debcrafters-packages team mailing list archive
Message #02495
[Bug 1865226] Re: gdm-smartcard pam config needs to be updated for Ubuntu and installed
** Changed in: gdm3 (Ubuntu Focal)
Status: In Progress => Won't Fix
** Changed in: gnome-settings-daemon (Ubuntu Focal)
Status: Incomplete => Won't Fix
** Changed in: sssd (Ubuntu Focal)
Status: In Progress => Won't Fix
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to gnome-settings-daemon in
Ubuntu.
https://bugs.launchpad.net/bugs/1865226
Title:
gdm-smartcard pam config needs to be updated for Ubuntu and installed
Status in GNOME Settings Daemon:
Fix Released
Status in gdm3 package in Ubuntu:
Fix Released
Status in gnome-settings-daemon package in Ubuntu:
Fix Released
Status in sssd package in Ubuntu:
Fix Released
Status in gdm3 source package in Focal:
Won't Fix
Status in gnome-settings-daemon source package in Focal:
Won't Fix
Status in sssd source package in Focal:
Won't Fix
Status in gdm3 package in Debian:
Fix Released
Bug description:
[ Impact ]
The PAM profile for gdm-smartcard is missing. GDM refuses to log in
with a smartcard. Looking at ubuntu/+source/gdm3, other PAM files are
pregenerated into debian/ and installed from there; gdm-smartcard is
left out.
[ Test case ]
1. When in GDM, insert a smartcard
2. The GDM interface should ask for a user
3. The user should be set (or empty may be provided,
depending on sssd configuration)
4. The smartcard PIN should be requested and, once it is entered, the
user must log in.
Note that this requires configuring sssd beforehand; a simple local
configuration could require having sssd.conf filled with:
```ini
[sssd]
enable_files_domain = True
services = pam
[certmap/implicit_files/$USER]
matchrule = <SUBJECT>.*YOUR CARD IDENTIFIER*
[pam]
pam_cert_auth = True
```
The UI authentication can also be simulated via pamtester:
```bash
# Must be run as user
sudo apt install pamtester
pamtester -v gdm-smartcard $USER authenticate
```
Expected output is:
```
+ pamtester -v gdm-smartcard ubuntu authenticate
pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...)
pamtester: performing operation - authenticate
PIN for Test Organization Sub Int Token:
pamtester: successfully authenticated
```
---
Alternatively, if no smartcard or hardware is available, this can be tested and simulated using these scripts (they will reset the system setup at each run, but it's suggested to run them in a VM, lxd container or in a test installation):
https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a
```bash
sudo apt install gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin && \
sudo apt-mark auto gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin
wget https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-gdm-smartcard-pam-auth-tester.sh
wget https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-softhism2-certificates-tests.sh
sudo bash ./sssd-gdm-smartcard-pam-auth-tester.sh
```
The script will generate a fake certificate authority, issue some
certificates, install them in some software-based smartcards
(using softhsm2) and test that they work properly to log in with
gdm-smartcard.
Setting the `WAIT` environment variable (to any value) will make it
restart gdm at each iteration so that a user can try to access, using
the username that launched the script and the PIN 123456.
[ Regression potential ]
Smartcard authentication using custom methods via a custom-configured
system NSS database may not work anymore.
---
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gdm3 3.28.3-0ubuntu18.04.4
ProcVersionSignature: Ubuntu 5.3.0-24.26~18.04.2-generic 5.3.10
Uname: Linux 5.3.0-24-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7.11
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Fri Feb 28 14:30:30 2020
InstallationDate: Installed on 2016-05-23 (1376 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.gdm3.Xsession: 2018-04-27T11:41:04.766901
To manage notifications about this bug go to:
https://bugs.launchpad.net/gnome-settings-daemon/+bug/1865226/+subscriptions
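
A pre-flight check for the test case in the report, given here as an added example and not code from the bug report or the gist it links: it verifies that the gdm-smartcard PAM profile is installed and that sssd.conf carries the settings shown in the report before pamtester is run. The function names, the messages and the two path arguments (normally /etc/sssd/sssd.conf and /etc/pam.d) are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks the prerequisites the report lists for smartcard login.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], if any.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[.*\][ \t]*$/ {                    # section header
            s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
            insec = (s == sec); next
        }
        insec && (i = index($0, "=")) {             # key = value in our section
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# smartcard_preflight SSSD_CONF PAM_DIR: return 0 when every prerequisite is
# present; otherwise print one line per missing item and return 1.
smartcard_preflight() {
    conf=$1; pamdir=$2; rc=0
    # The bug itself: the gdm-smartcard profile was not installed.
    [ -f "$pamdir/gdm-smartcard" ] ||
        { echo "no PAM profile $pamdir/gdm-smartcard"; rc=1; }
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # Assumption of this example: the boolean is compared case-insensitively.
    case $(ini_get "$conf" pam pam_cert_auth | tr 'A-Z' 'a-z') in
        true) ;; *) echo "[pam] pam_cert_auth is not True"; rc=1 ;;
    esac
    case ",$(ini_get "$conf" sssd services | tr -d ' \t')," in
        *,pam,*) ;; *) echo "[sssd] services does not list pam"; rc=1 ;;
    esac
    # The first [certmap/...] section must carry a matchrule.
    sec=$(sed -n 's/^[[:space:]]*\[\(certmap\/[^]]*\)\].*$/\1/p' "$conf" | head -n 1)
    [ -n "$sec" ] && [ -n "$(ini_get "$conf" "$sec" matchrule)" ] ||
        { echo "no [certmap/...] section with a matchrule"; rc=1; }
    return $rc
}

# Runs only when both paths are given, for example:
#   sudo sh preflight.sh /etc/sssd/sssd.conf /etc/pam.d
if [ "$#" -eq 2 ]; then smartcard_preflight "$1" "$2"; fi
```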