Bug#1051785: gdm3 won't allow logins when a smartcard/yubikey is plugged
Marco Trevisan
marco at ubuntu.com
Thu Jun 12 15:12:15 BST 2025
Hi,
On giu 12 2025, at 3:18 pm, Simon McVittie <smcv at debian.org> wrote:
> On Thu, 12 Jun 2025 at 14:24:36 +0200, Raphael Hertzog wrote:
>> On Sat, 27 Jul 2024, Luca Boccassi wrote:
>>> I can confirm this works (I too have a yubikey with a cert for
>>> unrelated purposes).
>>
>> So we should deploy this by default IMO. I have setup a new computer
>> today and I have again been bitten by this issue. Increasing severity
>> to attract more eyes and maybe trigger an upload.
>
> As I said before, I'd prefer to have our expert on smart cards
> involved
> in this, rather than second-guessing his design.
>
> Marco: can we set
>
> [org/gnome/login-screen]
> enable-smartcard-authentication=false
>
> by default in /etc/gdm3/greeter.dconf-defaults? That would be one more
> thing that sysadmins have to adjust when they enrol smart cards for
> authentication, but it seems preferable to having Yubikey/Nitrokey
> users
> unable to log in by default.
In debian we actually have the `gdm-auth-config` that should allow to
manage this without having to handle this, it also allows to use distro
scripts (I did put one in our gdm's debian/* folder) that should handle
things, but it may need tunings since my testing was quite in the past
compared to when it landed upstream.
So... I feel that such tool should be instead used to setup things,
while it can be used by sysadmins quickly, in theory, to enable it back
More information about the pkg-gnome-maintainers
mailing list