Answering some of the questins, while I'll let Matthew comment on the rest.
b) Yes, in gdm the smartcard is absolutely necessary and there's no fallback. I haven't seen a fallback request in other situations either, but only when running 'sudo'. However, considering the upstream commit, I wouldn't be surprised if there are other corner cases where a user would be able to fallback to password authentication when they shouldn't. c) I can't remember the bug, but there was a problem in the yubikey package in our repository, and I had to use a newer version, which is available in the PPA. I'll try to find what the error was and file a separate bug, but this SSSD issue doesn't have anything to do with the yubikey problem and would happen with any kind of smartcards. d) Yes, that exactly how pam-auth-update in noble leaves the config. I just tried removing the second line with "pam_sss.so use_first_pass" and I can still fallback to password on sudo when I remove the smartcard -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2081129 Title: libpam-sss: require_cert_auth is not absolute, will fall back to password auth on smartcard removal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2081129/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
