On Thu, 10 Jul 2025 at 14:12:20 +0100, Simon McVittie wrote:
Workarounds and possible solutions
==================================
enable-smartcard-authentication=false
...
This is the brute-force approach that makes sure password
authentication definitely always works as expected, at the cost of
completely disabling smartcard support.
Use gdm-smartcard-sssd-or-password by default
...
The GNOME team could change gdm3 to swap the alternatives priority of
/etc/pam.d/gdm-smartcard-sssd-exclusive (currently 50) and
/etc/pam.d/gdm-smartcard-sssd-or-password (currently 40) so that the
latter becomes the new default. If we do, the cost is that sysadmins
who want to forbid password authentication will have to adjust the
alternatives to use /etc/pam.d/gdm-smartcard-sssd-exclusive (or
/etc/pam.d/gdm-smartcard-pkcs11-exclusive) instead.
Both of these are implemented in
<https://salsa.debian.org/gnome-team/gdm/-/merge_requests/30>. We should
either choose one of them and revert the other, or do both, or do some
fourth thing that I am not clever enough to think of instead.
Feedback welcome on which one we should prefer, especially from Marco.
smcv