Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1051785: gdm3 won't allow logins when a smarcard with a x.509 credential is plugged in
234 views
Skip to first unread message
Paul Tagliamonte
Sep 12, 2023, 11:00:05 AM9/12/23
to
Subject: gdm3 won't allow logins when a smarcard with a x.509 credential is plugged in
Package: gdm3
Version: 45~beta-1
Severity: important
thanks
Hey GNOME maintainers,
I upgraded my sid system, and post-upgrade gdm3 isn't showing my face
when I reboot, and entering my username causes it to loop back to
username entry again (no password prompt). After some help from smcv, I
narrowed down the issue to the interactions between my smartcard
development tools installed locally and gdm3.
The journal shows the following output:
| Sep 12 10:18:47 nyx gdm-launch-environment][1851]: pam_unix(gdm-launch-environment:session): session opened for user Debian-gdm(uid=116) by (uid=0)
| Sep 12 10:18:49 nyx gdm-smartcard][2749]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:18:49 nyx gdm-smartcard][2749]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:02 nyx gdm-smartcard][2749]: gkr-pam: no password is available for user
| Sep 12 10:19:02 nyx gdm-smartcard][3505]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:02 nyx gdm-smartcard][3505]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:03 nyx gdm-smartcard][3505]: gkr-pam: no password is available for user
| Sep 12 10:19:03 nyx gdm-smartcard][3512]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:03 nyx gdm-smartcard][3512]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:33 nyx gdm-smartcard][4045]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:33 nyx gdm-smartcard][4045]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:34 nyx gdm-smartcard][4045]: gkr-pam: no password is available for user
| Sep 12 10:19:34 nyx gdm-smartcard][4237]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:34 nyx gdm-smartcard][4237]: PAM adding faulty module: pam_sss.so
(I do not have libpam-sss installed - after I got this error I installed
it to see if I could unlock myself, but it didn't do much and I purged
it again).
I have not configured my machine to use gdm-smartcard (nor do I want
to); but I do have a lot of smartcard stuff installed due to other hobby
work. I have NSS set up to talk with OpenSC, but that's only for TLS
keying material via GNOME, not system login.
When I unplugged my Yubikey which is both WebAuthN and a x.509
Smartcard, I was able to log in as usual.
My hunch is that I believe gdm-smartcard thinks it's supposed to kick
into gear and authenticate my smartcard, but it isn't configured to do
so (heck, it hasn't been told how to match my UPN/Email
SAN/Subject/Serial to UID, nor an x.509 CA to use for user
authentication). However, it kicking into gear has kicked me out of my
ability to login :)
I suspect the fix here is to explicitly toggle on gdm-smartcard when it's
properly configured, rather than implicitly running when the right deps
are installed and an x509 cert is found on an OpenSC token when it can't
properly authenticate it.
