Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 8. Enabling authentication mechanism selection in GDM using SSSD

Strengthen organizational security by enabling passwordless GDM authentication for managed users. Replace traditional password-based authentication with external identity providers (EIdP), passkey devices, or smart cards and switch between these methods on the GNOME Display Manager login screen.

Important

Passwordless GDM is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

Passwordless GDM authentication is a technology preview feature that provides several methods for logging in through the GNOME Display Manager (GDM) without a traditional password.

Depending on the system configuration, you can use the following authentication methods:

External identity providers (EIdP)
You can use providers such as Keycloak, Google, Microsoft, or GitHub for a unified login experience.
Passkey devices
You can use passwordless authentication using FIDO2-compatible devices like YubiKey.
Smart cards
You can use physical smart cards.

When the administrator configures multiple authentication methods for users, users can switch between these methods on the GDM login screen.

8.1.1. Current limitations
Copy link

When using these authentication methods, users might encounter the following behaviors:

EIdP priority over passkey
If an administrator configures both an EIdP and a passkey for a user, the IdM server, specifically the KDC, announces only the EIdP. Consequently, the GDM login screen displays only the EIdP option and does not show the passkey.
PIN prompts for passkey devices
GDM always prompts the user for a PIN when using a passkey, even if the passkey does not require one. In these cases, a touch is enough to authenticate. The PIN prompt ensures the user is ready to touch the device before the short authentication window expires. Additionally, the interface does not display the number of remaining PIN attempts.
Passkey availability in non-IdM environments
If the system is not enrolled in an IdM domain, SELinux security policies might prevent the passkey service from starting. In these environments, the passkey authentication method does not function and the option does not appear on the GDM login screen.
Smart card detection
The login option for smart cards only appears in the GDM menu when the user inserts a smart card that contains a valid certificate for their specific account into the reader.

Enable passwordless GDM login to provide flexible authentication for centrally managed users. By using authselect and System Security Services Daemon (SSSD), you can enable passwordless authentication methods such as external identity providers (EIdP), passkey devices, or smart cards. This configuration reduces password reliance and lets users choose their credentials directly at the GNOME Display Manager (GDM) login screen.

Before enabling these options in GDM, you must first configure the individual authentication methods and the Identity Management (IdM) server. After these credentials and server-side settings are functional, you can configure the system services to display these options at the login screen.

Prerequisites

  • The system is a member of an Identity Management (IdM) domain.
  • You have fulfilled the prerequisites for the specific passwordless authentication methods you want to use, such as configuring the IdM server and enrolling user credentials.
  • You have root privileges on the system.
  • Have SSSD installed.

Procedure

  1. (Optional): View the information about your authselect profile: 

    $ authselect current

  2. Depending on your current authselect profile, do one of the following:

    1. Select the sssd profile and enable the switchable authentication feature: 

      # authselect select sssd with-switchable-auth

    2. If you are already using the sssd profile, enable the switchable authentication feature: 

      # authselect enable-feature with-switchable-auth
      Note

      This command configures the /etc/pam.d/switchable-auth PAM service file to enable the GDM login screen to display the corresponding passwordless mechanisms that you have previously configured for the user account.

  3. Configure the SSSD PAM responder to authorize the switchable authentication service. Open the /etc/sssd/sssd.conf file and add the pam_json_services option to the [pam] section: 

    ...
[pam]
pam_json_services = gdm-switchable-auth

  4. Restart the SSSD service: 

    # systemctl restart sssd

Verification

  • As an administrator, verify the /etc/sssd/sssd.conf file to confirm the configuration: 

    $ cat /etc/sssd/sssd.conf

    The output must include the pam_json_services key set to gdm-switchable-auth within the [pam] section.

  • As a user, you can read the /etc/dconf/db/distro.d/20-authselect file to confirm the configuration: 

    $ cat /etc/dconf/db/distro.d/20-authselect

    The [org/gnome/login-screen] section in the output must include the enable-switchable-authentication key set to true.

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Legal Notice

Theme

© 2026 Red HatBack to top