This bug was fixed in the package gdm3 - 43.0-3ubuntu1

---------------
gdm3 (43.0-3ubuntu1) lunar; urgency=medium

  [ Simon McVittie ]
  * d/tests: Don't reset root password.
    Even if the root password is blank, we want to assert that
    authentication still doesn't succeed, because we explicitly don't allow
    smart card authentication as root.
  * d/tests: Explicitly use blank input when checking for blank password.
    Otherwise we could block indefinitely when running tests that have an
    interactive console available.

  [ Marco Trevisan (Treviño) ]
  * debian/tests/control: Add explicit dependency on libpam-sss.
    Even though it could be an implicit one it's still what we're testing
  * debian/tests/sssd-gdm-smartcard-pam-auth-tester.sh: Some minor cleanups
  * debian/tests/control,
    debian/tests/sssd-gdm-smartcard-pam-auth-tester-env.sh Manually use sudo
    as ubuntu autopkgtest does not support needs-sudo yet
  * debian/gdm3.install: Do not list config files, just install all gdm3 ones
    That's used as is in ubuntu (where we install more data and we use the
    upstream `custom.conf` name for config file), so we don't have to diverge.
  * Merge with debian, remaining changes:
    + readme.debian: update for correct paths in ubuntu
    + control.in:
      - don't recommend desktop-base
      - depend on bash for config_error_dialog.patch
      - update vcs field
    + rules:
      - don't override default user/group
      - -dgdm-xsession=true to install upstream xsession script
      - override dh_installinit with --no-start to avoid session being killed
    + rules, readme.debian, gdm3.8.pod:
      use upstream custom.conf instead of daemon.conf
    + gdm3.{postinst,postrm}: rename user and group back to gdm
    + debian/tests/control:
      - Use gdm user name
      - Use needs-root instead of needs-sudo (to remove when ubuntu autopkgtest
        will be updated to include such feature)
    + debian/tests/sssd-gdm-smartcard-pam-auth-tester-env.sh:
      - Added to use needs-root autopkgtest instead of needs-sudo
    + gdm3.*.pam: make pam_env read ~/.pam_environment, as we use in g-c-c
      settings
    + gdm3.install:
      - don't install debian/xsession
    + add run_xsession.d.patch
    + add xresources_is_a_dir.patch
      - fix loading from /etc/x11/xresources/*
    + add nvidia_prime.patch:
      - add hook to run prime-offload (as root) and prime-switch if
        nvidia-prime is installed
    + add revert_override_lang_with_accountservices.patch:
      - on ubuntu accountservices only stores the language and not the
        full locale as needed by lang.
    + add dont_set_language_env.patch:
      - don't run the set_up_session_language() function, since it
        overrides variable values set by ~/.pam_environment
    + add config_error_dialog.patch:
      - show warning dialog in case of error in ~/.profile etc. and
        don't let a syntax error make the login fail
    + add debian/patches/revert_nvidia_wayland_blacklist.patch:
      - don't blacklist nvidia for wayland
    + add gdm3.service-wait-for-drm-device-before-trying-to-start-i.patch:
      - wait for the first valid gdm device on pre-start
    + add prefer_ubuntu_session_fallback.patch:
      - Prefer ubuntu session as fallback instead of GNOME
    + add XSession-Use-x-terminal-emulator-as-fallback-instead-of-x.patch:
      - Use x-terminal-emulator as fallback instead of xterm
    + add Revert-data-Disable-GDM-on-hybrid-graphics-laptops-with-v.patch:
      - Don't disable Wayland on hybrid graphics laptops
    + add debian/default.pa
      - disable bluetooth audio devices in pulseaudio from gdm3.
    + debian/gdm3.install
      - added details of the default.pa file
    + debian/gdm3.postinst
      - added installation of default.pa and creation of dir if it doesn't
        exist.
    + debian/greeter.dconf-defaults: don't set debian settings in the
      greeter's dconf db

gdm3 (43.0-3) unstable; urgency=medium

  * Team upload

  [ Marco Trevisan (Treviño) ]
  * debian/tests/control: Use multi-line Test-Command for easier
    maintenance
  * debian/tests/sssd-gdm-smartcard-pam-auth-tester.sh:
    Assert that entering the wrong PIN leads to authentication failure

  [ Patrice Duroux ]
  * d/rules: Generate one man page at a time.
    Otherwise, the content of one arbitrary .pod file gets duplicated into
    each of the man pages. (Closes: #1029839)

  [ Simon McVittie ]
  * d/tests: Avoid autopkgtest failure if test user has blank password.
    If the test user has a blank password (which might be the case in an
    expendable test VM) and PAM accepts blank passwords, then
    gdm-smartcard-sssd-or-password will always authenticate successfully.
    If that's the case, temporarily change the user's password to be
    non-empty while running our tests. Also do the same for root.
  * Move dbus-daemon security policy from /etc to /usr/share
  * d/control.in: Drop unnecessary dependency on lsb-base
  * d/control.in: Remove Multi-Arch: same from gir1.2-gdm-1.0.
    It is not usefully multi-arch co-installable because it depends on
    libgdm1, which contains /usr/bin/gdmflexiserver.
  * d/po/sv.po: Transcode from ISO-8859-1 to UTF-8
  * Update syntax of Lintian overrides
  * Standards-Version: 4.6.2 (no changes required)

gdm3 (43.0-2) unstable; urgency=medium

  * debian/gdm3-gdm-smartcard*: Do not fail if pam_succeed_if succeeded.
    We were not handling the success case in pam_succeed_if.so, and so even
    if other modules were successful, gdm-smartcard was failing with a
    permission denied error, because the pam_succeed_if default was bad, and
    this was applied to the success case too.
    Alternatively we could even just use success=ignore here, but it's
    better to be consistent with other usages. (LP: #1999884)
  * debian/gdm3.gdm-smartcard-sssd-or-password.pam: Always load gnome keyring
    and nologin.
    Ensure that we load the nologin and gnome-key-ring modules also if sss
    module succeeded.
  * debian/tests: Add autopkg tests testing gdm smartcard authentication.
    Create fake certificates from fake CA's and verify they can be used
    from a virtual smartcard.

 -- Marco Trevisan (Treviño) <ma...@ubuntu.com>  Tue, 31 Jan 2023 18:16:20 +0100

** Changed in: gdm3 (Ubuntu)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1999884

Title:
  gdm-smartcard not passing successful authentication to desktop at
  system logon

Status in gdm3 package in Ubuntu:
  Fix Released
Status in sssd package in Ubuntu:
  Incomplete
Status in gdm3 source package in Jammy:
  In Progress
Status in gdm3 source package in Kinetic:
  In Progress

Bug description:
  [ Impact ]

  gdm-smartcard returns a Permission denied when logging in with a user
  name:

  + pamtester -v gdm-smartcard ubuntu authenticate
  pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...)
  pamtester: performing operation - authenticate
  PIN for Test Organization Root Tr Token:
  pamtester: Permission denied

  Using an empty user name works instead.

  [ Test case ]

  1. Use a smartcard to log in to gdm

  This can also be simulated via:

  # Must be run as user
  sudo apt install pamtester
  pamtester -v gdm-smartcard $USER authenticate

  Expected output is
  + pamtester -v gdm-smartcard ubuntu authenticate
  pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...)
  pamtester: performing operation - authenticate
  PIN for Test Organization Sub Int Token:
  pamtester: successfully authenticated

  ---

  Alternatively, if no smartcard or hardware is available, this can be
  tested and simulated using these scripts (they will reset the system
  setup at each run, but it's suggested to run them in a VM, lxd
  container or in a test installation):
   https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a

  - sudo apt install gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin && \
    sudo apt-mark auto gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin
  - wget https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-gdm-smartcard-pam-auth-tester.sh
  - sudo sssd-gdm-smartcard-pam-auth-tester.sh

  The script will generate some fake CA authority, issue some
  certificates, install them in some software-based smartcards
  (using softhsm2) and test that they work properly to log in with
  gdm-smartcard.

  Setting the `WAIT` environment variable (to any value) will make it
  restart gdm at each iteration so that a user can try to access, using
  the username that launched the script and the pin of 123456.

  [ Regression Potential ]

  A root user could access pam_sss, however it's the responsibility
  of such module to block such access.

  ---

  For information I've repeated this entire process on RHEL8 and it
  works there, it also was working upon last test on Ubuntu 20.04

  Releases: 22.04 LTS and 22.10
  Package Version (for reporting purposes): 43.0-1ubuntu1

  Background:

  System has been configured with sssd, krb5 and pkinit.  All of these
  packages confirm a successful connection to the Active Directory
  Domain Controller.  I have a YubiKey which has a CA generated
  certificate on it (with all required uses/capabilities including sign)
  and this is working fine on other systems.

  Expected Behavior:

  Insert YubiKey before boot.  At the logon window press enter on the
  Username field.  Select the certificate, enter PIN when prompted.
  Authenticate to desktop.

  What is happening:

  Insert YubiKey before boot.  At the logon window press enter on the
  Username field.  Select the certificate, enter PIN when prompted.
  Returns to Username field and does not log in.

  Other:

  This is a clean install of 22.10 updated to 16 Dec 2022.  I also tried
  the same thing with 22.04 LTS just in case.

  I have enabled level 6 logging on SSSD and can confirm that side of
  the entire process is fine.  I can also log on with a password and do
  a kinit <username> and get a valid kerberos ticket.

  With some systematic tests, I managed to pinpoint the login is failing
  after gdm-smartcard reports a successful login:

  Dec 16 10:25:43 ubu-vm-2022 gdm-smartcard]: gkr-pam: stashed password to try later in open session
  Dec 16 10:26:22 ubu-vm-2022 gdm-smartcard]: pam_sss(gdm-smartcard:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=b...@authenticate.me.uk

  I did not have this problem on 20.04.

  ProblemType: Bug
  DistroRelease: Ubuntu 22.10
  Package: gdm3 43.0-1ubuntu1
  ProcVersionSignature: Ubuntu 5.19.0-26.27-generic 5.19.7
  Uname: Linux 5.19.0-26-generic x86_64
  ApportVersion: 2.23.1-0ubuntu3
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Dec 16 11:43:25 2022
  InstallationDate: Installed on 2022-12-16 (0 days ago)
  InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)
  SourcePackage: gdm3
  UpgradeStatus: No upgrade log present (probably fresh install)
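
The failure mode described in the 43.0-2 changelog entry and in the [ Impact ] section, as an added example that is not part of the original report or of the gdm3 packaging: a simplified Python model of how Linux-PAM evaluates bracket controls, showing how a guard line whose control does not list `success` turns a passing check into "Permission denied". The control dictionaries are constructed for illustration and are assumptions, not the package's own PAM lines.

```python
# Simplified model of how Linux-PAM folds module results into one stack result.
# Only the actions ok, done, ignore, bad and die are modelled (no jumps, no reset).
SUCCESS, AUTH_ERR, PERM_DENIED = "success", "auth_err", "perm_denied"

def run_stack(stack):
    """stack is a list of (control, module_result); returns the stack result."""
    impression, status = None, SUCCESS          # None: no module has voted yet
    for control, result in stack:
        # A result that is not listed in the control takes the default action.
        action = control.get(result, control["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", result
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":        # first failure fixes the status
                impression, status = "negative", result
            if action == "die":
                break
        # "ignore": the module result does not contribute at all
    # A stack with no positive vote can never return success.
    if status == SUCCESS and impression != "positive":
        status = PERM_DENIED
    return status

# "required" written out in bracket form.
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"}
# Constructed controls for a "user != root" guard line; not the package's own lines.
GUARD_BEFORE = {"default": "bad"}                        # success falls to default
GUARD_AFTER = {"success": "ok", "default": "bad"}        # success handled explicitly
GUARD_ALT = {"success": "ignore", "default": "bad"}      # the alternative mentioned

def login(guard, guard_result, card_result):
    """Guard module first, then the module that verifies the smart card."""
    return run_stack([(guard, guard_result), (REQUIRED, card_result)])

if __name__ == "__main__":
    for name, guard in (("before", GUARD_BEFORE), ("after", GUARD_AFTER), ("alt", GUARD_ALT)):
        print(name, "user:", login(guard, SUCCESS, SUCCESS),
              "| root:", login(guard, AUTH_ERR, SUCCESS))
```

In all three variants a failing guard (the root case) still ends the stack with a failure, which is the property the d/tests entries above assert.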