Fondly,
paultag
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.4.0-4-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gdm3 depends on:
ii accountsservice 23.13.9-4
ii adduser 3.137
ii cool-retro-term [x-terminal-emulator] 1.2.0+ds2-1+b1
ii dbus [default-dbus-system-bus] 1.14.10-1
ii dbus-bin 1.14.10-1
ii dbus-daemon 1.14.10-1
ii dconf-cli 0.40.0-4
ii dconf-gsettings-backend 0.40.0-4
ii debconf [debconf-2.0] 1.5.82
ii foot [x-terminal-emulator] 1.15.3-1
ii gir1.2-gdm-1.0 45~beta-1
ii gnome-session [x-session-manager] 44.0-4
ii gnome-session-bin 44.0-4
ii gnome-session-common 44.0-4
ii gnome-settings-daemon 45~rc-1
ii gnome-shell 44.4-1
ii gnome-terminal [x-terminal-emulator] 3.49.99-1
ii gsettings-desktop-schemas 45~rc-1
ii libaccountsservice0 23.13.9-4
ii libaudit1 1:3.1.1-1
ii libc6 2.37-8
ii libcanberra-gtk3-0 0.30-10
ii libcanberra0 0.30-10
ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+b1
ii libgdm1 45~beta-1
ii libglib2.0-0 2.78.0-1
ii libglib2.0-bin 2.78.0-1
ii libgtk-3-0 3.24.38-5
ii libgudev-1.0-0 238-2
ii libkeyutils1 1.6.3-2
ii libpam-modules 1.5.2-7
ii libpam-runtime 1.5.2-7
ii libpam-systemd [logind] 254.1-3
ii libpam0g 1.5.2-7
ii librsvg2-common 2.54.7+dfsg-2
ii libselinux1 3.5-1
ii libsystemd0 254.1-3
ii libx11-6 2:1.8.6-1
ii libxau6 1:1.0.9-1
ii libxcb1 1.15-1
ii libxdmcp6 1:1.1.2-3
ii polkitd 123-1
ii procps 2:4.0.3-1
ii systemd-sysv 254.1-3
ii ucf 3.0043+nmu1
ii x11-common 1:7.7+23
ii x11-xserver-utils 7.7+9+b1
ii xfce4-session [x-session-manager] 4.18.3-1
ii xfwm4 [x-window-manager] 4.18.0-1
ii xterm [x-terminal-emulator] 384-1
Versions of packages gdm3 recommends:
ii at-spi2-core 2.49.91-2
ii desktop-base 12.0.6+nmu1
ii gnome-session [x-session-manager] 44.0-4
ii x11-xkb-utils 7.7+7
ii xfce4-session [x-session-manager] 4.18.3-1
ii xserver-xephyr 2:21.1.8-1
ii xserver-xorg 1:7.7+23
ii zenity 3.44.2-1
Versions of packages gdm3 suggests:
pn libpam-fprintd <none>
ii libpam-gnome-keyring 42.1-1+b2
pn libpam-pkcs11 <none>
pn libpam-sss <none>
ii orca 44.1-2
-- debconf information excluded
Package: gdm3
Version: 45~beta-1
Severity: important
thanks
Hey GNOME maintainers,
I upgraded my sid system, and post-upgrade gdm3 isn't showing my face
when I reboot, and entering my username causes it to loop back to
username entry again (no password prompt). After some help from smcv, I
narrowed down the issue to the interactions between my smartcard
development tools installed locally and gdm3.
The journal shows the following output:
| Sep 12 10:18:47 nyx gdm-launch-environment][1851]: pam_unix(gdm-launch-environment:session): session opened for user Debian-gdm(uid=116) by (uid=0)
| Sep 12 10:18:49 nyx gdm-smartcard][2749]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:18:49 nyx gdm-smartcard][2749]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:02 nyx gdm-smartcard][2749]: gkr-pam: no password is available for user
| Sep 12 10:19:02 nyx gdm-smartcard][3505]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:02 nyx gdm-smartcard][3505]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:03 nyx gdm-smartcard][3505]: gkr-pam: no password is available for user
| Sep 12 10:19:03 nyx gdm-smartcard][3512]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:03 nyx gdm-smartcard][3512]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:33 nyx gdm-smartcard][4045]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:33 nyx gdm-smartcard][4045]: PAM adding faulty module: pam_sss.so
| Sep 12 10:19:34 nyx gdm-smartcard][4045]: gkr-pam: no password is available for user
| Sep 12 10:19:34 nyx gdm-smartcard][4237]: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory
| Sep 12 10:19:34 nyx gdm-smartcard][4237]: PAM adding faulty module: pam_sss.so
(I do not have libpam-sss installed - after I got this error I installed
it to see if I could unlock myself, but it didn't do much and I purged
it again).
I have not configured my machine to use gdm-smartcard (nor do I want
to); but I do have a lot of smartcard stuff installed due to other hobby
work. I have NSS set up to talk with OpenSC, but that's only for TLS
keying material via GNOME, not system login.
When I unplugged my Yubikey which is both WebAuthN and a x.509
Smartcard, I was able to log in as usual.
My hunch is that I believe gdm-smartcard thinks it's supposed to kick
into gear and authenticate my smartcard, but it isn't configured to do
so (heck, it hasn't been told how to match my UPN/Email
SAN/Subject/Serial to UID, nor an x.509 CA to use for user
authentication). However, it kicking into gear has kicked me out of my
ability to login :)
I suspect the fix here is to explicitly toggle on gdm-smartcard when it's
properly configured, rather than implicitly running when the right deps
are installed and an x509 cert is found on an OpenSC token when it can't
properly authenticate it.
Fondly,
paultag
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.4.0-4-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gdm3 depends on:
ii accountsservice 23.13.9-4
ii adduser 3.137
ii cool-retro-term [x-terminal-emulator] 1.2.0+ds2-1+b1
ii dbus [default-dbus-system-bus] 1.14.10-1
ii dbus-bin 1.14.10-1
ii dbus-daemon 1.14.10-1
ii dconf-cli 0.40.0-4
ii dconf-gsettings-backend 0.40.0-4
ii debconf [debconf-2.0] 1.5.82
ii foot [x-terminal-emulator] 1.15.3-1
ii gir1.2-gdm-1.0 45~beta-1
ii gnome-session [x-session-manager] 44.0-4
ii gnome-session-bin 44.0-4
ii gnome-session-common 44.0-4
ii gnome-settings-daemon 45~rc-1
ii gnome-shell 44.4-1
ii gnome-terminal [x-terminal-emulator] 3.49.99-1
ii gsettings-desktop-schemas 45~rc-1
ii libaccountsservice0 23.13.9-4
ii libaudit1 1:3.1.1-1
ii libc6 2.37-8
ii libcanberra-gtk3-0 0.30-10
ii libcanberra0 0.30-10
ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+b1
ii libgdm1 45~beta-1
ii libglib2.0-0 2.78.0-1
ii libglib2.0-bin 2.78.0-1
ii libgtk-3-0 3.24.38-5
ii libgudev-1.0-0 238-2
ii libkeyutils1 1.6.3-2
ii libpam-modules 1.5.2-7
ii libpam-runtime 1.5.2-7
ii libpam-systemd [logind] 254.1-3
ii libpam0g 1.5.2-7
ii librsvg2-common 2.54.7+dfsg-2
ii libselinux1 3.5-1
ii libsystemd0 254.1-3
ii libx11-6 2:1.8.6-1
ii libxau6 1:1.0.9-1
ii libxcb1 1.15-1
ii libxdmcp6 1:1.1.2-3
ii polkitd 123-1
ii procps 2:4.0.3-1
ii systemd-sysv 254.1-3
ii ucf 3.0043+nmu1
ii x11-common 1:7.7+23
ii x11-xserver-utils 7.7+9+b1
ii xfce4-session [x-session-manager] 4.18.3-1
ii xfwm4 [x-window-manager] 4.18.0-1
ii xterm [x-terminal-emulator] 384-1
Versions of packages gdm3 recommends:
ii at-spi2-core 2.49.91-2
ii desktop-base 12.0.6+nmu1
ii gnome-session [x-session-manager] 44.0-4
ii x11-xkb-utils 7.7+7
ii xfce4-session [x-session-manager] 4.18.3-1
ii xserver-xephyr 2:21.1.8-1
ii xserver-xorg 1:7.7+23
ii zenity 3.44.2-1
Versions of packages gdm3 suggests:
pn libpam-fprintd <none>
ii libpam-gnome-keyring 42.1-1+b2
pn libpam-pkcs11 <none>
pn libpam-sss <none>
ii orca 44.1-2
-- debconf information excluded
Simon McVittie
Sep 12, 2023, 12:40:04 PM9/12/23
to
On Tue, 12 Sep 2023 at 10:52:16 -0400, Paul Tagliamonte wrote:
> I have NSS set up to talk with OpenSC
"NSS" is unfortunately ambiguous in this context. Is this the glibc Name
> I have NSS set up to talk with OpenSC
Service Switch (the thing that for example libnss-systemd integrates
with), or Mozilla's Netscape Security Services (libnss3), or some secret
third thing also named NSS?
