design pages: Passwordless-GDM integration #79
+503
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ikerexxe
commented
Jan 17, 2024
ikerexxe
force-pushed
the
passwordless-gdm
branch
12 times, most recently
from
3675076 to
232ed04
Compare
ikerexxe
force-pushed
the
passwordless-gdm
branch
4 times, most recently
from
eaab5be to
a1a1e9d
Compare
ikerexxe
force-pushed
the
passwordless-gdm
branch
from
a1a1e9d to
7806edd
Compare
ikerexxe
force-pushed
the
passwordless-gdm
branch
2 times, most recently
from
cf717a9 to
121084d
Compare
ikerexxe
force-pushed
the
passwordless-gdm
branch
3 times, most recently
from
8a027cb to
80fad61
Compare
ikerexxe
force-pushed
the
passwordless-gdm
branch
2 times, most recently
from
de1c99b to
583338b
Compare
ikerexxe
force-pushed
the
passwordless-gdm
branch
from
583338b to
2d5f0e0
Compare
abbra
reviewed
Jul 9, 2024
ikerexxe
force-pushed
the
passwordless-gdm
branch
from
6a5bf62 to
75f12bb
Compare
Contributor
Author
|
I updated the design with new attributes in the smartcard mechanism. They are necessary since the certificate information isn't available during the AUTH phase and we prefer to avoid running |
ikerexxe
force-pushed
the
passwordless-gdm
branch
from
75f12bb to
a972675
Compare
Contributor
Author
|
Updated design with additional attributes needed for passkey authentication. |
ikerexxe
force-pushed
the
passwordless-gdm
branch
from
dfcf246 to
d54c02c
Compare
pbrezina
reviewed
Mar 11, 2025
ikerexxe
force-pushed
the
passwordless-gdm
branch
2 times, most recently
from
9c36a3c to
c573246
Compare
sumit-bose
reviewed
Mar 18, 2025
ikerexxe
force-pushed
the
passwordless-gdm
branch
from
c573246 to
08d0d1f
Compare
Contributor
Author
|
@pbrezina @sumit-bose I updated the text with the improvements proposed. Take another look to make sure everything is correct. |
Contributor
Hi, thanks for the updates, the "krb5_child" section is looking good, ACK. bye, |
ikerexxe
force-pushed
the
passwordless-gdm
branch
from
08d0d1f to
97429fe
Compare
Contributor
Author
|
As discussed with Joan I'm updating the design with the following changes:
|
joantolo
reviewed
Sep 18, 2025
ikerexxe
force-pushed
the
passwordless-gdm
branch
from
97429fe to
c4f0617
Compare
joantolo
reviewed
Sep 22, 2025
ikerexxe
force-pushed
the
passwordless-gdm
branch
from
c4f0617 to
c3db9f0
Compare
joantolo
reviewed
Sep 22, 2025
ikerexxe
force-pushed
the
passwordless-gdm
branch
from
c3db9f0 to
4ead993
Compare
Passwordless authentication from the GUI. Signed-off-by: Iker Pedrosa <[email protected]>
ikerexxe
force-pushed
the
passwordless-gdm
branch
from
4ead993 to
5182f66
Compare
ikerexxe
added a commit
to ikerexxe/sssd
that referenced
this pull request
Nov 24, 2025
Add a note to clarify that 2FA isn't supported in JSON protocol and fix
man page compilation for `pam_json_services` option.
:feature: Unified passwordless login in the GUI. SSSD now supports a
rich authentication selection interface. Users can login with
smartcards, passkey, External IdPs and passwords directly
within the graphical user interface.
:packaging: SSSD now supports authentication mechanism selection through
PAM using a JSON-based protocol. This feature enables
passwordless authentication mechanisms in GUI login
environments that support the protocol.
Feature will be supported by GNOME Display Manager (GDM)
starting with GNOME 50. While currently optimized for GNOME,
the JSON protocol design allows for future support in other
display managers.
authselect is the recommended approach and will handle the
necessary PAM stack modifications automatically starting
with version 1.7 through the new option `with-switch-auth`
which provides a new PAM service called `switchable-auth`.
Manual PAM configuration is also possible.
For more technical details and implementation specifications,
see the design documentation:
SSSD/sssd.io#79
Signed-off-by: Iker Pedrosa <[email protected]>
ikerexxe
added a commit
to ikerexxe/sssd
that referenced
this pull request
Nov 27, 2025
Add a note to clarify that 2FA isn't supported in JSON protocol and fix
man page compilation for `pam_json_services` option.
:feature: Unified passwordless login in the GUI. SSSD now supports a
rich authentication selection interface. Users can login with
smartcards, passkey, External IdPs and passwords directly
within the graphical user interface.
:packaging: SSSD now supports authentication mechanism selection through
PAM using a JSON-based protocol. This feature enables
passwordless authentication mechanisms in GUI login
environments that support the protocol.
Feature will be supported by GNOME Display Manager (GDM)
starting with GNOME 50. While currently optimized for GNOME,
the JSON protocol design allows for future support in other
display managers.
authselect is the recommended approach and will handle the
necessary PAM stack modifications automatically starting
with version 1.7 through the new option `with-switch-auth`
which provides a new PAM service called `switchable-auth`.
Manual PAM configuration is also possible.
For more technical details and implementation specifications,
see the design documentation:
SSSD/sssd.io#79
Signed-off-by: Iker Pedrosa <[email protected]>
ikerexxe
added a commit
to ikerexxe/sssd
that referenced
this pull request
Dec 1, 2025
Add a note to clarify that 2FA isn't supported in JSON protocol and fix
man page compilation for `pam_json_services` option.
:feature: Unified passwordless login in the GUI. SSSD now supports a
rich authentication selection interface. Users can login with
smartcards, passkey, External IdPs and passwords directly
within the graphical user interface.
:packaging: SSSD now supports authentication mechanism selection through
PAM using a JSON-based protocol. This feature enables
passwordless authentication mechanisms in GUI login
environments that support the protocol.
Feature will be supported by GNOME Display Manager (GDM)
starting with GNOME 50. While currently optimized for GNOME,
the JSON protocol design allows for future support in other
display managers.
authselect is the recommended approach and will handle the
necessary PAM stack modifications automatically starting
with version 1.7 through the new option `with-switch-auth`
which provides a new PAM service called `switchable-auth`.
Manual PAM configuration is also possible.
For more technical details and implementation specifications,
see the design documentation:
SSSD/sssd.io#79
Signed-off-by: Iker Pedrosa <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Passwordless authentication from the GUI.