Not sure whether this is the best category for this, so recommendations welcome…
I’ve been successfully using GDM and Gnome with smartcard (Yubikey PIV) based authentication and PKINIT for some time now. I use a system-wide dconf profile and locks to require users to use the Yubikey (enable-smartcard-authentication=true, enable-password-authentication=false and enable-fingerprint-authentication=false) and to require that screen lock is enabled and set to a reasonable timeout. That all works wonderfully.
But in the hybrid work situation that is common these days, users often want to connect to their systems remotely, whether via XRDP, VNC, NX, etc. The initial connections for these methods work fine, as they’re each using their own auth method that doesn’t support (let alone require) a smartcard that obviously can’t easily be presented remotely. But after the specified timeout, Gnome dutifully locks the screen and it can’t be unlocked again because of the aforementioned dconf settings and locks and the inability to plug in the smartcard when not actually in front of the system.
I don’t want to simply turn off the screen lock requirement, as that is necessary for the “I’m sitting in front of the system” scenario, but there appears to be no way to control any of these settings on a per-session basis. I was looking at using pam-script in gdm-smartcard to permit fallback to another auth option for a remote session but, as pam seems to be getting called by gdm-session-worker, tying it back to a specific systemd/logind “session” to determine “local/remote” isn’t exactly trivial.
I’m wondering whether anyone else has tried to tackle this problem before or has any ideas?
Thanks in advance!
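As an added example (not from the original post, and not a fix for the GDM lock itself): a POSIX shell helper that classifies a logind session as local or remote from the Remote and Seat properties `loginctl show-session` reports, with constructed sample output so it runs without logind. Whether a PAM module invoked by gdm-session-worker can obtain the right session id is an assumption left to the caller.

```shell
#!/bin/sh
# Added example, not part of the original post: decide whether a logind
# session is local or remote from the properties `loginctl show-session`
# prints. Assumes systemd-logind's Remote, Seat and Type session properties;
# the two samples below are constructed, not captured from a real host.

# classify_session PROPS
#   PROPS is "Key=Value" text as printed by
#   `loginctl show-session <id> -p Remote -p Seat -p Type`.
#   Prints "remote" when logind marked the session remote (pam_systemd saw a
#   remote host) or when it has no seat, which is how XRDP/VNC/NX sessions
#   usually look; otherwise prints "local".
classify_session() {
    props=$1
    remote=$(printf '%s\n' "$props" | sed -n 's/^Remote=//p')
    seat=$(printf '%s\n' "$props" | sed -n 's/^Seat=//p')
    if [ "$remote" = "yes" ] || [ -z "$seat" ]; then
        echo remote
    else
        echo local
    fi
}

# classify_current [SESSION_ID]
#   Queries logind for a live session (defaults to the caller's
#   $XDG_SESSION_ID) and classifies it. Returns 2 when no id is available or
#   logind does not know it, so callers can fail closed instead of assuming
#   "local".
classify_current() {
    id=${1:-$XDG_SESSION_ID}
    [ -n "$id" ] || return 2
    props=$(loginctl show-session "$id" -p Remote -p Seat -p Type 2>/dev/null) || return 2
    classify_session "$props"
}

# Constructed samples: a console login on seat0 and a seatless RDP login.
SAMPLE_LOCAL='Remote=no
Seat=seat0
Type=wayland'
SAMPLE_REMOTE='Remote=yes
Seat=
Type=x11'

if [ "${1:-}" = "demo" ]; then
    classify_session "$SAMPLE_LOCAL"    # local
    classify_session "$SAMPLE_REMOTE"   # remote
fi
```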