Whichever one it is, can you be more specific about what was involved in
"setting it up to talk with OpenSC"?
smcv
Paul Tagliamonte
Sep 12, 2023, 12:50:05 PM9/12/23
to
On Tue, Sep 12, 2023 at 05:27:15PM +0100, Simon McVittie wrote:
> On Tue, 12 Sep 2023 at 10:52:16 -0400, Paul Tagliamonte wrote:
> > I have NSS set up to talk with OpenSC
>
> "NSS" is unfortunately ambiguous in this context. Is this the glibc Name
> Service Switch (the thing that for example libnss-systemd integrates
> with), or Mozilla's Netscape Security Services (libnss3), or some secret
> third thing also named NSS?
Ah, very sorry. libnss3.
> On Tue, 12 Sep 2023 at 10:52:16 -0400, Paul Tagliamonte wrote:
> > I have NSS set up to talk with OpenSC
>
> "NSS" is unfortunately ambiguous in this context. Is this the glibc Name
> Service Switch (the thing that for example libnss-systemd integrates
> with), or Mozilla's Netscape Security Services (libnss3), or some secret
> third thing also named NSS?
I usually use OpenSC in the following configuration:
```
modutil -add "OpenSC" \
-libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
-dbdir sql:$HOME/.pki/nssdb
```
However, when I went to confirm my notes[1] against my running system, I
found it to be in a different state (using onepin-opensc-pkcs11.so,
which is new to me):
| An aside:
|
| [1]: My notes are in the form of manpages for stuf I do infrequently but
| want to remember. Here's a markdon of the yubkey manpage when I noodle
| with using it in OpenSC mode, in case this is helpful for more
| information: https://gist.github.com/paultag/2c35b62e85a032856c2cb97345c3d24d
|
| That's from 2017, so the world has changed quite a bit, and some of it
| is bad / outdated advice, so I'd just use it to help understand likely
| system configuration than best practice -- for instance, don't use
| pkcs#11 for ssh keys anymore pls :)
Related output when using `modutil -list -dbdir sql:$HOME/.pki/nssdb`
I'm seeing a slightly different configuration (hurmm, odd):
```
2. OpenSC smartcard framework (0.22)
library name: /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.23
slots: 1 slot attached
status: loaded
slot:
token:
uri: pkcs11:
```
dpkg output from the packages I know about off the top of my head that
would be involved that aren't in the last report:
ii opensc 0.23.0-1 amd64 Smart card utilities with support for PKCS#15 compatible cards
ii opensc-pkcs11:amd64 0.23.0-1 amd64 Smart card utilities (PKCS#11 module)
ii libnss3:amd64 2:3.92-1 amd64 Network Security Service libraries
ii libnss3-dev:amd64 2:3.92-1 amd64 Development files for the Network Security Service libraries
ii libnss3-tools 2:3.92-1 amd64 Network Security Service tools
ii libykpiv-dev:amd64 2.2.0-1.1 amd64 Development files for the YubiKey PIV Library
ii libykpiv2:amd64 2.2.0-1.1 amd64 Library for communication with the YubiKey PIV smartcard
ii pcscd 2.0.0-1 amd64 Middleware to access a smart card using PC/SC (daemon side)
ii libccid 1.5.2-1 amd64 PC/SC driver for USB CCID smart card readers
--
:wq
Raphael Hertzog
Sep 14, 2023, 5:40:06 AM9/14/23
to
Hello,
On Tue, 12 Sep 2023, Paul Tagliamonte wrote:
> I upgraded my sid system, and post-upgrade gdm3 isn't showing my face
> when I reboot, and entering my username causes it to loop back to
> username entry again (no password prompt). After some help from smcv, I
> narrowed down the issue to the interactions between my smartcard
> development tools installed locally and gdm3.
