Re: F34 gdm login prompt goes crazy when a fingerprint reader with no enrolled prints is present

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

On Tue, 2021-03-02 at 15:31 +0100, Hans de Goede wrote:
> On 3/1/21 9:15 PM, Ray Strode wrote:
> 
> [...]
> > > Any debugging options which I can enable somewhere to show the
> > > pam_fprintd error ?
> > you can put "debug" on the ends of the lines that say
> > pam_fprintd.so
> > in /etc/pam.d/fingerprint-auth
> > that should make the journal more chatty.
> 
> Ah, I think now we are getting somewhere. I have a script which I run to
> tweak new / upgraded installs to lower the amount of services which are
> running be default (mostly because of the 1G/2G RAM x86 Windows tablets
> which I try to support as a side project). This script contains the following:
> 
> sudo authselect select minimal
> sudo authselect apply-changes
> 
> Which results in the following /etc/pam.d/fingerprint-auth file:
> 
> [hans@x1 linux]$ sudo cat /etc/pam.d/fingerprint-auth 
> # Generated by authselect on Tue Mar  2 15:24:53 2021
> # Do not modify this file manually.

So, an empty file means that we will hit the /etc/pam.d/other fallback,
which does "auth required pam_deny.so". This means, the GDM stack that
includes it using "substack" will fail with PAM_AUTH_ERR.

This does not seem very helpful. For GDM, it would make more sense to
return an error code that allows us to know that it isn't a normal
authentication failure. If we instead change it so that the file is not
empty, but rather contains:

auth required  pam_debug.so auth=authinfo_unavail

Then everything would work as expected. Plus, we may be able to drop
the requirement to update the GDM configuration in the long term.

Pavel, would it be possible to make this (or a similar) change in
authselect, so that the stack returns a saner error when it is empty?

Benjamin

PS: Thanks to Ray and Marco for the IRC discussions to figure this out
more.

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux