Public bug reported:

I own a YubiKey 5 Nano.

In Ubuntu 23.10 I had configured login to GNOME using the YubiKey so that when I started the OS with the YubiKey inserted and clicked on my username on the login screen, I was offered to touch the YubiKey, and when I did, the login succeeded ✓.

But when I upgraded to Ubuntu 24.04 beta, the login screen only prompts me to enter a password and no "touch" method is offered anymore 🐛.

Note that YubiKey auth works well e.g. for "sudo":

---
$ sudo apt update
Please touch the device.
...

This is my GDM policy configuration

/etc/pam.d/gdm-password
-----------------------
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
@include common-u2f
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
# pam_selinux.so changes the SELinux context of the used TTY and configures
# SELinux in order to transition to the user context with the next execve()
# call.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-session
session optional pam_gnome_keyring.so auto_start
@include common-password

/etc/pam.d/common-u2f
---------------------
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue

Used SW and HW:
---------------
* HW: laptop Yoga Slim 7 14ARE05
* SW:
  * Ubuntu 24.04
  * kernel 6.8.0-22-generic
  * gdm3 46.0-2ubuntu1, I'm using default Wayland session
  * libpam-yubico 2.26-1.1build2

** Affects: gdm3 (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

I own YubiKey 5 Nano. In Ubuntu 23.10 I had configured a login to Gnome using YubiKey so that when I started OS with YubiKey inserted, clicked on my username in login screen, I was offered to touch YubiKey and when I did it, then a login succeeded ✓. But when I upgraded to Ubuntu 24.04 beta, in login screen I'm prompted by entering of password only and no "touch" method is offered anymore 🐛. Note that YubiKey auth works well e.g. for "sudo": --- $ sudo apt update Please touch the device. - ... - + ... This is my GDM policy configuration /etc/pam.d/gdm-password ----------------------- #%PAM-1.0 auth requisite pam_nologin.so auth required pam_succeed_if.so user != root quiet_success @include common-u2f @include common-auth auth optional pam_gnome_keyring.so @include common-account - # SELinux needs to be the first session rule. This ensures that any - # lingering context has been cleared. Without this it is possible + # SELinux needs to be the first session rule. This ensures that any + # lingering context has been cleared. Without this it is possible # that a module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close session required pam_loginuid.so # SELinux needs to intervene at login time to ensure that the process # starts in the proper default security context. Only sessions which are # intended to run in the user's context should be run after this. # pam_selinux.so changes the SELinux context of the used TTY and configures # SELinux in order to transition to the user context with the next execve() # call. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open session optional pam_keyinit.so force revoke session required pam_limits.so session required pam_env.so readenv=1 session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale @include common-session session optional pam_gnome_keyring.so auto_start @include common-password - /etc/pam.d/common-u2f --------------------- auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue - Used SW: - -------- - * Ubuntu 24.04 - * kernel 6.8.0-22-generic - * gdm3 46.0-2ubuntu1, I'm using default Wayland session - * libpam-yubico 2.26-1.1build2 + Used SW and HW: + --------------- + * HW: laptop Yoga Slim 7 14ARE05 + * SW: + * Ubuntu 24.04 + * kernel 6.8.0-22-generic + * gdm3 46.0-2ubuntu1, I'm using default Wayland session + * libpam-yubico 2.26-1.1build2

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to gdm3 in Ubuntu.
https://bugs.launchpad.net/bugs/2061235

Title:
  Login screen doesn't offer authentication using Yubikey after upgrade 23.10 => 24.04

Status in gdm3 package in Ubuntu:
  New
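
An added example, not part of the bug report or of any project's code: a small Python resolver that expands the @include lines of the gdm-password service quoted in the report into the effective auth stack, so the position and control flag of pam_u2f.so can be checked. The common-auth and common-account contents are assumed stand-ins (the report does not show them), and the function names are hypothetical.

```python
import re

# Constructed input: gdm-password (abridged) and common-u2f carry the auth lines
# quoted in the report; common-auth and common-account are assumed stand-ins.
PAM_FILES = {
    "gdm-password": (
        "#%PAM-1.0\n"
        "auth requisite pam_nologin.so\n"
        "auth required pam_succeed_if.so user != root quiet_success\n"
        "@include common-u2f\n"
        "@include common-auth\n"
        "auth optional pam_gnome_keyring.so\n"
        "@include common-account\n"
        "session required pam_loginuid.so\n"
    ),
    "common-u2f": "auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue\n",
    "common-auth": (
        "auth [success=1 default=ignore] pam_unix.so nullok\n"
        "auth requisite pam_deny.so\n"
        "auth required pam_permit.so\n"
    ),
    "common-account": "account required pam_unix.so\n",
}

# Fields: type, control (single word or [bracketed list]), module, optional args.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def flatten(service, files, kind="auth", _seen=()):
    """Expand @include and return [(file, control, module, args)] for one PAM type."""
    if service in _seen:
        raise ValueError(f"include loop via {service}")
    stack = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if line.startswith("@include"):
            stack += flatten(line.split()[1], files, kind, _seen + (service,))
            continue
        m = RULE.match(line)
        if m and m.group(1) == kind:
            stack.append((service, m.group(2), m.group(3), m.group(4)))
    return stack

def ends_stack_on_success(stack):
    """Modules whose success ends the stack early (sufficient or success=done)."""
    return [mod for _, ctl, mod, _ in stack if ctl == "sufficient" or "success=done" in ctl]

if __name__ == "__main__":
    for row in flatten("gdm-password", PAM_FILES):
        print(*row)
```

On a live system the same functions can be fed a dict built from the files under /etc/pam.d instead of the constructed strings.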