I finally upgraded to 22.04 and the workaround in my previous message is now also no longer working for me, though it had been in 21.04. Had to remove the YubiKey to log in.
My new workaround is to add an option to the gdm-smartcard alternatives configuration that's just password, no smartcard. I added the final 2 lines in the file here:

$ cat /var/lib/dpkg/alternatives/gdm-smartcard
manual
/etc/pam.d/gdm-smartcard
/etc/pam.d/gdm-smartcard-pkcs11-exclusive
30
/etc/pam.d/gdm-smartcard-sssd-exclusive
50
/etc/pam.d/gdm-smartcard-sssd-or-password
40
/etc/pam.d/gdm-password
60
$

Now I choose that option using the same command as my previous workaround:

$ sudo update-alternatives --config gdm-smartcard
There are 4 choices for the alternative gdm-smartcard (providing /etc/pam.d/gdm-smartcard).

  Selection    Path                                        Priority   Status
------------------------------------------------------------
  0            /etc/pam.d/gdm-password                      60        auto mode
  1            /etc/pam.d/gdm-smartcard-pkcs11-exclusive    30        manual mode
  2            /etc/pam.d/gdm-smartcard-sssd-exclusive      50        manual mode
  3            /etc/pam.d/gdm-smartcard-sssd-or-password    40        manual mode
* 4            /etc/pam.d/gdm-password                      60        manual mode

Press <enter> to keep the current choice[*], or type selection number: 4
$

This is slightly more dangerous than the previous workaround as you may mess up your gdm login completely if you edit the file incorrectly, but removing the YubiKey should default you back to just password so you'll be able to fix it.

-- 
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu.
https://bugs.launchpad.net/bugs/1933027

Title:
  Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled

Status in gdm3 package in Ubuntu:
  Confirmed
Status in gnome-shell package in Ubuntu:
  Fix Released

Bug description:
  I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprietary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it.

  Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers:

  1. I have the device providing smartcard plugged in,
  2. But it's not the smartcard GDM would think it is as it's not configured properly,
  3. There are no local smartcard-authenticating users right now in the system,
  4. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such).

  If I unplug the token UX goes back on old good track.

  Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined.

  I believe there is a more clear user experience:

  1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is what GDM usually does without smartcards altogether.
  2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this.

  Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method.

  ProblemType: Bug
  DistroRelease: Ubuntu 21.04
  Package: gdm3 3.38.2.1-2ubuntu1
  ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17
  Uname: Linux 5.11.0-18-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.20.11-0ubuntu65.1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Sun Jun 20 14:02:02 2021
  InstallationDate: Installed on 2017-03-05 (1567 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  ProcEnviron:
   TERM=tmux-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=ru_RU.UTF-8
   SHELL=/bin/bash
  SourcePackage: gdm3
  UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
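
Added example, not part of the message above and not code from gdm3 or dpkg: a structural check to run on a copy of a hand-edited alternatives state file before relying on it, since the comment notes that an incorrect edit can break the GDM login. The function names are hypothetical, and the layout is an assumption: status, link, slave name/link pairs, a blank line, then path and priority (plus one line per slave) for each alternative, closed by a blank line.

```shell
#!/bin/sh
# Added example: sanity-check a dpkg alternatives state file after a manual edit.
# Assumed layout: status, link, (slave name, slave link)*, blank line, then per
# alternative: path, priority, one path line per slave; a blank line ends the list.
check_alternatives_db() {
    awk '
    function bad(msg) { printf "line %d: %s\n", NR, msg; errors++ }
    NR == 1 { if ($0 != "auto" && $0 != "manual") bad("status must be auto or manual"); next }
    NR == 2 { if ($0 !~ /^\//) bad("link must be an absolute path"); next }
    part == 0 {                                  # slave declarations
        if ($0 == "") { part = 1; per_alt = 2 + int(slave_lines / 2) }
        else slave_lines++
        next
    }
    part == 1 {                                  # alternatives
        if (field == 0 && $0 == "") { part = 2; next }
        if (field == 0) {
            count++
            if ($0 !~ /^\//) bad("alternative path must be absolute")
            else if (seen[$0]++) bad("duplicate alternative " $0)
        } else if (field == 1 && $0 !~ /^-?[0-9]+$/) {
            bad("priority must be an integer")
        }
        field = (field + 1) % per_alt
        next
    }
    part == 2 && $0 != "" { bad("content after the closing blank line") }
    END {
        if (part < 2) bad("file ends before the closing blank line")
        if (field != 0) bad("last alternative is incomplete")
        if (count == 0) bad("no alternatives listed")
        exit (errors > 0 ? 1 : 0)
    }' "$1"
}

# Constructed sample using the paths and priorities quoted in the message.
write_sample() {
    printf '%s\n' manual /etc/pam.d/gdm-smartcard '' \
        /etc/pam.d/gdm-smartcard-pkcs11-exclusive 30 \
        /etc/pam.d/gdm-smartcard-sssd-exclusive 50 \
        /etc/pam.d/gdm-smartcard-sssd-or-password 40 \
        /etc/pam.d/gdm-password 60 '' > "$1"
}

# Usage: sh check.sh /path/to/copy-of-state-file
if [ "$#" -gt 0 ]; then check_alternatives_db "$1"; fi
```

The check exits non-zero and prints one line per problem; it looks only at the file's structure and does not verify that the listed PAM files exist.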