Re: F34 gdm login prompt goes crazy when a fingerprint reader with no enrolled prints is present

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 3/4/21 5:11 PM, Hans de Goede wrote:
Hi,

On 3/4/21 11:50 AM, Pavel Březina wrote:
On 3/3/21 6:11 PM, Hans de Goede wrote:
Hi,

On 3/2/21 5:20 PM, Pavel Březina wrote:
On 3/2/21 4:25 PM, Ray Strode wrote:
Hi,

Ahh, okay.

On Tue, Mar 2, 2021 at 9:31 AM Hans de Goede <hdegoede@xxxxxxxxxx> wrote:
sudo authselect select minimal
sudo authselect apply-changes

Which results in the following /etc/pam.d/fingerprint-auth file:

[hans@x1 linux]$ sudo cat /etc/pam.d/fingerprint-auth
# Generated by authselect on Tue Mar  2 15:24:53 2021
# Do not modify this file manually.

minimal profile does not support fingerprint

So it seems there are 4 profiles:

[hans@x1 ~]$ authselect list
- minimal     Local users only for minimal installations
- nis         Enable NIS for system authentication
- sssd        Enable SSSD for system authentication (also for local users only)
- winbind     Enable winbind for system authentication

What I want is a profile which uses just the good old /etc files to
avoid the overhead of running a local daemon (sssd tends to show up as
one of the top 10 wakeup sources in powertop on an idle system) and I
also don't want a config which tries to go out on the network.

So minimal seems to meet my needs; and although I personally do not
have much of a need for fingerprint auth, I don't really see why we
could not do fingerprint auth with the minimal config. I'm pretty

I'd say the answer is simple - if you go with minimal, you don't need fingerprint. And you wrote it yourself - you don't need fingerprint auth. Just because something can be done, does not mean it is worth to maintain it. More info below.

sure I can manually create a pam-config where this works just fine.

I guess its in the name minimal, where as "local" might be (1) a better

That's the point - it's minimal not local, not without-sssd. The readme explicitly says that it reserved for cases when you really care about disk and memory footprint.

It has very limited functionality by design. If you do not want to use SSSD, you can keep using sssd profile and just disable the service. It will keep working. The minimal profile is there for users that also want to remove sssd packages to safe resources, but in that case you probably don't care about fingerprint and smartcards either.

The problem is that IMHO having sssd enabled by default is really the wrong thing to do for like 95% of our users and defaults should be the settings which are best for most / almost all users.

This is really just a symptom of a much bigger problem though, which is that we simply have way too much services / daemon's starting up by default. The output of "ps aux" after a default Fedora workstation install is just way way too long. Once upon a time Linux users used to make fun of Windows with all its background processes in the mean time a default Fedora WS install has gotten worse then Windows wrt background processes. Any of these are totally unnecessary for most of our users.

We really should be smarter here and the config tools which allows a user to enroll in an authentication domain enable the sssd config when that happens and not have this on by default for everyone.

So what I would really like to see is a local profile which uses just /etc files + fprintd if there are fingerprints enrolled. Smartcards are a different story, because those likely also need significant extra setup.

Where as fingerprints can easily be enrolled from the local UI tools.

name. Note I'm not suggesting to add another profile just for this
but it would be nice if fingerprint auth would at least be a
(default off) feature for the minimal config.

Shall I file a RFE issue for this at:
https://github.com/authselect/authselect/issues/

If you need fingerprint auth then open the ticket please - but no promises here. If you don't need it then just don't open the ticket :-)

Rather then opening a ticket, what I would really like to see is a good discussion about why the sssd profile is the default, because IMHO it is a bad default for most users.

I hear you. From authselect perspective, SSSD was enabled by default through a change page that was accepted by community. Therefore authselect is advertising this profile as the main and only. If you want to run without sssd, you can disable the service but you don't have to switch to other profile.

Whether or not it should be enabled by default is a different discussion. But... The SSSD team does acknowledge that it does not have to be enabled by default for vast majority of Fedora users and we plan to submit a change page that will address this. However, I am not going to dive into details in this thread yet, since they are still developing,



Regards,

Hans
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux