The password input field in GDM is inactive if the key is inserted, how to fix this?

[proninyaroslav]

I have configured my FIDO2 key as sufficient for the GDM login so that I can enter the password or use the key when needed. But when I first log in, the password field is disabled and I have to first touch the key and then enter the GNOME Keyring password again. This is extra work, I would prefer to enter the password immediately to unlock the keyring. When I just lock the screen, GDM allows me to enter a password, when I logout and login again, it disables the password entry field. Oddly enough, if you use GDM fingerprint, it allows you to choose between entering a password or swiping your finger. In the case of pam-u2f, it doesn't allow this.

[LDVG]

I have configured my FIDO2 key as sufficient for the GDM login so that I can enter the password or use the key when needed. But when I first log in, the password field is disabled and I have to first touch the key and then enter the GNOME Keyring password again.

If pam-u2f is listed before any other module, this is what sufficient means. It will preempt any following modules that might want to verify your password. If you want to enter both the password and use pam_u2f.so as a second factor you'll have to use another control value than sufficient (e.g. required).

Oddly enough, if you use GDM fingerprint, it allows you to choose between entering a password or swiping your finger. In the case of pam-u2f, it doesn't allow this.

How is this selection actually performed?

[proninyaroslav]

But required means that you will have to enter both a password and a key. I want either a password or a key. Even if the key is inserted. The fingerprint method has it. It looks like an active password input field, and at the bottom there is a hint to enter the password or touch the fingerprint scanner.

[LDVG]

OK. There is no such support in libpam itself to achieve this (nor is it something we can implement on our side). Looking into this more closely, it seems that GDM is running multiple PAM stacks in parallel to achieve this behavior for the fingerprint reader. As far as I can tell, it's not possible to add an additional custom stack to run in parallel to e.g. gdm-password, but this is more of a question for GDM.