Your message dated Sun, 13 Jul 2025 22:49:03 +0000
with message-id <[email protected]>
and subject line Bug#1051785: fixed in gdm3 48.0-2
has caused the Debian Bug report #1051785,
regarding gdm3 won't allow logins when a smartcard/yubikey is plugged
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1051785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051785
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Subject: gdm3 won't allow logins when a smartcard with an x.509 credential is
plugged in
Package: gdm3
Version: 45~beta-1
Severity: important
thanks
Hey GNOME maintainers,
I upgraded my sid system, and post-upgrade gdm3 isn't showing my face
when I reboot, and entering my username causes it to loop back to
username entry again (no password prompt). After some help from smcv, I
narrowed down the issue to the interactions between my smartcard
development tools installed locally and gdm3.
The journal shows the following output:
| Sep 12 10:18:47 nyx gdm-launch-environment][1851]: pam_unix(gdm-launch-environment:session): session opened for user Debian-gdm(uid=116) by (uid=0)
| Sep 12 10:18:49 nyx gdm-smartcard][2749]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:18:49 nyx gdm-smartcard][2749]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:02 nyx gdm-smartcard][2749]: gkr-pam: no password is available for user
| Sep 12 10:19:02 nyx gdm-smartcard][3505]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:02 nyx gdm-smartcard][3505]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:03 nyx gdm-smartcard][3505]: gkr-pam: no password is available for user
| Sep 12 10:19:03 nyx gdm-smartcard][3512]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:03 nyx gdm-smartcard][3512]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:33 nyx gdm-smartcard][4045]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:33 nyx gdm-smartcard][4045]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:34 nyx gdm-smartcard][4045]: gkr-pam: no password is available for user
| Sep 12 10:19:34 nyx gdm-smartcard][4237]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:34 nyx gdm-smartcard][4237]: PAM adding faulty module: pam_sss.so
(I do not have libpam-sss installed - after I got this error I installed
it to see if I could unlock myself, but it didn't do much and I purged
it again).
I have not configured my machine to use gdm-smartcard (nor do I want
to); but I do have a lot of smartcard stuff installed due to other hobby
work. I have NSS set up to talk with OpenSC, but that's only for TLS
keying material via GNOME, not system login.
When I unplugged my Yubikey, which is both WebAuthn and an x.509
smartcard, I was able to log in as usual.
My hunch is that I believe gdm-smartcard thinks it's supposed to kick
into gear and authenticate my smartcard, but it isn't configured to do
so (heck, it hasn't been told how to match my UPN/Email
SAN/Subject/Serial to UID, nor an x.509 CA to use for user
authentication). However, it kicking into gear has kicked me out of my
ability to log in :)
I suspect the fix here is to explicitly toggle on gdm-smartcard when it's
properly configured, rather than implicitly running when the right deps
are installed and an x509 cert is found on an OpenSC token when it can't
properly authenticate it.
Fondly,
paultag
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.4.0-4-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gdm3 depends on:
ii accountsservice 23.13.9-4
ii adduser 3.137
ii cool-retro-term [x-terminal-emulator] 1.2.0+ds2-1+b1
ii dbus [default-dbus-system-bus] 1.14.10-1
ii dbus-bin 1.14.10-1
ii dbus-daemon 1.14.10-1
ii dconf-cli 0.40.0-4
ii dconf-gsettings-backend 0.40.0-4
ii debconf [debconf-2.0] 1.5.82
ii foot [x-terminal-emulator] 1.15.3-1
ii gir1.2-gdm-1.0 45~beta-1
ii gnome-session [x-session-manager] 44.0-4
ii gnome-session-bin 44.0-4
ii gnome-session-common 44.0-4
ii gnome-settings-daemon 45~rc-1
ii gnome-shell 44.4-1
ii gnome-terminal [x-terminal-emulator] 3.49.99-1
ii gsettings-desktop-schemas 45~rc-1
ii libaccountsservice0 23.13.9-4
ii libaudit1 1:3.1.1-1
ii libc6 2.37-8
ii libcanberra-gtk3-0 0.30-10
ii libcanberra0 0.30-10
ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+b1
ii libgdm1 45~beta-1
ii libglib2.0-0 2.78.0-1
ii libglib2.0-bin 2.78.0-1
ii libgtk-3-0 3.24.38-5
ii libgudev-1.0-0 238-2
ii libkeyutils1 1.6.3-2
ii libpam-modules 1.5.2-7
ii libpam-runtime 1.5.2-7
ii libpam-systemd [logind] 254.1-3
ii libpam0g 1.5.2-7
ii librsvg2-common 2.54.7+dfsg-2
ii libselinux1 3.5-1
ii libsystemd0 254.1-3
ii libx11-6 2:1.8.6-1
ii libxau6 1:1.0.9-1
ii libxcb1 1.15-1
ii libxdmcp6 1:1.1.2-3
ii polkitd 123-1
ii procps 2:4.0.3-1
ii systemd-sysv 254.1-3
ii ucf 3.0043+nmu1
ii x11-common 1:7.7+23
ii x11-xserver-utils 7.7+9+b1
ii xfce4-session [x-session-manager] 4.18.3-1
ii xfwm4 [x-window-manager] 4.18.0-1
ii xterm [x-terminal-emulator] 384-1
Versions of packages gdm3 recommends:
ii at-spi2-core 2.49.91-2
ii desktop-base 12.0.6+nmu1
ii gnome-session [x-session-manager] 44.0-4
ii x11-xkb-utils 7.7+7
ii xfce4-session [x-session-manager] 4.18.3-1
ii xserver-xephyr 2:21.1.8-1
ii xserver-xorg 1:7.7+23
ii zenity 3.44.2-1
Versions of packages gdm3 suggests:
pn libpam-fprintd <none>
ii libpam-gnome-keyring 42.1-1+b2
pn libpam-pkcs11 <none>
pn libpam-sss <none>
ii orca 44.1-2
-- debconf information excluded
--- End Message ---
--- Begin Message ---
Source: gdm3
Source-Version: 48.0-2
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
gdm3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated gdm3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 13 Jul 2025 20:08:32 +0100
Source: gdm3
Architecture: source
Version: 48.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1051785 1096689 1105057
Changes:
 gdm3 (48.0-2) unstable; urgency=medium
 .
   * Team upload
   * d/greeter.dconf-defaults: Remove non-functional theming options.
     The visual design of the greeter (login prompt) is no longer intended
     to be configurable, and in particular the background is no longer
     configurable, so none of the background-related settings have any
     effect. The greeter also does not use GTK, so changing the GTK
     theme has no effect on it.
     Remove these options from the default configuration file so that
     they will not mislead sysadmins. (Closes: #1105057)
   * d/greeter.dconf-defaults: Add some useful example options.
     Disabling fingerprint authentication is one of the examples given
     in the GNOME System Administration Guide. The steps from that guide
     won't actually work as-is on Debian (because we use a different
     username for the greeter, #1107944) but we can make it as easy as
     possible to do the equivalent.
     Meanwhile, disabling smartcard authentication is a way to avoid the
     presence of a smartcard having the side-effect of disabling the user
     list, and in some configurations also the ability to log in with a
     password (#1051785).
   * d/gdm3.alternatives: When smart card authentication is re-enabled,
     make gdm-smartcard-sssd-or-password the default.
     With the previous default, gdm-smartcard-sssd-exclusive, if a smart
     card was plugged in and libpam-sss was installed, we would reject
     attempts to log in with a password. This is the most-hardened choice
     if smart cards are being used for authentication, but prevents login
     if the smart card has not been enrolled for authentication and is
     actually being used for some other purpose such as OpenPGP or X509.
     (Closes: #1051785)
   * d/greeter.dconf-defaults: Disable smartcard authentication by default.
     Enabling smartcard authentication has side-effects on other aspects of
     greeter behaviour if a compatible smartcard happens to be connected:
     in particular, it disables the user list, resulting in users being
     required to type their username to log in.
     Enrolling smartcards to be used for authentication requires sysadmin
     action, so it seems reasonable to require the sysadmin to take action
     to enable it after they have done the necessary enrolment step.
     (Closes: #1051785)
   * d/p/gdm-settings-utils-rename-variable-to-fix-build-with-gcc-.patch:
     Add patch from upstream 49.alpha.0 to fix FTBFS in C23 mode.
     This won't become relevant until gcc 15 becomes the default during
     the forky cycle, but is a harmless change while we're uploading anyway.
     (Closes: #1096689)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
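Added example, not part of the original messages or of the gdm3 packaging: a Python triage that scans journal text for PAM services whose stack names a module that cannot be loaded, which is the symptom shown in the report. The sample lines are a subset of the report's journal output with mail wrapping re-joined; the function name `triage` and the result fields are illustrative.

```python
import re
from collections import defaultdict

# Journal lines from the report above, mail wrapping re-joined (subset).
SAMPLE = """\
Sep 12 10:18:47 nyx gdm-launch-environment][1851]: pam_unix(gdm-launch-environment:session): session opened for user Debian-gdm(uid=116) by (uid=0)
Sep 12 10:18:49 nyx gdm-smartcard][2749]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
Sep 12 10:18:49 nyx gdm-smartcard][2749]: PAM adding faulty module: pam_sss.so
Sep 12 10:19:02 nyx gdm-smartcard][2749]: gkr-pam: no password is available for user
Sep 12 10:19:02 nyx gdm-smartcard][3505]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
Sep 12 10:19:02 nyx gdm-smartcard][3505]: PAM adding faulty module: pam_sss.so
Sep 12 10:19:03 nyx gdm-smartcard][3512]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
"""

# "<month> <day> <time> <host> <service>][<pid>]: <message>"; the stray "]"
# after the service name is how these GDM workers appear in the report.
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?P<svc>[\w.-]+)\]?\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
DLOPEN = re.compile(r"PAM unable to dlopen\((?P<mod>[^)]+)\): (?P<path>\S+): ")


def triage(journal_text):
    """Map each PAM service that failed to load a module to what it is missing."""
    seen = defaultdict(lambda: {"missing": {}, "pids": set(), "session_opened": False})
    for raw in journal_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not a syslog-style line we understand
        entry = seen[line["svc"]]
        failed = DLOPEN.match(line["msg"])
        if failed:
            entry["missing"][failed["mod"]] = failed["path"]
            entry["pids"].add(int(line["pid"]))  # distinct worker PIDs affected
        elif "session opened for user" in line["msg"]:
            entry["session_opened"] = True
    # Only services with an unloadable module are findings.
    return {svc: e for svc, e in seen.items() if e["missing"]}


if __name__ == "__main__":
    for svc, e in triage(SAMPLE).items():
        print(f"{svc}: cannot load {sorted(e['missing'])}; "
              f"{len(e['pids'])} worker PIDs; session opened: {e['session_opened']}")
```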