On Thu, 10 Jul 2025 at 14:12:20 +0100, Simon McVittie wrote:
Workarounds and possible solutions
==================================

enable-smartcard-authentication=false
...
This is the brute-force approach that makes sure password
authentication definitely always works as expected, at the cost of
completely disabling smartcard support.

Use gdm-smartcard-sssd-or-password by default
...
The GNOME team could change gdm3 to swap the alternatives priority of
/etc/pam.d/gdm-smartcard-sssd-exclusive (currently 50) and
/etc/pam.d/gdm-smartcard-sssd-or-password (currently 40) so that the
latter becomes the new default. If we do, the cost is that sysadmins
who want to forbid password authentication will have to adjust the
alternatives to use /etc/pam.d/gdm-smartcard-sssd-exclusive (or
/etc/pam.d/gdm-smartcard-pkcs11-exclusive) instead.

Both of these are implemented in
<https://salsa.debian.org/gnome-team/gdm/-/merge_requests/30>. We should
either choose one of them and revert the other, or do both, or do some
fourth thing that I am not clever enough to think of instead.

Feedback welcome on which one we should prefer, especially from Marco.

smcv