii gnome-session-common 44.0-4
ii gnome-settings-daemon 45~rc-1
ii gnome-shell 44.4-1
ii gnome-terminal [x-terminal-emulator] 3.49.99-1
ii gsettings-desktop-schemas 45~rc-1
ii libaccountsservice0 23.13.9-4
ii libaudit1 1:3.1.1-1
ii libc6 2.37-7
ii libcanberra-gtk3-0 0.30-10
ii libcanberra0 0.30-10
ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+b1
ii libgdm1 45~beta-1
ii libglib2.0-0 2.78.0-1
ii libglib2.0-bin 2.78.0-1
ii libgtk-3-0 3.24.38-5
ii libgudev-1.0-0 237-2
ii libkeyutils1 1.6.3-2
ii libpam-modules 1.5.2-7
ii libpam-runtime 1.5.2-7
ii libpam-systemd [logind] 254.1-3
ii libpam0g 1.5.2-7
ii librsvg2-common 2.54.7+dfsg-2
ii libselinux1 3.5-1
ii libsystemd0 254.1-3
ii libx11-6 2:1.8.6-1
ii libxau6 1:1.0.9-1
ii libxcb1 1.15-1
ii libxdmcp6 1:1.1.2-3
ii metacity [x-window-manager] 1:3.49.1-1
ii mutter [x-window-manager] 44.4-2
ii polkitd 123-1
ii procps 2:4.0.3-1
ii systemd-sysv 254.1-3
ii ucf 3.0043+nmu1
ii x11-common 1:7.7+23
ii x11-xserver-utils 7.7+9+b1
ii xterm [x-terminal-emulator] 384-1
Versions of packages gdm3 recommends:
ii at-spi2-core 2.49.91-2
ii desktop-base 12.0.6+nmu1
ii gnome-session [x-session-manager] 44.0-4
ii x11-xkb-utils 7.7+7
ii xserver-xephyr 2:21.1.8-1
ii xserver-xorg 1:7.7+23
ii zenity 3.44.2-1
Versions of packages gdm3 suggests:
pn libpam-fprintd <none>
ii libpam-gnome-keyring 42.1-1+b2
pn libpam-pkcs11 <none>
pn libpam-sss <none>
ii orca 44.1-2
Cheers,
--
⢀⣴⠾⠻⢶⣦⠀ Raphaël Hertzog <hertzog at debian.org>
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋ The Debian Handbook: https://debian-handbook.info/get/
⠈⠳⣄⠀⠀⠀⠀ Debian Long Term Support: https://deb.li/LTS
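
Added example, not part of the original message and not code from gdm3 or Debian: a shell check for the condition suspected above, a PAM service file that names a module (such as pam_sss.so from libpam-sss) which is not installed. The function name, the fixture contents and the paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list PAM modules a service file names that are not on disk.
# usage: missing_pam_modules SERVICE_FILE MODULE_DIR
# @include / include / substack lines are skipped, not followed.
missing_pam_modules() {
    svc=$1
    moddir=$2
    # Drop comments; collapse a bracketed control such as
    # "[success=ok default=die]" to one word so the fields split cleanly.
    sed -e 's/#.*//' -e 's/\[[^]]*]/CTRL/' "$svc" |
    while read -r type control module _args || [ -n "$type" ]; do
        case $type in ''|@include) continue ;; esac
        case $control in include|substack) continue ;; esac
        [ -n "$module" ] || continue
        case $module in
            /*) path=$module ;;          # absolute module path
            *)  path=$moddir/$module ;;  # relative to the module directory
        esac
        [ -e "$path" ] || printf '%s\n' "$module"
    done | LC_ALL=C sort -u
}

# Constructed fixture (not Debian's shipped gdm-smartcard file).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/security"
    touch "$tmp/security/pam_nologin.so" "$tmp/security/pam_keyinit.so"
    cat > "$tmp/gdm-smartcard" <<'EOF'
# constructed sample
auth     requisite                 pam_nologin.so
auth     [success=ok default=die]  pam_sss.so
@include common-account
session  optional                  pam_keyinit.so force revoke
EOF
    missing_pam_modules "$tmp/gdm-smartcard" "$tmp/security"
    rm -rf "$tmp"
}

demo
```

On an installed system the arguments would be the service file under /etc/pam.d and the PAM module directory (on Debian amd64, /lib/x86_64-linux-gnu/security); the exact service file name used by gdm3 is an assumption to verify locally.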