Ubuntu 22.04LTS forces the use of YubiKey on login without activating it.
We have a machine that uses a YubiKey to decrypt its hard drive on boot. After the decryption, we would sometimes leave the YubiKey plugged into the machine. After upgrading from Ubuntu 20.04LTS to Ubuntu 22.04LTS, we noticed that the Ubuntu login screen would not let us log in with the usual username and password. Instead, it forced us to use the smartcard, which was never configured. To log in, we had to remove the YubiKey from the machine first. The following post uses a solution from the bug page below to mitigate this issue.
https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1933027
First, we used the following command to verify the available options:
    sudo update-alternatives --config gdm-smartcard
The results it produced were the following:
    $ sudo update-alternatives --config gdm-smartcard
    There are 3 choices for the alternative gdm-smartcard (providing /etc/pam.d/gdm-smartcard).

      Selection    Path                                        Priority   Status
    ------------------------------------------------------------
    * 0            /etc/pam.d/gdm-smartcard-sssd-exclusive     50         auto mode
      1            /etc/pam.d/gdm-smartcard-pkcs11-exclusive   30         manual mode
      2            /etc/pam.d/gdm-smartcard-sssd-exclusive     50         manual mode
      3            /etc/pam.d/gdm-smartcard-sssd-or-password   40         manual mode
As recommended by the comments in the bug report, we edited the file /var/lib/dpkg/alternatives/gdm-smartcard to add a new option. We changed it from this:

    $ cat /var/lib/dpkg/alternatives/gdm-smartcard
    auto
    /etc/pam.d/gdm-smartcard

    /etc/pam.d/gdm-smartcard-pkcs11-exclusive
    30
    /etc/pam.d/gdm-smartcard-sssd-exclusive
    50
    /etc/pam.d/gdm-smartcard-sssd-or-password
    40

to this:

    $ cat /var/lib/dpkg/alternatives/gdm-smartcard
    auto
    /etc/pam.d/gdm-smartcard

    /etc/pam.d/gdm-smartcard-pkcs11-exclusive
    30
    /etc/pam.d/gdm-smartcard-sssd-exclusive
    50
    /etc/pam.d/gdm-smartcard-sssd-or-password
    40
    /etc/pam.d/gdm-password
    60
The new line would give us the option to log in with a username and password, even though the smartcard was still plugged in.
To use the new line, we executed the following command again:
    sudo update-alternatives --config gdm-smartcard
and we selected the new option, number 4.
    $ sudo update-alternatives --config gdm-smartcard
    There are 4 choices for the alternative gdm-smartcard (providing /etc/pam.d/gdm-smartcard).

      Selection    Path                                        Priority   Status
    ------------------------------------------------------------
      0            /etc/pam.d/gdm-password                     60         auto mode
      1            /etc/pam.d/gdm-smartcard-pkcs11-exclusive   30         manual mode
      2            /etc/pam.d/gdm-smartcard-sssd-exclusive     50         manual mode
      3            /etc/pam.d/gdm-smartcard-sssd-or-password   40         manual mode
      4            /etc/pam.d/gdm-password                     60         manual mode

    Press <enter> to keep the current choice[*], or type selection number: 4
    update-alternatives: using /etc/pam.d/gdm-password to provide /etc/pam.d/gdm-smartcard (gdm-smartcard) in manual mode
On reboot, we were able to log in using the username and password combination, even though the YubiKey was still plugged in.
Notes
A) After performing this change, we had to type in both the username and password.
B) If you mistype something in the file /var/lib/dpkg/alternatives/gdm-smartcard, you will get an error when you try to execute the update command. For example, not keeping an empty line at the end of the file produces the error below:
    $ sudo nano /var/lib/dpkg/alternatives/gdm-smartcard
    $ sudo update-alternatives --config gdm-smartcard
    update-alternatives: error: /var/lib/dpkg/alternatives/gdm-smartcard corrupt: unexpected end of file while trying to read master file
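The mistake in note B can be caught before update-alternatives ever reads the file. The shell function below is an added example, not part of the original post or the bug report: it checks a hand-edited file against the layout update-alternatives reads (status, link, slave pairs ended by an empty line, then path and priority entries ended by an empty line). The names check_alternatives_db and write_sample_db are hypothetical, and the sample file is constructed from the entries shown in this post.

```shell
#!/bin/sh
# Added example: pre-flight check for a hand-edited dpkg alternatives file.
# Layout checked, one field per line:
#   status (auto|manual), link, [slave name, slave link]..., empty line,
#   [path, priority, one line per slave]..., empty line
check_alternatives_db() {
    awk '
    function fail(msg) {
        print FILENAME ": line " NR ": " msg > "/dev/stderr"
        bad = 1
        exit 1
    }
    NR == 1 { if ($0 != "auto" && $0 != "manual") fail("status must be auto or manual"); next }
    NR == 2 { if ($0 !~ /^\//) fail("link must be an absolute path"); state = "slave_name"; next }
    state == "slave_name" {            # slave list ends at an empty line
        if ($0 == "") { state = "path" } else { nslaves++; state = "slave_link" }
        next
    }
    state == "slave_link" { state = "slave_name"; next }
    state == "path" {                  # alternatives list ends at an empty line
        if ($0 == "") { state = "done"; next }
        if ($0 !~ /^\//) fail("alternative path must be absolute")
        state = "priority"; next
    }
    state == "priority" {
        if ($0 !~ /^-?[0-9]+$/) fail("priority must be an integer on its own line")
        left = nslaves + 0; state = (left > 0) ? "slave_path" : "path"; next
    }
    state == "slave_path" { if (--left == 0) state = "path"; next }
    state == "done" { fail("data after the terminating empty line") }
    END {
        if (bad) exit 1
        if (state != "done") {
            print FILENAME ": unexpected end of file, terminating empty line missing" > "/dev/stderr"
            exit 1
        }
    }' "$1"
}

# Constructed sample: the file from this post after adding gdm-password.
write_sample_db() {
    printf '%s\n' auto /etc/pam.d/gdm-smartcard '' \
        /etc/pam.d/gdm-smartcard-pkcs11-exclusive 30 \
        /etc/pam.d/gdm-smartcard-sssd-exclusive 50 \
        /etc/pam.d/gdm-smartcard-sssd-or-password 40 \
        /etc/pam.d/gdm-password 60 '' > "$1"
}
```

Source the file and run `check_alternatives_db /var/lib/dpkg/alternatives/gdm-smartcard` after editing and before `update-alternatives --config`; a non-zero exit status means the file would be rejected.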