In my case, I don't have any "smartcard development tools" (at least not
on purpose), I just have a smartcard inserted with a single GPG key used
for "authentication" (i.e. mainly for SSH logins).
$ gpg --card-status
Reader ...........: Alcor Micro AU9540 00 00
Application ID ...: D2760001240102010005000040DD0000
Application type .: OpenPGP
Version ..........: 2.1
Manufacturer .....: ZeitControl
[...]
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: 1CAC 8718 CAA0 C7B9 1EC0 E907 F1CA EE10 6CE6 97F8
created ....: 2022-01-19 08:31:51
> (I do not have libpam-sss installed - after I got this error I installed
> it to see if I could unlock myself, but it didn't do much and I purged
> it again).
At least after I installed libpam-sss, I got an error message asking me
to introduce another smartcard so we could indeed figure out that it was
related to the smartcard.
> My hunch is that I believe gdm-smartcard thinks it's supposed to kick
> into gear and authenticate my smartcard, but it isn't configured to do
> so (heck, it hasn't been told how to match my UPN/Email
> SAN/Subject/Serial to UID, nor an x.509 CA to use for user
> authentication). However, it kicking into gear has kicked me out of my
> ability to login :)
That's likely due to the fact that gdm-smartcard required dependencies
(at least libpam-sss) were missing. So yeah it seems like that
gdm-smartcard should have a better failure mode when its prerequisites are
missing.
Putting here the reportbug generated info for the computer where I
experienced the issue:
Debian Release: trixie/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable-security'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.4.0-4-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
ii mutter [x-window-manager] 44.4-2
--
⢀⣴⠾⠻⢶⣦⠀ Raphaël Hertzog <her...@debian.org>
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋ The Debian Handbook: https://debian-handbook.info/get/
⠈⠳⣄⠀⠀⠀⠀ Debian Long Term Support: https://deb.li/LTS
On Tue, 12 Sep 2023, Paul Tagliamonte wrote:
> I upgraded my sid system, and post-upgrade gdm3 isn't showing my face
> when I reboot, and entering my username causes it to loop back to
> username entry again (no password prompt). After some help from smcv, I
> narrowed down the issue to the interactions between my smartcard
> development tools installed locally and gdm3.
on purpose), I just have a smartcard inserted with a single GPG key used
for "authentication" (i.e. mainly for SSH logins).
$ gpg --card-status
Reader ...........: Alcor Micro AU9540 00 00
Application ID ...: D2760001240102010005000040DD0000
Application type .: OpenPGP
Version ..........: 2.1
Manufacturer .....: ZeitControl
[...]
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: 1CAC 8718 CAA0 C7B9 1EC0 E907 F1CA EE10 6CE6 97F8
created ....: 2022-01-19 08:31:51
> (I do not have libpam-sss installed - after I got this error I installed
> it to see if I could unlock myself, but it didn't do much and I purged
> it again).
to introduce another smartcard so we could indeed figure out that it was
related to the smartcard.
> My hunch is that I believe gdm-smartcard thinks it's supposed to kick
> into gear and authenticate my smartcard, but it isn't configured to do
> so (heck, it hasn't been told how to match my UPN/Email
> SAN/Subject/Serial to UID, nor an x.509 CA to use for user
> authentication). However, it kicking into gear has kicked me out of my
> ability to login :)
(at least libpam-sss) were missing. So yeah it seems like that
gdm-smartcard should have a better failure mode when its prerequisites are
missing.
