7

Getting smartcards to work right has been difficult and now it's fubar again. I'm currently trying to figure out, exactly what changed with the upgrade to 21.04. So far I've found this:

Smart Card Authentication Smart cards are used everywhere, from Government offices to small companies. Smart cards add an additional layer of security by authorizing the person’s identity. Ubuntu 21.04 supports smart card authentication via pam_sss.

Info on pam_sss: https://manpages.ubuntu.com/manpages/bionic/man8/pam_sss.8.html

Searching for instances of pam_sss in /etc and commenting them out did nothing to help the situation, gdm still attempts to force smartcard authentication. I normally use pcscd (not for system authentication), but disabling pcscd does nothing to fix the issues. Something else is controlling the card and affecting the logon flow.

Additional details: I've updated alternatives for /etc/pam.d/gdm-smarcard using:

update-alternatives --config gdm-smartcard

Selecting /etc/pam.d/gdm-smartcard-sssd-or-password

I have then edited this file, so that the line:

auth    sufficient    pam_sss.so

no longer contains the requirements for allow_missing_name or try_cert_auth, per the pam_sss.8 manual page. No dice. Auth ignores my changes. If the smartcard reader is connected at login, it attempts to force smartcard authentication. The reader must be completely disconnected, or I am unable to login with normal username/password.

David Shepard
  • 161
  • 5
  • Uninstalling `libpam-sss` and selecting the alternative `/etc/pam.d/gdm-smartcard-sssd-or-password` with `update-alternatives --config gdm-smartcard` allowed me to log in via password again even with a smartcard reader attached. – Fabian Meumertzheim Jun 03 '21 at 21:02
  • I tried the solution provided by Fabian and still unable to login. I have to disconnect my Yubikey to login. – Marcos Alano Jun 27 '21 at 23:11
  • I filed https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/1940809. – Fabian Meumertzheim Aug 23 '21 at 07:46

1 Answers1

3

I've got to work this solution to login with username/password while smartcard is inserted:

  1. Disable smartcard daemon autostart by removing (or just by renaming it to .bkp)

    /etc/xdg/autostart/org.gnome.SettingsDaemon.Smartcard.desktop

  2. Remove

    org.gnome.SettingsDaemon.Smartcard;

    from RequiredComponents lists in next two files (otherwise you'll get error "Oh no! Something has gone wrong" instead or after login screen):

    /usr/share/gnome-session/sessions/gnome-login.session

    /usr/share/gnome-session/sessions/ubuntu.session

P.S. Got again error "Oh no! Something has gone wrong" after upgrade onto 21.10, cause changed files were restored during upgrade.

P.P.S. ubuntu.session says that it "# Must be in sync with gnome-session@ubuntu.target.d/ubuntu.session.conf drop-in". However system works without meddling in that file

EDIT: after recent update Smartcard daemon started somehow. Nonetheless reboot hepled.

UPD: just upgrade to Ubuntu 22.04 - there's no this problem anymore

sudo sed --in-place=.bkp --regexp-extended 's/org.gnome.SettingsDaemon.Smartcard;//' /usr/share/gnome-session/sessions/gnome-login.session
sudo sed --in-place=.bkp --regexp-extended 's/org.gnome.SettingsDaemon.Smartcard;//' /usr/share/gnome-session/sessions/ubuntu.session
sudo f=/etc/xdg/autostart/org.gnome.SettingsDaemon.Smartcard.desktop mv "$f" "$f.bkp"
Leonid
  • 51
  • 6
  • While my solution posted in a comment to the original question no longer works for me on Ubuntu 21.10, this answer does. It also improves the UI by letting me select rather than type the username again. – Fabian Meumertzheim Oct 24 '21 at 12:15