GDM only offers smart card pin option for login if yubikey/smart card is present on service startup
On RHEL 9, GDM only offers the smart card PIN option for login if a YubiKey or smart card reader is plugged in when gdm.service starts. Thus, if you don't have either of these PIV options inserted at boot, you will only be able to log in with a local account. If you insert the YubiKey or smart card reader once the login screen is already up, no amount of waiting will present the PIN prompt option. This was not an issue on RHEL 8. If a local account with root access is available, one can plug in the YubiKey or smart card reader and run systemctl restart gdm.service after boot-up with the reader plugged in, and the smart card login PIN prompt will promptly be available at the GDM login screen.
Attached are the logs (journalctl -u gdm -b) with a yubikey plugged in on boot (Boot_with_yubikey_in) and no reader plugged in on boot (Boot_with_yubikey_out).
We do not have any udev rules in play.
I don't think there is anything that needs to be changed in /etc/pam.d/gdm-password or /etc/pam.d/gdm-smartcard, but here are the configurations of those two files:
cat /etc/pam.d/gdm-password
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth optional pam_gnome_keyring.so
auth include postlogin
auth optional pam_yubico.so debug debug_file=/var/log/pam_yubico.log
account required pam_nologin.so
account include password-auth
password substack password-auth
-password optional pam_gnome_keyring.so use_authtok
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include password-auth
session optional pam_gnome_keyring.so auto_start
session include postlogin
cat /etc/pam.d/gdm-smartcard
auth substack smartcard-auth
auth include postlogin
account required pam_nologin.so
account include smartcard-auth
password include smartcard-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include smartcard-auth
session include postlogin
uname -a
Linux GA-49GTDW2 5.14.0-362.18.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jan 3 15:54:45 EST 2024 x86_64 x86_64 x86_64 GNU/Linux
Below is a test of what lsusb sees for devices. Test performed:
- restart gdm.service
- 1st run of lsusb. YubiKey and OmniKey card reader not plugged in.
- Plug in both devices
- run lsusb again. Both devices show up (Device 010 and Device 011)
[root@GA-49GTDW2 /]# systemctl restart gdm.service
[root@GA-49GTDW2 /]# lsusb
Bus 002 Device 002: ID 0bda:0411 Realtek Semiconductor Corp. Hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 0461:4d51 Primax Electronics, Ltd 0Y357C PMX-MMOCZUL (B) [Dell Laser Mouse]
Bus 001 Device 004: ID 413c:2113 Dell Computer Corp. KB216 Wired Keyboard
Bus 001 Device 003: ID 0bda:5411 Realtek Semiconductor Corp. RTS5411 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
[root@GA-49GTDW2 /]# lsusb
Bus 002 Device 002: ID 0bda:0411 Realtek Semiconductor Corp. Hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 0461:4d51 Primax Electronics, Ltd 0Y357C PMX-MMOCZUL (B) [Dell Laser Mouse]
Bus 001 Device 010: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID
Bus 001 Device 004: ID 413c:2113 Dell Computer Corp. KB216 Wired Keyboard
Bus 001 Device 011: ID 076b:3022 OmniKey AG CardMan 3121 (HID Technologies)
Bus 001 Device 003: ID 0bda:5411 Realtek Semiconductor Corp. RTS5411 Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
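The before/after lsusb comparison above can be automated so that a reader plugged in after gdm.service started (and therefore never offered a PIN prompt) is listed explicitly. The script below is an added example and is not part of the bug report; it assumes the Yubico (1050) and OmniKey (076b) vendor IDs seen in the report's own lsusb output and embeds a constructed copy of those two snapshots as sample input.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report: diff two lsusb snapshots and
# report smart-card readers present only in the second one, i.e. readers
# that were not attached when gdm.service started and so got no PIN prompt.
# Assumed vendor IDs: 1050 = Yubico, 076b = OmniKey (from the report's lsusb).
READER_VENDORS='1050|076b'

# Print "vendor:product description" for each reader line in lsusb output on stdin.
reader_devices() {
    grep -E "ID (${READER_VENDORS}):" \
        | sed -E 's/^.*ID ([0-9a-f]{4}:[0-9a-f]{4}) (.*)$/\1 \2/' | sort -u
}

# Print readers in snapshot $2 (taken now) that were absent from snapshot $1
# (taken right after gdm.service started).
readers_added_since() {
    before=$(reader_devices < "$1")
    reader_devices < "$2" | while IFS= read -r dev; do
        case "$before" in
            *"$dev"*) ;;                      # already present at GDM start
            *) printf '%s\n' "$dev" ;;        # plugged in later: GDM never saw it
        esac
    done
}

# Constructed sample snapshots reproducing the report's two lsusb runs
# (hub and mouse lines trimmed); prints the directory holding them.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/before" <<'EOF'
Bus 002 Device 002: ID 0bda:0411 Realtek Semiconductor Corp. Hub
Bus 001 Device 004: ID 413c:2113 Dell Computer Corp. KB216 Wired Keyboard
EOF
    cat > "$dir/after" <<'EOF'
Bus 002 Device 002: ID 0bda:0411 Realtek Semiconductor Corp. Hub
Bus 001 Device 010: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID
Bus 001 Device 004: ID 413c:2113 Dell Computer Corp. KB216 Wired Keyboard
Bus 001 Device 011: ID 076b:3022 OmniKey AG CardMan 3121 (HID Technologies)
EOF
    printf '%s\n' "$dir"
}

# Usage: save `lsusb` output right after `systemctl restart gdm.service`, then
# run with that file and a fresh capture; with no arguments the sample is used.
if [ "$#" -eq 2 ]; then
    readers_added_since "$1" "$2"
else
    d=$(write_samples); readers_added_since "$d/before" "$d/after"; rm -rf "$d"
fi
```

Any device the script lists is one GDM did not see at service start, which on this RHEL 9 build means the PIN option will only appear after gdm.service is restarted.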