Bug#1051785: gdm3 won't allow logins when a smartcard/yubikey is plugged
Simon McVittie
smcv at debian.org
Thu Jul 10 15:16:32 BST 2025
On Thu, 10 Jul 2025 at 14:12:20 +0100, Simon McVittie wrote:
>Workarounds and possible solutions
>==================================
>
>enable-smartcard-authentication=false
...
>This is the brute-force approach that makes sure password
>authentication definitely always works as expected, at the cost of
>completely disabling smartcard support.
>Use gdm-smartcard-sssd-or-password by default
...
>The GNOME team could change gdm3 to swap the alternatives priority of
>/etc/pam.d/gdm-smartcard-sssd-exclusive (currently 50) and
>/etc/pam.d/gdm-smartcard-sssd-or-password (currently 40) so that the
>latter becomes the new default. If we do, the cost is that sysadmins
>who want to forbid password authentication will have to adjust the
>alternatives to use /etc/pam.d/gdm-smartcard-sssd-exclusive (or
>/etc/pam.d/gdm-smartcard-pkcs11-exclusive) instead.

Both of these are implemented in
<https://salsa.debian.org/gnome-team/gdm/-/merge_requests/30>. We should
either choose one of them and revert the other, or do both, or do some
fourth thing that I am not clever enough to think of instead.

Feedback welcome on which one we should prefer, especially from Marco.

smcv