From 68976aadfb6c311196012439d97094c8244cdc49 Mon Sep 17 00:00:00 2001 From: Joan Torres Lopez Date: Thu, 18 Sep 2025 16:42:37 +0200 Subject: [PATCH 1/3] session: Log JSON request when GDM_DEBUG_JSON_REQUESTS is set This is only useful for debugging and testing. --- daemon/gdm-session.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/daemon/gdm-session.c b/daemon/gdm-session.c index 388b0d037..9affbc438 100644 --- a/daemon/gdm-session.c +++ b/daemon/gdm-session.c @@ -846,8 +846,9 @@ gdm_session_handle_custom_json_request (GdmDBusWorkerManager *worker_manager_in if (conversation != NULL) { set_pending_query (conversation, invocation); - g_debug ("GdmSession: emitting custom JSON request '%s' v%u", - protocol, version); + if (g_getenv ("GDM_DEBUG_JSON_REQUESTS") != NULL) + g_message ("GdmSession: emitting custom JSON request '%s' v%u: %s", + protocol, version, request); gdm_dbus_user_verifier_custom_json_emit_request (custom_json_interface, service_name, protocol, -- 2.51.1 From bb975dec28884e371a5a54ae524315b8b7a7ea13 Mon Sep 17 00:00:00 2001 From: Ray Strode Date: Mon, 22 Jan 2024 09:40:39 -0500 Subject: [PATCH 2/3] data: Add support for unified authentication At the moment, every authentication mechanism gets its own separate PAM conversation. Some PAM modules, like pam_sss, support more than one way to authenticate the user. Rather than starting several conversations, one for each mechanism, this commit adds a new "unified" authentication setting. --- data/meson.build | 1 + data/org.gnome.login-screen.gschema.xml | 30 +++++++++++++++++++++++++ data/pam-redhat/gdm-switchable-auth.pam | 18 +++++++++++++++ 3 files changed, 49 insertions(+) create mode 100644 data/pam-redhat/gdm-switchable-auth.pam diff --git a/data/meson.build b/data/meson.build index e82ce7ac1..2cbbf83e4 100644 --- a/data/meson.build +++ b/data/meson.build @@ -95,6 +95,7 @@ pam_data_files_map = { 'gdm-fingerprint', 'gdm-smartcard', 'gdm-password', + 'gdm-switchable-auth', ], 'openembedded': [ 'gdm-autologin', diff --git a/data/org.gnome.login-screen.gschema.xml b/data/org.gnome.login-screen.gschema.xml index 5a547e9b8..cf6b03820 100644 --- a/data/org.gnome.login-screen.gschema.xml +++ b/data/org.gnome.login-screen.gschema.xml @@ -6,6 +6,36 @@ + + true + + Whether or not to allow switchable authentication for login + + + The login screen can optionally allow a single PAM service to provide + multiple authentication mechanisms via a GDM PAM. + + + + true + + Whether or not to allow authentication via external web site + + + The login screen can optionally allow users to authenticate via + web login. + + + + true + + Whether or not to allow authentication using a passkey + + + The login screen can optionally allow users who have passkeys to log + in using those passkeys. + + true diff --git a/data/pam-redhat/gdm-switchable-auth.pam b/data/pam-redhat/gdm-switchable-auth.pam new file mode 100644 index 000000000..6648c3cec --- /dev/null +++ b/data/pam-redhat/gdm-switchable-auth.pam @@ -0,0 +1,18 @@ +auth substack switchable-auth +auth optional pam_gnome_keyring.so +auth include postlogin + +account required pam_nologin.so +account include switchable-auth + +password substack switchable-auth +-password optional pam_gnome_keyring.so use_authtok + +session required pam_selinux.so close +session required pam_loginuid.so +session required pam_selinux.so open +session optional pam_keyinit.so force revoke +session required pam_namespace.so +session include switchable-auth +session optional pam_gnome_keyring.so auto_start +session include postlogin -- 2.51.1 From c18c8201c4d2af24b7aaf2168a3428fea542c733 Mon Sep 17 00:00:00 2001 From: Joan Torres Lopez Date: Thu, 12 Feb 2026 18:12:01 +0100 Subject: [PATCH 3/3] session: Use g_once for GDM_DEBUG_JSON_REQUESTS environment variable check Part-of: --- daemon/gdm-session.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/daemon/gdm-session.c b/daemon/gdm-session.c index 5f103eddb..5c04ad1be 100644 --- a/daemon/gdm-session.c +++ b/daemon/gdm-session.c @@ -832,7 +832,13 @@ gdm_session_handle_custom_json_request (GdmDBusWorkerManager *worker_manager_in if (conversation != NULL) { set_pending_query (conversation, invocation); - if (g_getenv ("GDM_DEBUG_JSON_REQUESTS") != NULL) + static gsize debug_json_requests; + + if (g_once_init_enter (&debug_json_requests)) + g_once_init_leave (&debug_json_requests, + g_getenv ("GDM_DEBUG_JSON_REQUESTS") != NULL ? 1 : 2); + + if (debug_json_requests == 1) g_message ("GdmSession: emitting custom JSON request '%s' v%u: %s", protocol, version, request); gdm_dbus_user_verifier_custom_json_emit_request (custom_json_interface, -- 2.52.0