Login screen doesn't offer authentication using Yubikey after upgrade 23.10 => 24.04

Bug #2061235 reported by Jaromir Obr
This bug affects 1 person
Affects: gdm3 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

I own a YubiKey 5 Nano.

In Ubuntu 23.10 I had configured login to GNOME using the YubiKey, so that when I started the OS with the YubiKey inserted and clicked on my username on the login screen, I was offered to touch the YubiKey, and when I did, the login succeeded ✓.

But since I upgraded to Ubuntu 24.04 beta, on the login screen I'm prompted to enter a password only, and no "touch" method is offered anymore 🐛.

Note that YubiKey auth works well e.g. for "sudo":
---
$ sudo apt update
Please touch the device.
...

This is my GDM policy configuration

/etc/pam.d/gdm-password
-----------------------
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
@include common-u2f
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
# pam_selinux.so changes the SELinux context of the used TTY and configures
# SELinux in order to transition to the user context with the next execve()
# call.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-session
session optional pam_gnome_keyring.so auto_start
@include common-password

/etc/pam.d/common-u2f
---------------------
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue

Used SW and HW:
---------------
* HW: laptop Yoga Slim 7 14ARE05
* SW:
  * Ubuntu 24.04
  * kernel 6.8.0-22-generic
  * gdm3 46.0-2ubuntu1, I'm using default Wayland session
  * libpam-yubico 2.26-1.1build2

Tags: noble
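
For checking a setup like the one in the bug description above, this added example (not part of the report, and not code from gdm3 or pam_u2f) expands the @include lines of a PAM service file and reports where pam_u2f.so sits in the effective auth stack. The function names are hypothetical, and the common-auth and common-account contents are constructed placeholders because the report does not show them.

```python
import re

# PAM files from the report, embedded so this runs offline. The common-auth and
# common-account bodies are constructed placeholders; the report does not show them.
SAMPLE = {
    "gdm-password": """#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
@include common-u2f
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
""",
    "common-u2f": "auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue\n",
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok\n",
    "common-account": "account required pam_unix.so\n",
}

# type, control (simple word or [value=action ...]), module, optional arguments
LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def effective_stack(service, files, mtype="auth", seen=()):
    """Expand @include lines; return [(control, module, args)] for one module type."""
    if service in seen:
        raise ValueError(f"include loop at {service}")
    out = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment to end of line
        if not line:
            continue
        if line.startswith("@include"):
            out += effective_stack(line.split()[1], files, mtype, seen + (service,))
        elif (m := LINE.match(line)) and m.group(1).lstrip("-") == mtype:
            out.append((m.group(2), m.group(3), m.group(4)))
    return out

def u2f_findings(stack):
    """Say where pam_u2f.so sits relative to pam_unix.so and whether it cues a touch."""
    mods = [module for _, module, _ in stack]
    if "pam_u2f.so" not in mods:
        return ["pam_u2f.so is not in the auth stack"]
    i = mods.index("pam_u2f.so")
    control, _, args = stack[i]
    notes = [f"pam_u2f.so at position {i + 1} of {len(stack)}, control={control}"]
    if "pam_unix.so" in mods and i > mods.index("pam_unix.so"):
        notes.append("pam_u2f.so runs after pam_unix.so, so the password prompt comes first")
    if "cue" not in args.split():
        notes.append("no 'cue' option, so no touch prompt is shown")
    return notes
```

To run it against a live system, build the `files` dictionary by reading the files under /etc/pam.d and call `u2f_findings(effective_stack("gdm-password", files))`.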
description: updated
tags: added: noble
Jaromir Obr (jaromir-obr) wrote :

I've just updated the OS and the bug is gone. Now I can see the message "Please touch the device" on the login screen as expected when I click on my name there.

Feel free to close the bug.

SW:
* kernel: 6.8.0-31-generic
* libpam-yubico: 2.26-1.1build2

Sebastien Bacher (seb128) wrote :

Thanks for the update, closing.

Changed in gdm3 (Ubuntu):
status: New → Fix Released