Chapter 8. Enabling authentication mechanism selection in GDM using SSSD
Strengthen organizational security by enabling passwordless GDM authentication for managed users. Replace traditional password-based authentication with external identity providers (EIdP), passkey devices, or smart cards and switch between these methods on the GNOME Display Manager login screen.

Important

Passwordless GDM is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

8.1. Passwordless authentication for centrally managed users in GDM

Passwordless GDM authentication is a technology preview feature that provides several methods for logging in through the GNOME Display Manager (GDM) without a traditional password.

Depending on the system configuration, you can use the following authentication methods:

External identity providers (EIdP)
You can use providers such as Keycloak, Google, Microsoft, or GitHub for a unified login experience.
Passkey devices
You can use passwordless authentication using FIDO2-compatible devices like YubiKey.
Smart cards
You can use physical smart cards.

When the administrator configures multiple authentication methods for users, users can switch between these methods on the GDM login screen.

8.1.1. Current limitations

When using these authentication methods, users might encounter the following behaviors:

EIdP priority over passkey
If an administrator configures both an EIdP and a passkey for a user, the IdM server, specifically the KDC, announces only the EIdP. Consequently, the GDM login screen displays only the EIdP option and does not show the passkey.
PIN prompts for passkey devices
GDM always prompts the user for a PIN when using a passkey, even if the passkey does not require one. In these cases, a touch is enough to authenticate. The PIN prompt ensures the user is ready to touch the device before the short authentication window expires. Additionally, the interface does not display the number of remaining PIN attempts.
Passkey availability in non-IdM environments
If the system is not enrolled in an IdM domain, SELinux security policies might prevent the passkey service from starting. In these environments, the passkey authentication method does not function and the option does not appear on the GDM login screen.
Smart card detection
The login option for smart cards only appears in the GDM menu when the user inserts a smart card that contains a valid certificate for their specific account into the reader.

8.2. Enabling authentication mechanism selection in GDM using SSSD

Enable passwordless GDM login to provide flexible authentication for centrally managed users. By using authselect and System Security Services Daemon (SSSD), you can enable passwordless authentication methods such as external identity providers (EIdP), passkey devices, or smart cards. This configuration reduces password reliance and lets users choose their credentials directly at the GNOME Display Manager (GDM) login screen.

Before enabling these options in GDM, you must first configure the individual authentication methods and the Identity Management (IdM) server. After these credentials and server-side settings are functional, you can configure the system services to display these options at the login screen.

Prerequisites

  • The system is a member of an Identity Management (IdM) domain.
  • You have fulfilled the prerequisites for the specific passwordless authentication methods you want to use, such as configuring the IdM server and enrolling user credentials.
  • You have root privileges on the system.
  • You have SSSD installed.

Procedure

  1. Optional: View information about your current authselect profile:

    $ authselect current
  2. Depending on your current authselect profile, do one of the following:

    1. Select the sssd profile and enable the switchable authentication feature:

      # authselect select sssd with-switchable-auth
    2. If you are already using the sssd profile, enable the switchable authentication feature:

      # authselect enable-feature with-switchable-auth
      Note

      This command configures the /etc/pam.d/switchable-auth PAM service file to enable the GDM login screen to display the corresponding passwordless mechanisms that you have previously configured for the user account.

  3. Configure the SSSD PAM responder to authorize the switchable authentication service. Open the /etc/sssd/sssd.conf file and add the pam_json_services option to the [pam] section:

    ...
    [pam]
    pam_json_services = gdm-switchable-auth
  4. Restart the SSSD service:

    # systemctl restart sssd

Verification

  • As an administrator, verify the /etc/sssd/sssd.conf file to confirm the configuration:

    $ cat /etc/sssd/sssd.conf

    The output must include the pam_json_services key set to gdm-switchable-auth within the [pam] section.

  • As a user, you can read the /etc/dconf/db/distro.d/20-authselect file to confirm the configuration:

    $ cat /etc/dconf/db/distro.d/20-authselect

    The [org/gnome/login-screen] section in the output must include the enable-switchable-authentication key set to true.
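The following POSIX shell script is an added example and is not part of the Red Hat documentation: it applies step 3 of the procedure idempotently (the key is added to the [pam] section once, and any services already listed in pam_json_services are kept) and then checks the two files named in the verification. The function names and the sample configuration files are assumptions; the script does not replace the authselect commands in step 2.

```shell
# Added example, not from the Red Hat documentation: apply step 3 of the
# procedure idempotently and verify the result of the whole procedure.
set -eu

# Insert or extend pam_json_services in the [pam] section of "$1" (added once).
ensure_pam_json_services() {
    conf="$1"
    svc="${2:-gdm-switchable-auth}"
    cp -p "$conf" "$conf.tmp"            # keeps the 0600 root mode of sssd.conf
    awk -v svc="$svc" '
        function flush() {               # [pam] ended without the key: emit it
            if (inpam && !seen) print "pam_json_services = " svc
            inpam = 0
        }
        /^[[:space:]]*\[/ {              # any section header
            flush()
            inpam = ($0 ~ /^[[:space:]]*\[pam\]/)
            if (inpam) haspam = 1
            seen = 0
        }
        inpam && /^[[:space:]]*pam_json_services[[:space:]]*=/ {
            seen = 1
            val = substr($0, index($0, "=") + 1)
            gsub(/[[:space:]]/, "", val)
            n = split(val, items, ","); found = 0
            for (i = 1; i <= n; i++) if (items[i] == svc) found = 1
            if (!found) $0 = (val == "") ? "pam_json_services = " svc : $0 ", " svc
        }
        { print }
        END {
            flush()
            if (!haspam) print "\n[pam]\npam_json_services = " svc
        }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Exit 0 only when sssd.conf (step 3) and the authselect dconf file both show it.
check_switchable_auth() {
    sssd_conf="${1:-/etc/sssd/sssd.conf}"
    dconf_file="${2:-/etc/dconf/db/distro.d/20-authselect}"
    awk '/^[[:space:]]*\[/ { sect = $0 }
         sect ~ /^[[:space:]]*\[pam\]/ &&
             /^pam_json_services[[:space:]]*=.*gdm-switchable-auth/ { ok = 1 }
         END { exit !ok }' "$sssd_conf" 2>/dev/null || return 1
    awk '/^[[:space:]]*\[/ { sect = $0 }
         sect ~ /^[[:space:]]*\[org\/gnome\/login-screen\]/ &&
             /^enable-switchable-authentication[[:space:]]*=[[:space:]]*true/ { ok = 1 }
         END { exit !ok }' "$dconf_file" 2>/dev/null
}
```

Run it as root against the real files (`ensure_pam_json_services /etc/sssd/sssd.conf`, then `systemctl restart sssd`, then `check_switchable_auth`); the exit status of the check tells you whether both sides of the configuration are in place.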