Putting here the reportbug generated info for the computer where I
experienced the issue:
Debian Release: trixie/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable-security'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.4.0-4-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gdm3 depends on:
ii accountsservice 23.13.9-4
ii adduser 3.137
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gdm3 depends on:
ii accountsservice 23.13.9-4
ii adduser 3.137
ii dbus [default-dbus-system-bus] 1.14.10-1
ii dbus-bin 1.14.10-1
ii dbus-daemon 1.14.10-1
ii dconf-cli 0.40.0-4
ii dconf-gsettings-backend 0.40.0-4
ii debconf [debconf-2.0] 1.5.82
ii dbus-bin 1.14.10-1
ii dbus-daemon 1.14.10-1
ii dconf-cli 0.40.0-4
ii dconf-gsettings-backend 0.40.0-4
ii debconf [debconf-2.0] 1.5.82
ii gir1.2-gdm-1.0 45~beta-1
ii gnome-session [x-session-manager] 44.0-4
ii gnome-session-bin 44.0-4
ii gnome-session-common 44.0-4
ii gnome-settings-daemon 45~rc-1
ii gnome-shell 44.4-1
ii gnome-terminal [x-terminal-emulator] 3.49.99-1
ii gsettings-desktop-schemas 45~rc-1
ii libaccountsservice0 23.13.9-4
ii libaudit1 1:3.1.1-1
ii libc6 2.37-7
ii gnome-session [x-session-manager] 44.0-4
ii gnome-session-bin 44.0-4
ii gnome-session-common 44.0-4
ii gnome-settings-daemon 45~rc-1
ii gnome-shell 44.4-1
ii gnome-terminal [x-terminal-emulator] 3.49.99-1
ii gsettings-desktop-schemas 45~rc-1
ii libaccountsservice0 23.13.9-4
ii libaudit1 1:3.1.1-1
ii libcanberra-gtk3-0 0.30-10
ii libcanberra0 0.30-10
ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+b1
ii libgdm1 45~beta-1
ii libglib2.0-0 2.78.0-1
ii libglib2.0-bin 2.78.0-1
ii libgtk-3-0 3.24.38-5
ii libgudev-1.0-0 237-2
ii libcanberra0 0.30-10
ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+b1
ii libgdm1 45~beta-1
ii libglib2.0-0 2.78.0-1
ii libglib2.0-bin 2.78.0-1
ii libgtk-3-0 3.24.38-5
ii libkeyutils1 1.6.3-2
ii libpam-modules 1.5.2-7
ii libpam-runtime 1.5.2-7
ii libpam-systemd [logind] 254.1-3
ii libpam0g 1.5.2-7
ii librsvg2-common 2.54.7+dfsg-2
ii libselinux1 3.5-1
ii libsystemd0 254.1-3
ii libx11-6 2:1.8.6-1
ii libxau6 1:1.0.9-1
ii libxcb1 1.15-1
ii libxdmcp6 1:1.1.2-3
ii metacity [x-window-manager] 1:3.49.1-1
ii libpam-modules 1.5.2-7
ii libpam-runtime 1.5.2-7
ii libpam-systemd [logind] 254.1-3
ii libpam0g 1.5.2-7
ii librsvg2-common 2.54.7+dfsg-2
ii libselinux1 3.5-1
ii libsystemd0 254.1-3
ii libx11-6 2:1.8.6-1
ii libxau6 1:1.0.9-1
ii libxcb1 1.15-1
ii libxdmcp6 1:1.1.2-3
ii mutter [x-window-manager] 44.4-2
ii polkitd 123-1
ii procps 2:4.0.3-1
ii systemd-sysv 254.1-3
ii ucf 3.0043+nmu1
ii x11-common 1:7.7+23
ii x11-xserver-utils 7.7+9+b1
ii procps 2:4.0.3-1
ii systemd-sysv 254.1-3
ii ucf 3.0043+nmu1
ii x11-common 1:7.7+23
ii x11-xserver-utils 7.7+9+b1
ii xterm [x-terminal-emulator] 384-1
Versions of packages gdm3 recommends:
ii at-spi2-core 2.49.91-2
ii desktop-base 12.0.6+nmu1
ii gnome-session [x-session-manager] 44.0-4
