[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
By default GDM switches to smartcard mode once one is plugged in, smartcard auth can be disabled at gdm level though, by changing the gsettings. sudo -u gdm env -u XDG_RUNTIME_DIR -u DISPLAY DCONF_PROFILE=gdm dbus-run-session \ gsettings set org.gnome.login-screen enable-smartcard-authentication false -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Confirmed Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
** Tags added: mantic -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Confirmed Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
I ran into this on a work machine today. I'd installed scdaemon, gnupg- pkcs11-scd, opensc-pkcs11, and pcsc-tools. One of these is what triggered the behavior - removing them restored normal login behavior. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Confirmed Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
** Changed in: gnome-shell (Ubuntu) Status: Fix Released => Confirmed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Confirmed Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
Update: a workaround to recover the "gdm user chooser" is to avoid the smartcard support from launching, which can be done editing this file /etc/xdg/autostart/org.gnome.SettingsDaemon.Smartcard.desktop comment out the existing "Exec" line, and add a new one pointing to this harmless do-nothing binary, /usr/bin/true The chooser now works. Still wondering how is it that 22.04 was working with no problem with my yubikey always plugged since June till November -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Fix Released Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
-- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Fix Released Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
I've been using 22.04 (fresh install) since June and today after a routine update this "bug" popped up. This is in a system that has a yubikey 4 permanently plugged in. It's weird that the bug just popped out of nowhere. The last workaround from wastrel worked great for me. Now in addition to this bug, GDM's "face chooser" disappeared, no longer shows up, on boot I get prompted for a username. 22.04 was supposed to be a stable long-term release :/ -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Fix Released Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
I finally upgraded to 22.04 and the workaround in my previous message is now also no longer working for me, though it had been in 21.04. Had to remove the YubiKey to log in. My new workaround is to add an option to the gdm-smartcard alternatives configuration that's just password, no smartcard. I added the final 2 lines in the file here: $ cat /var/lib/dpkg/alternatives/gdm-smartcard manual /etc/pam.d/gdm-smartcard /etc/pam.d/gdm-smartcard-pkcs11-exclusive 30 /etc/pam.d/gdm-smartcard-sssd-exclusive 50 /etc/pam.d/gdm-smartcard-sssd-or-password 40 /etc/pam.d/gdm-password 60 $ Now I choose that option using the same command as my previous workaround: $ sudo update-alternatives --config gdm-smartcard There are 4 choices for the alternative gdm-smartcard (providing /etc/pam.d/gdm-smartcard). SelectionPath Priority Status 0/etc/pam.d/gdm-password 60auto mode 1/etc/pam.d/gdm-smartcard-pkcs11-exclusive 30manual mode 2/etc/pam.d/gdm-smartcard-sssd-exclusive 50manual mode 3/etc/pam.d/gdm-smartcard-sssd-or-password 40manual mode * 4/etc/pam.d/gdm-password 60manual mode Press to keep the current choice[*], or type selection number: 4 $ This is slightly more dangerous than the previous workaround as you may mess up your gdm login completely if you edit the file incorrectly but removing the YubiKey should default you back to just password so you'll be able to fix it. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Fix Released Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
Encountered same issue today, its super annoying as none of the workarounds work, looking for a fix asap. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Fix Released Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
Also hitting this issue after upgrade to Ubuntu 22.04. The proposed workaround doesn't work for me either. I always have a Yubikey 5 Nano plugged into my device. The workaround to be able to login is to remove the Yubikey, then I can use the username and password, very annoying procedure for each login. PS: By mistake I changed the status to "Fix Released" and not able to rollback. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Fix Released Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
** Changed in: gnome-shell (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Fix Released Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
** Tags removed: hirsute -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Confirmed Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
** Tags added: jammy -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Confirmed Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
I'm hit by this issue and for me the suggested workaround doesn't work. My previous setup: - had the fingerprint auth enabled - have the Yubikey attached and **required** for auth (initial login as well as sudo) Previous behavior since this issue appearance: I wouldn't be able to log in with the key attached, but when not attached I would be able to log in with just a swipe of the finger (so, yubikey auth would be bypassed) Yesterday I have disabled fingerprints. Now I'm completely unable to login from the graphic login screen: - if the key is attached, the screen enforces the smartcard auth (I've tried changing the alternative, as suggested above). This doesn't work - if the key is not attached, I'm able to enter my password. Then the spinner is shown for some time (because the system tries to detect the key) and the error is displayed. If I plugged in the key at this stage (something that helped me before, albeit being inconvenient), the screen would jump again to the smartcrd auth The only way I can use my machine now is to go to the terminal session, login there (it works fine), then startx from there. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Confirmed Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
wastrel, you're my saviour! I wouldn't discover that there is an option in ages! I think this should be the default, actually, because as I've stated if sssd is not configured in the system we should use passwords, and if system administrator configures proper smartcard authentication only then should there be an option to forbid passwords. Actually, it looks even more strange that current option is sssd- exclusive when you can just unplug the key and get a password prompt anyway. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Confirmed Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
Yep this got me today. Unable to login due to YubiKey plugged in to the system. GDM sees the key and wants me to use it to authenticate, it's not set up for that and I had to pull the YubiKey to be able to log in with username & password. Poking around in /etc/pam.d/ I found there's a few options ror smartcard configuration, and as a workaround just enabled one that allows both password and smartcard auth: $ sudo update-alternatives --config gdm-smartcard There are 3 choices for the alternative gdm-smartcard (providing /etc/pam.d/gdm-smartcard). SelectionPath Priority Status 0/etc/pam.d/gdm-smartcard-sssd-exclusive 50auto mode 1/etc/pam.d/gdm-smartcard-pkcs11-exclusive 30manual mode 2/etc/pam.d/gdm-smartcard-sssd-exclusive 50manual mode * 3/etc/pam.d/gdm-smartcard-sssd-or-password 40manual mode Press to keep the current choice[*], or type selection number: -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Confirmed Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: gnome-shell (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Confirmed Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: gdm3 (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: Confirmed Status in gnome-shell package in Ubuntu: Confirmed Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
So... GDM actually just launches special session instance that is actually a login screen? Now it's even more weird that gnome-shell doesn't ask for PIN on lock screen. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: New Status in gnome-shell package in Ubuntu: New Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1933027] Re: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled
Assigning to gnome-shell (which implements the login GUI). ** Also affects: gnome-shell (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-shell in Ubuntu. https://bugs.launchpad.net/bugs/1933027 Title: Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled Status in gdm3 package in Ubuntu: New Status in gnome-shell package in Ubuntu: New Bug description: I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it. Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers: 1. I have the device providing smartcard plugged id, 2. But it's not the smartcard GDM would think it is as it's not configured properly, 3. There are no local smartcard-authenticating users right now in the system, 3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such). If I unplug the token UX goes back on old good track. Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined. I believe there is a more clear user experience: 1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether. 2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events. I've seen other OS doing this. Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method. ProblemType: Bug DistroRelease: Ubuntu 21.04 Package: gdm3 3.38.2.1-2ubuntu1 ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17 Uname: Linux 5.11.0-18-generic x86_64 NonfreeKernelModules: nvidia_modeset nvidia ApportVersion: 2.20.11-0ubuntu65.1 Architecture: amd64 CasperMD5CheckResult: unknown CurrentDesktop: ubuntu:GNOME Date: Sun Jun 20 14:02:02 2021 InstallationDate: Installed on 2017-03-05 (1567 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) ProcEnviron: TERM=tmux-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=ru_RU.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp