[Bug 1231843] New: GDM login without auth
https://bugzilla.suse.com/show_bug.cgi?id=1231843

Bug ID: 1231843
Summary: GDM login without auth
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Slowroll
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mrueckert@suse.com
QA Contact: qa-bugs@suse.de
CC: dleuenberger@suse.com
Target Milestone: ---
Found By: ---
Blocker: ---

A few weeks ago gdm started to act weird. The login page no longer listed any users. When I tried entering a username and tried to get to a password prompt, nothing happened.

This weekend I had my yubikey removed for some testing and the GDM looked normal again, which brought me to do some testing. But before I tested starting gdm without my yubikey, I entered a username and without doing anything else, it logged me in. o.O

Which led me to dig deeper.

1. If a pkcs11 device (like my yubikey) is attached, accountsservice ListsCachedUsers only returns users with a pkcs11 key set up for them, apparently. This explains why the "recent user list" in gdm was suddenly empty.

2. To make some progress with debugging why gdm no longer works, I reinstalled all gnome patterns with recommends enabled. This pulled in pam_pkcs11. This allowed /usr/lib/pam.d/gdm-smartcard to load; before, it failed because of the missing module.

3. Let's test this:

```
cp /usr/lib/pam.d/gdm-smartcard sudo-i-pam_gdm-reproduce
ln -s sudo-i-pam_gdm-reproduce sudo-i
sudo -i
ERROR:pam_pkcs11.c:313: Failed to initialize crypto
root@fortress ~ #
```

Yup, got right in.
```
rpm -e --nodeps pam_pkcs11
```

and

```
sudo -i
sudo: PAM authentication error: Module is unknown
sudo: a password is required
```

Commenting out the pam_pkcs11:

```
sudo -i
root@fortress ~ #
```

All the potentially affected pam files:

```
grep pam_gdm *
gdm-autologin:auth optional pam_gdm.so
gdm-fingerprint:auth [success=ok default=1] pam_gdm.so
gdm-smartcard:auth [success=ok default=1] pam_gdm.so
```

I am not sure if totally related ... but the shadowing of the i variable here looks broken:

https://gitlab.gnome.org/GNOME/gdm/-/commit/f365ba1d55c186e2aa93ecf2c897af24...

--
You are receiving this mail because:
You are on the CC list for the bug.
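An audit helper for the check the report does by hand with `grep pam_gdm *`, added here as an example and not part of the original report or of GDM: it lists every `auth` entry that references the named modules, keeps bracketed controls such as `[success=ok default=1]` intact, and says whether the module file is installed. The function name `pam_auth_audit` and the module directory in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the bug report).
# Usage: pam_auth_audit PAM_DIR MODULE_DIR MODULE...
# e.g.   pam_auth_audit /usr/lib/pam.d /usr/lib64/security pam_gdm.so pam_pkcs11.so
#        (/usr/lib64/security is an assumed module directory; adjust per system)
# Output: service <TAB> control <TAB> module <TAB> present|missing
# Limitation: backslash-continued lines are not joined.
pam_auth_audit() {
    pam_dir=$1; mod_dir=$2; shift 2
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) sel[w[i]] = 1 }
        /^[ \t]*#/ || NF < 3 { next }
        {
            type = $1; sub(/^-/, "", type)   # "-auth" is still the auth stack
            if (type != "auth") next
            # control is one word or a bracketed list that may contain spaces
            ctl = $2; k = 3
            if (ctl ~ /^\[/) while (ctl !~ /\]$/ && k <= NF) ctl = ctl " " $(k++)
            # include/substack name another service file, not a module
            if (ctl == "include" || ctl == "substack" || k > NF) next
            mod = $k; base = mod; sub(/.*\//, "", base)
            if (base in sel) print ctl "\t" mod
        }' "$f" |
        while IFS="$(printf '\t')" read -r ctl mod; do
            # relative module names are resolved against MODULE_DIR
            case $mod in /*) path=$mod ;; *) path=$mod_dir/$mod ;; esac
            if [ -e "$path" ]; then state=present; else state=missing; fi
            printf '%s\t%s\t%s\t%s\n' "${f##*/}" "$ctl" "${mod##*/}" "$state"
        done
    done
}
```

Running it before and after a package change shows which service files start resolving a module that was previously `missing`, which is the transition described in step 2 of the report.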