gdm/0001-data-Add-support-for-unified-authentication.patch


From 4c3f937ec0b694819823ea3ffb0aea361b62976b Mon Sep 17 00:00:00 2001
From: Joan Torres Lopez <joantolo@redhat.com>
Date: Thu, 18 Sep 2025 16:42:37 +0200
Subject: [PATCH 1/2] session: Log JSON request when GDM_DEBUG_JSON_REQUESTS is
set
This is only useful for debugging and testing.
---
daemon/gdm-session.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/daemon/gdm-session.c b/daemon/gdm-session.c
index 6f53b5dfa..2f820015c 100644
--- a/daemon/gdm-session.c
+++ b/daemon/gdm-session.c
@@ -807,8 +807,9 @@ gdm_session_handle_custom_json_request (GdmDBusWorkerManager *worker_manager_in
if (conversation != NULL) {
set_pending_query (conversation, invocation);
- g_debug ("GdmSession: emitting custom JSON request '%s' v%u",
- protocol, version);
+ if (g_getenv ("GDM_DEBUG_JSON_REQUESTS") != NULL)
+ g_message ("GdmSession: emitting custom JSON request '%s' v%u: %s",
+ protocol, version, request);
gdm_dbus_user_verifier_custom_json_emit_request (custom_json_interface,
service_name,
protocol,
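Review bot: The new `g_message` under the `GDM_DEBUG_JSON_REQUESTS` check writes the whole `request` body at message level, which is normally emitted without debug logging enabled, and it replaces the unconditional `g_debug` that recorded only protocol and version. The hunk does not show what the JSON carries, but in an authentication conversation it may hold prompts, user identifiers or mechanism data, and system logs are often readable by more accounts than the GDM daemon's own. I would keep `g_debug ("GdmSession: emitting custom JSON request '%s' v%u", protocol, version);` unconditional and log the payload with `g_debug` inside the guarded branch. A comment such as `/* Debug only: request may contain authentication data; do not set in production */` above the check would also help. The enclosing function starts and ends outside the hunk.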
--
2.47.3
From a823f0f0fd3262770599d24de7efd0c2462ca61f Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Mon, 22 Jan 2024 09:40:39 -0500
Subject: [PATCH 2/2] data: Add support for unified authentication
At the moment, every authentication mechanism gets its own
separate PAM conversation.
Some PAM modules, like pam_sss, support more than one way
to authenticate the user.
Rather than starting several conversations, one for each
mechanism, this commit adds a new "unified" authentication
setting.
---
data/meson.build | 1 +
data/org.gnome.login-screen.gschema.xml | 30 +++++++++++++++++++++++++
data/pam-redhat/gdm-switchable-auth.pam | 18 +++++++++++++++
3 files changed, 49 insertions(+)
create mode 100644 data/pam-redhat/gdm-switchable-auth.pam
diff --git a/data/meson.build b/data/meson.build
index 20d39a366..8d39d7506 100644
--- a/data/meson.build
+++ b/data/meson.build
@@ -105,6 +105,7 @@ pam_data_files_map = {
'gdm-smartcard',
'gdm-password',
'gdm-pin',
+ 'gdm-switchable-auth',
],
'openembedded': [
'gdm-autologin',
diff --git a/data/org.gnome.login-screen.gschema.xml b/data/org.gnome.login-screen.gschema.xml
index 7b5c54d1b..02dd4d0e4 100644
--- a/data/org.gnome.login-screen.gschema.xml
+++ b/data/org.gnome.login-screen.gschema.xml
@@ -1,6 +1,36 @@
<?xml version="1.0" encoding="UTF-8"?>
<schemalist gettext-domain="gdm">
<schema id="org.gnome.login-screen" path="/org/gnome/login-screen/">
+ <key name="enable-switchable-authentication" type="b">
+ <default>true</default>
+ <summary>
+ Whether or not to allow switchable authentication for login
+ </summary>
+ <description>
+ The login screen can optionally allow a single PAM service to provide
+ multiple authentication mechanisms via a GDM PAM.
+ </description>
+ </key>
+ <key name="enable-web-authentication" type="b">
+ <default>true</default>
+ <summary>
+ Whether or not to allow authentication via external web site
+ </summary>
+ <description>
+ The login screen can optionally allow users to authenticate via
+ web login.
+ </description>
+ </key>
+ <key name="enable-passkey-authentication" type="b">
+ <default>true</default>
+ <summary>
+ Whether or not to allow authentication using a passkey
+ </summary>
+ <description>
+ The login screen can optionally allow users who have passkeys to log
+ in using those passkeys.
+ </description>
+ </key>
<key name="enable-fingerprint-authentication" type="b">
<default>true</default>
<summary>
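Review bot: All three new keys (`enable-switchable-authentication`, `enable-web-authentication`, `enable-passkey-authentication`) default to `true`, so an upgrade turns on new login paths without any administrator decision. That matches the existing `enable-fingerprint-authentication` default below, but if default-on is intended the descriptions should say what still gates each mechanism, presumably the PAM service configuration, which this hunk does not show. The first description also ends at `via a GDM PAM`, which reads as truncated. Something like `via a GDM PAM extension. When disabled, each mechanism uses its own PAM conversation.` would be clearer, if that matches the implementation.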
diff --git a/data/pam-redhat/gdm-switchable-auth.pam b/data/pam-redhat/gdm-switchable-auth.pam
new file mode 100644
index 000000000..6648c3cec
--- /dev/null
+++ b/data/pam-redhat/gdm-switchable-auth.pam
@@ -0,0 +1,18 @@
+auth substack switchable-auth
+auth optional pam_gnome_keyring.so
+auth include postlogin
+
+account required pam_nologin.so
+account include switchable-auth
+
+password substack switchable-auth
+-password optional pam_gnome_keyring.so use_authtok
+
+session required pam_selinux.so close
+session required pam_loginuid.so
+session required pam_selinux.so open
+session optional pam_keyinit.so force revoke
+session required pam_namespace.so
+session include switchable-auth
+session optional pam_gnome_keyring.so auto_start
+session include postlogin
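Review bot: This service file pulls in `switchable-auth` in all four stacks (`auth substack`, `account include`, `password substack`, `session include`), but nothing in the patch installs a file of that name, so it has to come from the system PAM configuration. With `enable-switchable-authentication` defaulting to `true` in the schema hunk, a host without that file would presumably get a failing stack for this service. Whether GDM then falls back to the per-mechanism services is not visible here. A header comment would document the dependency, e.g. `# Requires a system-provided 'switchable-auth' PAM service; confirm it exists before enabling switchable authentication.`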
--
2.47.3