Gdm3 with smartcard asks for login/smartcard pin even if there is no smartcard authentication enabled

Bug #1933027 reported by Dmitry Lapshin
This bug affects 35 people
Affects Status Importance Assigned to Milestone
gdm3 (Ubuntu)
gnome-shell (Ubuntu)

Bug Description

I use my Ubuntu PC with Yubikey almost always plugged in. It provides several security token interfaces, such as U2F, GPG smartcard, proprieritary Yubico interfaces (of which I mostly use TOTP codes), and also PIV smartcard. However, I haven't configured a PIV smartcard on it.

Whenever I login into the system having Yubikey plugged in, I'm prompted for login name, and then for PIN for some smartcard while also being asked to plug in one. This is very misleading on several layers:
1. I have the device providing smartcard plugged id,
2. But it's not the smartcard GDM would think it is as it's not configured properly,
3. There are no local smartcard-authenticating users right now in the system,
3. There are no remote authentication systems configured on the system (so no ActiveDirectory-smartcard logins or such).

If I unplug the token UX goes back on old good track.

Given the circumstances above, I'd consider that GDM (and, on my bet, any PAM configuration it uses) shouldn't offer to login using smartcard if there is no way to actually do so. I feel something is off here, so I'm reporting a bug. It could be an upstream problem though; it also could be an upstream SSSD problem, or all combined.

I believe there is a more clear user experience:
1. GDM should display users that can login into the system, as it always does (if configured). It may also provide entering other login name (also if configured). This is GDM usually does without smartcards altogether.
2. When user is chosen (from the list or manually typed in), check can this user even authenticate with smartcards (i.e. if any of available smartcards is actually recognised for this user). If so, then ask for PIN. Else, don't show anything about smartcards at all (this includes when SSSD is not configured for any AD or related and this user has no local smartcard configuration). This can switch there & back based on device events.
I've seen other OS doing this.

Ubuntu/Gnome session doesn't ask me for PIN for a smartcard on a lock screen, so I guess it doesn't support it at all or correctly finds out it can't be used. Even more, I couldn't find a way to actually add my smartcard as a local login method.

ProblemType: Bug
DistroRelease: Ubuntu 21.04
Package: gdm3
ProcVersionSignature: Ubuntu 5.11.0-18.19-generic 5.11.17
Uname: Linux 5.11.0-18-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.20.11-0ubuntu65.1
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Sun Jun 20 14:02:02 2021
InstallationDate: Installed on 2017-03-05 (1567 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
 PATH=(custom, no user)
SourcePackage: gdm3
UpgradeStatus: Upgraded to hirsute on 2021-05-13 (37 days ago)

Revision history for this message
Dmitry Lapshin (lapshin-dv) wrote :
Revision history for this message
Daniel van Vugt (vanvugt) wrote :

Assigning to gnome-shell (which implements the login GUI).

Revision history for this message
Dmitry Lapshin (lapshin-dv) wrote :

So... GDM actually just launches special session instance that is actually a login screen? Now it's even more weird that gnome-shell doesn't ask for PIN on lock screen.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gdm3 (Ubuntu):
status: New → Confirmed
Changed in gnome-shell (Ubuntu):
status: New → Confirmed
Revision history for this message
wastrel (wastrel) wrote :

Yep this got me today.

Unable to login due to YubiKey plugged in to the system. GDM sees the key and wants me to use it to authenticate, it's not set up for that and I had to pull the YubiKey to be able to log in with username & password.

Poking around in /etc/pam.d/ I found there's a few options ror smartcard configuration, and as a workaround just enabled one that allows both password and smartcard auth:

$ sudo update-alternatives --config gdm-smartcard
There are 3 choices for the alternative gdm-smartcard (providing /etc/pam.d/gdm-smartcard).

  Selection Path Priority Status
  0 /etc/pam.d/gdm-smartcard-sssd-exclusive 50 auto mode
  1 /etc/pam.d/gdm-smartcard-pkcs11-exclusive 30 manual mode
  2 /etc/pam.d/gdm-smartcard-sssd-exclusive 50 manual mode
* 3 /etc/pam.d/gdm-smartcard-sssd-or-password 40 manual mode

Press <enter> to keep the current choice[*], or type selection number:

Revision history for this message
Dmitry Lapshin (lapshin-dv) wrote :

wastrel, you're my saviour! I wouldn't discover that there is an option in ages!

I think this should be the default, actually, because as I've stated if sssd is not configured in the system we should use passwords, and if system administrator configures proper smartcard authentication only then should there be an option to forbid passwords.

Actually, it looks even more strange that current option is sssd-exclusive when you can just unplug the key and get a password prompt anyway.

Revision history for this message
Eugene Mirotin (emirotin) wrote :

I'm hit by this issue and for me the suggested workaround doesn't work.

