By default GDM switches to smartcard mode once one is plugged in;
smartcard auth can be disabled at the GDM level, though, by changing the
gsettings.


sudo -u gdm env -u XDG_RUNTIME_DIR -u DISPLAY DCONF_PROFILE=gdm \
  dbus-run-session \
  gsettings set org.gnome.login-screen enable-smartcard-authentication false

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-shell in Ubuntu.
https://bugs.launchpad.net/bugs/1933027

Title:
  Gdm3 with smartcard asks for login/smartcard pin even if there is no
  smartcard authentication enabled

Status in gdm3 package in Ubuntu:
  Confirmed
Status in gnome-shell package in Ubuntu:
  Confirmed

Bug description:
  I use my Ubuntu PC with Yubikey almost always plugged in. It provides
  several security token interfaces, such as U2F, GPG smartcard,
  proprietary Yubico interfaces (of which I mostly use TOTP codes),
  and also PIV smartcard. However, I haven't configured a PIV smartcard
  on it.

  Whenever I login into the system having Yubikey plugged in, I'm
  prompted for login name, and then for PIN for some smartcard while
  also being asked to plug in one. This is very misleading on several
  layers:
  1. I have the device providing smartcard plugged in,
  2. But it's not the smartcard GDM would think it is as it's not
  configured properly,
  3. There are no local smartcard-authenticating users right now in the
  system,
  4. There are no remote authentication systems configured on the system
  (so no ActiveDirectory-smartcard logins or such).

  If I unplug the token UX goes back on old good track.

  Given the circumstances above, I'd consider that GDM (and, on my bet,
  any PAM configuration it uses) shouldn't offer to login using
  smartcard if there is no way to actually do so. I feel something is
  off here, so I'm reporting a bug. It could be an upstream problem
  though; it also could be an upstream SSSD problem, or all combined.

  I believe there is a more clear user experience:
  1. GDM should display users that can login into the system, as it
  always does (if configured). It may also provide entering other login
  name (also if configured). This is what GDM usually does without
  smartcards altogether.
  2. When user is chosen (from the list or manually typed in), check
  whether this user can even authenticate with smartcards (i.e. if any
  of available smartcards is actually recognised for this user). If so,
  then ask for PIN. Else, don't show anything about smartcards at all
  (this includes when SSSD is not configured for any AD or related and
  this user has no local smartcard configuration). This can switch there
  & back based on device events.
  I've seen other OS doing this.

  Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock
  screen, so I guess it doesn't support it at all or correctly finds out
  it can't be used. Even more, I couldn't find a way to actually add my
  smartcard as a local login method.

  ProblemType: Bug
  DistroRelease: Ubuntu 21.04
  Package: gdm3 3.38.2.1-2ubuntu1
  ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17
  Uname: Linux 5.11.0-18-generic x86_64
  NonfreeKernelModules: nvidia_modeset nvidia
  ApportVersion: 2.20.11-0ubuntu65.1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Sun Jun 20 14:02:02 2021
  InstallationDate: Installed on 2017-03-05 (1567 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  ProcEnviron:
   TERM=tmux-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=ru_RU.UTF-8
   SHELL=/bin/bash
  SourcePackage: gdm3
  UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago)



-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