ii x11-xkb-utils 7.7+7
Versions of packages gdm3 recommends:
ii at-spi2-core 2.49.91-2
ii desktop-base 12.0.6+nmu1
ii gnome-session [x-session-manager] 44.0-4
ii x11-xkb-utils 7.7+7
ii xserver-xephyr 2:21.1.8-1
ii xserver-xorg 1:7.7+23
ii zenity 3.44.2-1
Versions of packages gdm3 suggests:
pn libpam-fprintd <none>
ii libpam-gnome-keyring 42.1-1+b2
pn libpam-pkcs11 <none>
pn libpam-sss <none>
ii orca 44.1-2
Cheers,
ii xserver-xorg 1:7.7+23
ii zenity 3.44.2-1
Versions of packages gdm3 suggests:
pn libpam-fprintd <none>
ii libpam-gnome-keyring 42.1-1+b2
pn libpam-pkcs11 <none>
pn libpam-sss <none>
ii orca 44.1-2
--
⢀⣴⠾⠻⢶⣦⠀ Raphaël Hertzog <her...@debian.org>
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋ The Debian Handbook: https://debian-handbook.info/get/
⠈⠳⣄⠀⠀⠀⠀ Debian Long Term Support: https://deb.li/LTS
Paul Tagliamonte
Sep 14, 2023, 10:00:05 AM9/14/23
to
On Thu, Sep 14, 2023 at 11:25:57AM +0200, Raphael Hertzog wrote:
> In my case, I don't have any "smartcard development tools" (at least not
> on purpose), I just have a smartcard inserted with a single GPG key used
> for "authentication" (i.e. mainly for SSH logins).
Ahha! As do I! I removed all my tokens, and understood smartcard to mean
> In my case, I don't have any "smartcard development tools" (at least not
> on purpose), I just have a smartcard inserted with a single GPG key used
> for "authentication" (i.e. mainly for SSH logins).
an x.509 credential. My Debian signing key is on Hardware as well.
> $ gpg --card-status
> Reader ...........: Alcor Micro AU9540 00 00
> Application ID ...: D2760001240102010005000040DD0000
> Application type .: OpenPGP
> Version ..........: 2.1
> Manufacturer .....: ZeitControl
> [...]
> Key attributes ...: rsa2048 rsa2048 rsa2048
> Max. PIN lengths .: 32 32 32
> PIN retry counter : 3 0 3
> Signature counter : 0
> Signature key ....: [none]
> Encryption key....: [none]
> Authentication key: 1CAC 8718 CAA0 C7B9 1EC0 E907 F1CA EE10 6CE6 97F8
> created ....: 2022-01-19 08:31:51
Application ID ...: D2760001240102010006075352630000
Application type .: OpenPGP
Version ..........: 2.1
Manufacturer .....: Yubico
Version ..........: 2.1
[...]
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : [...]
Signature counter : [...]
Signature key ....: B7EC F42D DFD9 8AC7 301C 062B 1101 AD5A 8136 9AD7
created ....: 2019-02-09 15:52:11
paultag
--
⢀⣴⠾⠻⢶⣦⠀ Paul Tagliamonte <paultag>
⣾⠁⢠⠒⠀⣿⡁ https://people.debian.org/~paultag | https://pault.ag/
⢿⡄⠘⠷⠚⠋ Debian, the universal operating system.
⠈⠳⣄⠀⠀ 4096R / FEF2 EB20 16E6 A856 B98C E820 2DCD 6B5D E858 ADF3
Harlan Lieberman-Berg
Sep 15, 2023, 12:10:04 PM9/15/23
to
On Tue, 12 Sep 2023 10:52:16 -0400 Paul Tagliamonte <pau...@gmail.com> wrote:
> I upgraded my sid system, and post-upgrade gdm3 isn't showing my face
> when I reboot, and entering my username causes it to loop back to
> username entry again (no password prompt).
Hello all,
> I upgraded my sid system, and post-upgrade gdm3 isn't showing my face
> when I reboot, and entering my username causes it to loop back to
> username entry again (no password prompt).
I've gotten bitten by this one too, I'm afraid, this time in Debian testing.
Potentially interestingly, though I do have a PKCS#11 token inserted,
it has no certificates on it. That's still enough to trigger the bug,
however, even though there is no certificate for it to even attempt to
auth against.
For example:
```
❯ pkcs11-tool -L
Available slots:
Slot 0 (0x0): Yubico YubiKey OTP+FIDO+CCID 00 00
token label : PIV_II
token manufacturer : piv_II
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN
initialized, user PIN locked
hardware version : 0.0
firmware version : 0.0
serial num : 00000000
pin min/max : 4/8
```
However...
```
❯ pkcs11-tool --list-objects --type cert
Using slot 0 with a present token (0x0)
```
Sincerely,
--
Harlan Lieberman-Berg
~hlieberman
Simon McVittie
Sep 17, 2023, 8:20:04 AM9/17/23
to
On Fri, 15 Sep 2023 at 16:05:24 +0000, Harlan Lieberman-Berg wrote:
> I've gotten bitten by this one too, I'm afraid, this time in Debian testing.
>
> Potentially interestingly, though I do have a PKCS#11 token inserted,
> it has no certificates on it.
If you run as root
> I've gotten bitten by this one too, I'm afraid, this time in Debian testing.
>
> Potentially interestingly, though I do have a PKCS#11 token inserted,
> it has no certificates on it.
update-alternatives --set gdm-smartcard /etc/pam.d/gdm-smartcard-sssd-or-password
does that restore previous functionality?
If I understand the situation correctly, when gdm detects the presence of
a smartcard, it switches from its default gdm-password PAM profile to
gdm-smartcard, which is an alias for either gdm-smartcard-pkcs11-exclusive,
gdm-smartcard-sssd-exclusive or gdm-smartcard-sssd-or-password.
However, in the two -exclusive profiles, "exclusive" means "password
login is not allowed, only smartcard login can work" - which obviously
isn't right if you don't have smartcard-related PAM modules installed,
or if you haven't configured any {smartcard -> user account} mappings.
If my understanding is correct, then I think
gdm-smartcard-sssd-or-password would be a better default, unless
there are factors here that I'm not seeing. Sysadmins could still set
the alternative to point to gdm-smartcard-sssd-exclusive for a more
locked-down system, but only after ensuring that smartcard-based login
has been configured and actually works!
(Explicitly cc'ing Marco here since he seems to be the expert on gdm's
interactions with PAM, and the one driving the smartcard handling
enhancements that seem to have triggered this regression.)
smcv
Harlan Lieberman-Berg
Sep 17, 2023, 10:10:04 AM9/17/23
to
On Sun, Sep 17, 2023 at 12:13 PM Simon McVittie <sm...@debian.org> wrote:
> If you run as root
>
> update-alternatives --set gdm-smartcard /etc/pam.d/gdm-smartcard-sssd-or-password
>
> does that restore previous functionality?
Sort of! It doesn't fix the changes to the UI (i.e., there is no
> If you run as root
>
> update-alternatives --set gdm-smartcard /etc/pam.d/gdm-smartcard-sssd-or-password
>
> does that restore previous functionality?
longer a list of users to select from; it is a username box where the
"go back" button does nothing), but you can login by putting the
username in by hand. That part is, obviously, the most important one.
Is the issue here one of defaults (e.g., the wrong PAM profile being
set), or one of detection (are smartcards a valid choice at all)?
Potentially unrelated sidenote: setting
`/org/gnome/login-screen/enable-smartcard-authentication` to `false`
has no effect on the ability to login; it still refuses to allow
password auth.
0 new messages