Bug#1051785: gdm3 won't allow logins when a smartcard/yubikey is plugged
Simon McVittie
smcv at debian.org
Thu Jun 12 15:40:04 BST 2025
On Thu, 12 Jun 2025 at 16:12:15 +0200, Marco Trevisan wrote:
>On giu 12 2025, at 3:18 pm, Simon McVittie <smcv at debian.org> wrote:
>In debian we actually have the `gdm-auth-config` that should allow to
>manage this without having to handle this, it also allows to use distro
>scripts (I did put one in our gdm's debian/* folder) that should handle
>things, but it may need tunings since my testing was quite in the past
>compared to when it landed upstream.
>
>So... I feel that such tool should be instead used to setup things,
>while it can be used by sysadmins quickly, in theory, to enable it back
Are you aware of the issue reported as #1051785?
The short version is that the default configuration of gdm is such that,
if a user has a smart card (e.g. Yubikey) plugged in, but *has not*
enrolled it for smartcard authentication, then gdm doesn't work as
intended for ordinary username/password authentication. This seems bad.
It's great that there are tools available to partially or fully automate
smartcard authentication setup, but if the sysadmin has not done any
setup or enrolled any smart cards, the default needs to be something
where ordinary username/password authentication still works. I don't
want to undo your hard work on this, but we do need the common case to
be reliable.
smcv
More information about the pkg-gnome-maintainers
mailing list