gdm/0001-data-Add-support-for-unified-authentication.patch
2026-01-19 17:13:02 +01:00


From 68976aadfb6c311196012439d97094c8244cdc49 Mon Sep 17 00:00:00 2001
From: Joan Torres Lopez <joantolo@redhat.com>
Date: Thu, 18 Sep 2025 16:42:37 +0200
Subject: [PATCH 1/2] session: Log JSON request when GDM_DEBUG_JSON_REQUESTS is
set
This is only useful for debugging and testing.
---
daemon/gdm-session.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/daemon/gdm-session.c b/daemon/gdm-session.c
index 388b0d037..9affbc438 100644
--- a/daemon/gdm-session.c
+++ b/daemon/gdm-session.c
@@ -846,8 +846,9 @@ gdm_session_handle_custom_json_request (GdmDBusWorkerManager *worker_manager_in
if (conversation != NULL) {
set_pending_query (conversation, invocation);
- g_debug ("GdmSession: emitting custom JSON request '%s' v%u",
- protocol, version);
+ if (g_getenv ("GDM_DEBUG_JSON_REQUESTS") != NULL)
+ g_message ("GdmSession: emitting custom JSON request '%s' v%u: %s",
+ protocol, version, request);
gdm_dbus_user_verifier_custom_json_emit_request (custom_json_interface,
service_name,
protocol,
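Review bot: The new `g_message` call writes the whole `request` payload to the log at message level, and in a custom JSON authentication exchange that payload may carry challenges, one-time codes or login URLs (what the PAM side sends is not visible here, so confirm). The change also drops the unconditional `g_debug` of protocol and version, so ordinary debug logs lose that trace unless the variable is set. I would keep `g_debug ("GdmSession: emitting custom JSON request '%s' v%u", protocol, version);` and put only the payload behind the gate, preferably at debug level and in braces: `if (g_getenv ("GDM_DEBUG_JSON_REQUESTS") != NULL) { g_debug ("GdmSession: custom JSON request payload: %s", request); }`. A comment above the check should state that the payload can contain authentication data and that the variable is meant for test systems only. The enclosing function starts and ends outside the hunk.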
--
2.51.1
From bb975dec28884e371a5a54ae524315b8b7a7ea13 Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Mon, 22 Jan 2024 09:40:39 -0500
Subject: [PATCH 2/2] data: Add support for unified authentication
At the moment, every authentication mechanism gets its own
separate PAM conversation.
Some PAM modules, like pam_sss, support more than one way
to authenticate the user.
Rather than starting several conversations, one for each
mechanism, this commit adds a new "unified" authentication
setting.
---
data/meson.build | 1 +
data/org.gnome.login-screen.gschema.xml | 30 +++++++++++++++++++++++++
data/pam-redhat/gdm-switchable-auth.pam | 18 +++++++++++++++
3 files changed, 49 insertions(+)
create mode 100644 data/pam-redhat/gdm-switchable-auth.pam
diff --git a/data/meson.build b/data/meson.build
index e82ce7ac1..2cbbf83e4 100644
--- a/data/meson.build
+++ b/data/meson.build
@@ -95,6 +95,7 @@ pam_data_files_map = {
'gdm-fingerprint',
'gdm-smartcard',
'gdm-password',
+ 'gdm-switchable-auth',
],
'openembedded': [
'gdm-autologin',
diff --git a/data/org.gnome.login-screen.gschema.xml b/data/org.gnome.login-screen.gschema.xml
index 5a547e9b8..cf6b03820 100644
--- a/data/org.gnome.login-screen.gschema.xml
+++ b/data/org.gnome.login-screen.gschema.xml
@@ -6,6 +6,36 @@
</enum>
<schema id="org.gnome.login-screen" path="/org/gnome/login-screen/">
+ <key name="enable-switchable-authentication" type="b">
+ <default>true</default>
+ <summary>
+ Whether or not to allow switchable authentication for login
+ </summary>
+ <description>
+ The login screen can optionally allow a single PAM service to provide
+ multiple authentication mechanisms via a GDM PAM.
+ </description>
+ </key>
+ <key name="enable-web-authentication" type="b">
+ <default>true</default>
+ <summary>
+ Whether or not to allow authentication via external web site
+ </summary>
+ <description>
+ The login screen can optionally allow users to authenticate via
+ web login.
+ </description>
+ </key>
+ <key name="enable-passkey-authentication" type="b">
+ <default>true</default>
+ <summary>
+ Whether or not to allow authentication using a passkey
+ </summary>
+ <description>
+ The login screen can optionally allow users who have passkeys to log
+ in using those passkeys.
+ </description>
+ </key>
<key name="enable-fingerprint-authentication" type="b">
<default>true</default>
<summary>
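Review bot: All three new keys (`enable-switchable-authentication`, `enable-web-authentication`, `enable-passkey-authentication`) default to `true`, so as far as the schema is concerned an upgrade enables additional login paths without the administrator opting in. If that is intended, each `<description>` should say so and say how to turn the mechanism off; otherwise `<default>false</default>` is the safer starting point. The description of `enable-switchable-authentication` ends in "via a GDM PAM.", which looks truncated (presumably "GDM PAM extension"). The commit message calls the feature "unified" while the key says "switchable"; one term should be used throughout. The trailing context lines belong to the `enable-fingerprint-authentication` key, which continues outside the hunk.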
diff --git a/data/pam-redhat/gdm-switchable-auth.pam b/data/pam-redhat/gdm-switchable-auth.pam
new file mode 100644
index 000000000..6648c3cec
--- /dev/null
+++ b/data/pam-redhat/gdm-switchable-auth.pam
@@ -0,0 +1,18 @@
+auth substack switchable-auth
+auth optional pam_gnome_keyring.so
+auth include postlogin
+
+account required pam_nologin.so
+account include switchable-auth
+
+password substack switchable-auth
+-password optional pam_gnome_keyring.so use_authtok
+
+session required pam_selinux.so close
+session required pam_loginuid.so
+session required pam_selinux.so open
+session optional pam_keyinit.so force revoke
+session required pam_namespace.so
+session include switchable-auth
+session optional pam_gnome_keyring.so auto_start
+session include postlogin
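Review bot: Every stack in this new service file pulls in `switchable-auth` (`auth substack`, `account include`, `password substack`, `session include`), but the patch does not ship that file and nothing here says who provides it. Because the matching `enable-switchable-authentication` key defaults to true, a system without a `switchable-auth` PAM stack would presumably get a service that fails on every attempt. A header comment such as `# Requires the switchable-auth stack from the system PAM configuration` would make the dependency explicit. Separately, `auth optional pam_gnome_keyring.so` lacks the leading `-` used on `-password optional pam_gnome_keyring.so use_authtok`, so a missing module is logged on the auth path but silently skipped on the password path; use one form.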
--
2.51.1