Bug 2182015 - Clarify `/etc/pam.d/sddm` choices
Summary: Clarify `/etc/pam.d/sddm` choices
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: sddm
Version: 39
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Neal Gompa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-03-27 09:34 UTC by Cristian Le
Modified: 2023-08-16 07:12 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Cristian Le 2023-03-27 09:34:56 UTC 
Primarily, I want to raise the question about the line:
```
auth        substack      password-auth
```

Why do we use `substack` instead of `include` here? I have encountered an issue with `pam-u2f`/`pam-fprintd` configured as `sufficient` (haven't thoroughly tested `required`), where when I try to login, it simply hangs. This issue does not occur when I change from `substack` to `include`. Is anyone able to replicate or explain the choice of `substack`?

And another issue prompted by `authselect` in this issue[1] is, why are we using `password-auth`? They have suggested that we should be using `system-auth` instead, because the former is specific for password-like authenthication and stuff like login via fingerprint or yubikeys should be in the more general system-auth. There is an issue of course with gnome-keyring missing a password, which I have raised in the issue, but this seems to be more of a design issue all-around with secret-service/gnome-keyring/pam and passwordless authenthicators.
Comment 1 Fedora Release Engineering 2023-08-16 07:12:34 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.
Note You need to log in before you can comment on or make changes to this bug.