Hi, On giu 12 2025, at 3:18 pm, Simon McVittie <[email protected]> wrote:
> On Thu, 12 Jun 2025 at 14:24:36 +0200, Raphael Hertzog wrote: >> On Sat, 27 Jul 2024, Luca Boccassi wrote: >>> I can confirm this works (I too have a yubikey with a cert for >>> unrelated purposes). >> >> So we should deploy this by default IMO. I have setup a new computer >> today and I have again been bitten by this issue. Increasing severity >> to attract more eyes and maybe trigger an upload. > > As I said before, I'd prefer to have our expert on smart cards > involved > in this, rather than second-guessing his design. > > Marco: can we set > > [org/gnome/login-screen] > enable-smartcard-authentication=false > > by default in /etc/gdm3/greeter.dconf-defaults? That would be one more > thing that sysadmins have to adjust when they enrol smart cards for > authentication, but it seems preferable to having Yubikey/Nitrokey > users > unable to log in by default. In debian we actually have the `gdm-auth-config` that should allow to manage this without having to handle this, it also allows to use distro scripts (I did put one in our gdm's debian/* folder) that should handle things, but it may need tunings since my testing was quite in the past compared to when it landed upstream. So... I feel that such tool should be instead used to setup things, while it can be used by sysadmins quickly, in theory, to enable it back
