Subject: gdm3 won't allow logins when a smartcard with an x.509 credential is plugged in
Package: gdm3
Version: 45~beta-1
Severity: important
thanks

Hey GNOME maintainers,

I upgraded my sid system, and post-upgrade gdm3 isn't showing my face
when I reboot, and entering my username causes it to loop back to
username entry again (no password prompt). After some help from smcv, I
narrowed down the issue to the interactions between my smartcard
development tools installed locally and gdm3.

The journal shows the following output:

| Sep 12 10:18:47 nyx gdm-launch-environment][1851]: pam_unix(gdm-launch-environment:session): session opened for user Debian-gdm(uid=116) by (uid=0)
| Sep 12 10:18:49 nyx gdm-smartcard][2749]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:18:49 nyx gdm-smartcard][2749]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:02 nyx gdm-smartcard][2749]: gkr-pam: no password is available for user
| Sep 12 10:19:02 nyx gdm-smartcard][3505]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:02 nyx gdm-smartcard][3505]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:03 nyx gdm-smartcard][3505]: gkr-pam: no password is available for user
| Sep 12 10:19:03 nyx gdm-smartcard][3512]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:03 nyx gdm-smartcard][3512]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:33 nyx gdm-smartcard][4045]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:33 nyx gdm-smartcard][4045]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:34 nyx gdm-smartcard][4045]: gkr-pam: no password is available for user
| Sep 12 10:19:34 nyx gdm-smartcard][4237]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:34 nyx gdm-smartcard][4237]: PAM adding faulty module: pam_sss.so

(I do not have libpam-sss installed - after I got this error I installed
 it to see if I could unlock myself, but it didn't do much and I purged
 it again).

I have not configured my machine to use gdm-smartcard (nor do I want
to); but I do have a lot of smartcard stuff installed due to other hobby
work. I have NSS set up to talk with OpenSC, but that's only for TLS
keying material via GNOME, not system login.

When I unplugged my Yubikey, which is both WebAuthN and an x.509
Smartcard, I was able to log in as usual.

My hunch is that I believe gdm-smartcard thinks it's supposed to kick
into gear and authenticate my smartcard, but it isn't configured to do
so (heck, it hasn't been told how to match my UPN/Email
SAN/Subject/Serial to UID, nor an x.509 CA to use for user
authentication). However, it kicking into gear has kicked me out of my
ability to log in :)

I suspect the fix here is to explicitly toggle on gdm-smartcard when it's
properly configured, rather than implicitly running when the right deps
are installed and an x509 cert is found on an OpenSC token when it can't
properly authenticate it.

Fondly,
  paultag


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.4.0-4-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gdm3 depends on:
ii  accountsservice                        23.13.9-4
ii  adduser                                3.137
ii  cool-retro-term [x-terminal-emulator]  1.2.0+ds2-1+b1
ii  dbus [default-dbus-system-bus]         1.14.10-1
ii  dbus-bin                               1.14.10-1
ii  dbus-daemon                            1.14.10-1
ii  dconf-cli                              0.40.0-4
ii  dconf-gsettings-backend                0.40.0-4
ii  debconf [debconf-2.0]                  1.5.82
ii  foot [x-terminal-emulator]             1.15.3-1
ii  gir1.2-gdm-1.0                         45~beta-1
ii  gnome-session [x-session-manager]      44.0-4
ii  gnome-session-bin                      44.0-4
ii  gnome-session-common                   44.0-4
ii  gnome-settings-daemon                  45~rc-1
ii  gnome-shell                            44.4-1
ii  gnome-terminal [x-terminal-emulator]   3.49.99-1
ii  gsettings-desktop-schemas              45~rc-1
ii  libaccountsservice0                    23.13.9-4
ii  libaudit1                              1:3.1.1-1
ii  libc6                                  2.37-8
ii  libcanberra-gtk3-0                     0.30-10
ii  libcanberra0                           0.30-10
ii  libgdk-pixbuf-2.0-0                    2.42.10+dfsg-1+b1
ii  libgdm1                                45~beta-1
ii  libglib2.0-0                           2.78.0-1
ii  libglib2.0-bin                         2.78.0-1
ii  libgtk-3-0                             3.24.38-5
ii  libgudev-1.0-0                         238-2
ii  libkeyutils1                           1.6.3-2
ii  libpam-modules                         1.5.2-7
ii  libpam-runtime                         1.5.2-7
ii  libpam-systemd [logind]                254.1-3
ii  libpam0g                               1.5.2-7
ii  librsvg2-common                        2.54.7+dfsg-2
ii  libselinux1                            3.5-1
ii  libsystemd0                            254.1-3
ii  libx11-6                               2:1.8.6-1
ii  libxau6                                1:1.0.9-1
ii  libxcb1                                1.15-1
ii  libxdmcp6                              1:1.1.2-3
ii  polkitd                                123-1
ii  procps                                 2:4.0.3-1
ii  systemd-sysv                           254.1-3
ii  ucf                                    3.0043+nmu1
ii  x11-common                             1:7.7+23
ii  x11-xserver-utils                      7.7+9+b1
ii  xfce4-session [x-session-manager]      4.18.3-1
ii  xfwm4 [x-window-manager]               4.18.0-1
ii  xterm [x-terminal-emulator]            384-1

Versions of packages gdm3 recommends:
ii  at-spi2-core                       2.49.91-2
ii  desktop-base                       12.0.6+nmu1
ii  gnome-session [x-session-manager]  44.0-4
ii  x11-xkb-utils                      7.7+7
ii  xfce4-session [x-session-manager]  4.18.3-1
ii  xserver-xephyr                     2:21.1.8-1
ii  xserver-xorg                       1:7.7+23
ii  zenity                             3.44.2-1

Versions of packages gdm3 suggests:
pn  libpam-fprintd        <none>
ii  libpam-gnome-keyring  42.1-1+b2
pn  libpam-pkcs11         <none>
pn  libpam-sss            <none>
ii  orca                  44.1-2

-- debconf information excluded
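
An added example, not part of the original report: a small Python triage helper that scans journal text for the `PAM unable to dlopen(...)` lines quoted above and groups them by PAM service and module, so a stack that references an uninstalled module stands out. The regular expression is an assumption based on the line format shown in this report, the function names are hypothetical, and the sample is a subset of the report's log lines re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the journal lines from the report, one entry per line.
SAMPLE_JOURNAL = """\
Sep 12 10:18:47 nyx gdm-launch-environment][1851]: pam_unix(gdm-launch-environment:session): session opened for user Debian-gdm(uid=116) by (uid=0)
Sep 12 10:18:49 nyx gdm-smartcard][2749]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
Sep 12 10:18:49 nyx gdm-smartcard][2749]: PAM adding faulty module: pam_sss.so
Sep 12 10:19:02 nyx gdm-smartcard][2749]: gkr-pam: no password is available for user
Sep 12 10:19:02 nyx gdm-smartcard][3505]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
Sep 12 10:19:03 nyx gdm-smartcard][3512]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
Sep 12 10:19:33 nyx gdm-smartcard][4045]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
Sep 12 10:19:34 nyx gdm-smartcard][4237]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
"""

# Assumed shape: "<service>][<pid>]: PAM unable to dlopen(<module>): <path>: <reason>"
# The "]" before "[<pid>]" is optional so ordinary "name[pid]:" identifiers match too.
DLOPEN_RE = re.compile(
    r"\s(?P<service>[\w.-]+)\]?\[(?P<pid>\d+)\]: "
    r"PAM unable to dlopen\((?P<module>[^)]+)\): (?P<path>[^:]+): "
)


def faulty_pam_modules(journal_text):
    """Map each PAM service to the modules it failed to load and the PIDs that tried."""
    found = defaultdict(lambda: defaultdict(set))
    for line in journal_text.splitlines():
        m = DLOPEN_RE.search(line)
        if m:
            found[m["service"]][m["module"]].add(int(m["pid"]))
    return {svc: {mod: sorted(pids) for mod, pids in mods.items()}
            for svc, mods in found.items()}


def report(journal_text):
    """One summary line per (service, module) pair that failed to load."""
    lines = []
    for svc, mods in sorted(faulty_pam_modules(journal_text).items()):
        for mod, pids in sorted(mods.items()):
            lines.append(f"{svc}: {mod} failed to load in {len(pids)} process(es), PIDs {pids}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_JOURNAL)))
```
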