My previous setup:
- had the fingerprint auth enabled
- have the Yubikey attached and **required** for auth (initial login as well as sudo)

Previous behavior since this issue appearance: I wouldn't be able to log in with the key attached, but when not attached I would be able to log in with just a swipe of the finger (so, yubikey auth would be bypassed)

Yesterday I have disabled fingerprints. Now I'm completely unable to login from the graphic login screen:
- if the key is attached, the screen enforces the smartcard auth (I've tried changing the alternative, as suggested above). This doesn't work
- if the key is not attached, I'm able to enter my password. Then the spinner is shown for some time (because the system tries to detect the key) and the error is displayed. If I plugged in the key at this stage (something that helped me before, albeit being inconvenient), the screen would jump again to the smartcrd auth

The only way I can use my machine now is to go to the terminal session, login there (it works fine), then startx from there.

tags: added: jammy
tags: removed: hirsute
Revision history for this message
Graham Beneke (graham-beneke) wrote :

I've just upgraded a machine from focal to jammy and been hit by this issue. The workaround provided by wastrel doesn't seem to resolve the issue.

I'm using a Yubikey 5 Nano - which appears to be the device being identified as a smart card. When removing the Yubikey the auth process runs normally. This presents me with an issue though as my Yubikey is required by the PAM auth on my account.

I have changed the gdm-smartcard preference but the login process still tries to authenticate a smartcard at login and fails.

I've had to remove my Yubikey PAM auth and have to physically remove the Yubikey at each login.

Florin POP (florin-pop)
Changed in gnome-shell (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Florin POP (florin-pop) wrote (last edit ):

Also hitting this issue after upgrade to Ubuntu 22.04. The proposed workaround doesn't work for me either.

I always have a Yubikey 5 Nano plugged into my device.
The workaround to be able to login is to remove the Yubikey, then I can use the username and password. Very annoying procedure for each login. For the time being I switched from gdm3 to lightdm.

PS: By mistake I changed the status to "Fix Released" and not able to rollback.

Revision history for this message
Rolandas Jasiūnas (rolandasj) wrote :

Encountered same issue today, its super annoying as none of the workarounds work, looking for a fix asap.

Revision history for this message
wastrel (wastrel) wrote :

I finally upgraded to 22.04 and the workaround in my previous message is now also no longer working for me, though it had been in 21.04. Had to remove the YubiKey to log in.

My new workaround is to add an option to the gdm-smartcard alternatives configuration that's just password, no smartcard.

I added the final 2 lines in the file here:

$ cat /var/lib/dpkg/alternatives/gdm-smartcard



Now I choose that option using the same command as my previous workaround:

$ sudo update-alternatives --config gdm-smartcard
There are 4 choices for the alternative gdm-smartcard (providing /etc/pam.d/gdm-smartcard).

  Selection Path Priority Status
  0 /etc/pam.d/gdm-password 60 auto mode
  1 /etc/pam.d/gdm-smartcard-pkcs11-exclusive 30 manual mode
  2 /etc/pam.d/gdm-smartcard-sssd-exclusive 50 manual mode
  3 /etc/pam.d/gdm-smartcard-sssd-or-password 40 manual mode
* 4 /etc/pam.d/gdm-password 60 manual mode

Press <enter> to keep the current choice[*], or type selection number: 4

This is slightly more dangerous than the previous workaround as you may mess up your gdm login completely if you edit the file incorrectly but removing the YubiKey should default you back to just password so you'll be able to fix it.

Revision history for this message
Ari (ari-reads) wrote :

I've been using 22.04 (fresh install) since June and today after a routine update this "bug" popped up. This is in a system that has a yubikey 4 permanently plugged in. It's weird that the bug just popped out of nowhere.

The last workaround from wastrel worked great for me.

Now in addition to this bug, GDM's "face chooser" disappeared, no longer shows up, on boot I get prompted for a username. 22.04 was supposed to be a stable long-term release :/

Revision history for this message
Ari (ari-reads) wrote :

Update: a workaround to recover the "gdm user chooser" is to avoid the smartcard support from launching, which can be done editing this file


comment out the existing "Exec" line, and add a new one pointing to this harmless do-nothing binary, /usr/bin/true

The chooser now works. Still wondering how is it that 22.04 was working with no problem with my yubikey always plugged since June till November

Tom Zhou (zhouqt)
Changed in gnome-shell (Ubuntu):
status: Fix Released → Confirmed
Revision history for this message
Will Saxon (saxonww) wrote :

I ran into this on a work machine today. I'd installed scdaemon, gnupg-pkcs11-scd, opensc-pkcs11, and pcsc-tools. One of these is what triggered the behavior - removing them restored normal login behavior.

Mike Adams (mikethebos)
tags: added: mantic
Revision history for this message
Marco Trevisan (Treviño) (3v1n0) wrote :

By default GDM switches to smartcard mode once one is plugged in, smartcard auth can be disabled at gdm level though, by changing the gsettings.

sudo -u gdm env -u XDG_RUNTIME_DIR -u DISPLAY DCONF_PROFILE=gdm dbus-run-session \
  gsettings set org.gnome.login-screen enable-smartcard-authentication false

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.