7

Getting smartcards to work right has been difficult and now it's fubar again. I'm currently trying to figure out, exactly what changed with the upgrade to 21.04. So far I've found this:

Smart Card Authentication Smart cards are used everywhere, from Government offices to small companies. Smart cards add an additional layer of security by authorizing the person’s identity. Ubuntu 21.04 supports smart card authentication via pam_sss.

Info on pam_sss: https://manpages.ubuntu.com/manpages/bionic/man8/pam_sss.8.html

Searching for instances of pam_sss in /etc and commenting them out did nothing to help the situation, gdm still attempts to force smartcard authentication. I normally use pcscd (not for system authentication), but disabling pcscd does nothing to fix the issues. Something else is controlling the card and affecting the logon flow.

Additional details: I've updated alternatives for /etc/pam.d/gdm-smarcard using:

update-alternatives --config gdm-smartcard

Selecting /etc/pam.d/gdm-smartcard-sssd-or-password

I have then edited this file, so that the line:

auth    sufficient    pam_sss.so

no longer contains the requirements for allow_missing_name or try_cert_auth, per the pam_sss.8 manual page. No dice. Auth ignores my changes. If the smartcard reader is connected at login, it attempts to force smartcard authentication. The reader must be completely disconnected, or I am unable to login with normal username/password.

David Shepard
  • 171
  • 1
  • 6

2 Answers2

3

I've got to work this solution to login with username/password while smartcard is inserted:

  1. Disable smartcard daemon autostart by removing (or just by renaming it to .bkp)

    /etc/xdg/autostart/org.gnome.SettingsDaemon.Smartcard.desktop

  2. Remove

    org.gnome.SettingsDaemon.Smartcard;

    from RequiredComponents lists in next two files (otherwise you'll get error "Oh no! Something has gone wrong" instead or after login screen):

    /usr/share/gnome-session/sessions/gnome-login.session

    /usr/share/gnome-session/sessions/ubuntu.session

P.S. Got again error "Oh no! Something has gone wrong" after upgrade onto 21.10, cause changed files were restored during upgrade.

P.P.S. ubuntu.session says that it "# Must be in sync with gnome-session@ubuntu.target.d/ubuntu.session.conf drop-in". However system works without meddling in that file

EDIT: after recent update Smartcard daemon started somehow. Nonetheless reboot hepled.

UPD: just upgrade to Ubuntu 22.04 - there's no this problem anymore

sudo sed --in-place=.bkp --regexp-extended 's/org.gnome.SettingsDaemon.Smartcard;//' /usr/share/gnome-session/sessions/gnome-login.session
sudo sed --in-place=.bkp --regexp-extended 's/org.gnome.SettingsDaemon.Smartcard;//' /usr/share/gnome-session/sessions/ubuntu.session
sudo f=/etc/xdg/autostart/org.gnome.SettingsDaemon.Smartcard.desktop mv "$f" "$f.bkp"
Leonid
  • 51
1

Sadly, 24.10 resets the workaround by @Leonid on upgrade, but leaves the .desktop file renamed, causing an "Oh no! Something has gone wrong" error.

3v1n0 on Launchpad posted a better workaround using gsettings, confirmed working on 24.10:

sudo -u gdm env -u XDG_RUNTIME_DIR -u DISPLAY DCONF_PROFILE=gdm dbus-run-session gsettings set org.gnome.login-screen enable-smartcard-authentication false
md657
  • 11