** Description changed:

[ Impact ]

the pam profile for gdm-smartcard is missing. gdm refuses to login with a smartcard. Looking at ubuntu/+source/gdm3, other pam files are pregenerated into debian/ and installed from there; gdm-smartcard is left out.

[ Test case ]

1. When in GDM, insert a smartcard
2. The GDM interface should require for an user
3. The user should be set (or empty may be provided, depending on sssd configuration)
4. The smartcard PIN should be requested and once introduce the user must login.

Note that this requires configuring sssd before, a simple local configuration could require having sssd.conf filled with:

```ini
[sssd]
enable_files_domain = True
services = pam

[certmap/implicit_files/$USER]
matchrule = <SUBJECT>.*YOUR CARD IDENTIFIER*

[pam]
pam_cert_auth = True
```

The UI authentication can also be simulated via pamtester:

# Must be ran as user
sudo apt install pamtester
pamtester -v gdm-smartcard $USER authenticate

Expected output is

+ pamtester -v gdm-smartcard ubuntu authenticate
pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...)
pamtester: performing operation - authenticate
PIN for Test Organization Sub Int Token:
pamtester: successfully authenticated

---

Alternatively, if no smartcard or hardware is available, this can be tested and simulated using these scripts (they will reset the system setup at each run, but it's suggested to run them in a VM, lxd container or in a test installation):

- https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a + https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a - sudo apt install gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin && \ - sudo apt-mark auto gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin + sudo apt-mark auto gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin - wget https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-gdm-smartcard-pam-auth-tester.sh - - sudo sssd-gdm-smartcard-pam-auth-tester.sh + - wget https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-softhism2-certificates-tests.sh + - sudo bash ./sssd-gdm-smartcard-pam-auth-tester.sh

The script will generate some fake CA authority, issue some certificates, will install them in some software-based smartcards (using softhsm2) and test that they work properly to login with gdm-smartcard.

Using `WAIT` environment variable set (to any value) will make it to restart gdm at each iteration so that an user can try to access, using the username that launched the script and the pin of 123456.

[ Regression potential ]

Smartcard authentication using custom methods using via a custom configured system nss database may not work anymore.
---
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gdm3 3.28.3-0ubuntu18.04.4
ProcVersionSignature: Ubuntu 5.3.0-24.26~18.04.2-generic 5.3.10
Uname: Linux 5.3.0-24-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7.11
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Fri Feb 28 14:30:30 2020
InstallationDate: Installed on 2016-05-23 (1376 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.gdm3.Xsession: 2018-04-27T11:41:04.766901
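
Review bot: In the added test-case commands the script that is downloaded is not the script that is run. The added `wget` line fetches `sssd-softhism2-certificates-tests.sh`, while the added `sudo bash` line executes `./sssd-gdm-smartcard-pam-auth-tester.sh`, whose own `wget` is on a removed line, so a tester following the new steps has nothing to run. Either add back a download of `sssd-gdm-smartcard-pam-auth-tester.sh` or state that the first script provides it. Because the script is executed with `sudo` from a gist `raw` URL that carries no revision, linking a specific gist revision would let testers confirm they run the version that was reviewed.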
--
You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gdm3 in Ubuntu.
https://bugs.launchpad.net/bugs/1865226

Title:
  gdm-smartcard pam config needs to be updated for Ubuntu and installed