
Fingerprint unlocking integration for polkit & KDE (T10356)

Open celticmagic opened this issue 2 years ago • 9 comments

Joey Riches (#joebonrichie), 2022-08-23 09:20:28 UTC

Currently fingerprint unlocking does not work on KDE or for polkit actions

You can enroll a fingerprint but cannot unlock a session with it after installing fprintd libfprint

To resolve this, create the file /usr/share/defaults/etc/pam.d/fprint with the contents:

#%PAM-1.0

auth    sufficient  pam_unix.so try_first_pass likeauth nullok
auth    sufficient  pam_fprintd.so

Then in /usr/share/defaults/etc/pam.d/polkit-1 and /usr/share/defaults/etc/pam.d/kde, paste 'auth include fprint' above 'auth include system-auth'.

This enables screen unlocking in KDE with your fingerprint as well as authorizing polkit actions.

If fprintd and libfprint are uninstalled, actions can still be authorized with a password like normal.

celticmagic avatar Aug 16 '23 20:08 celticmagic

Joey Riches (#joebonrichie), 2022-08-23 09:46:43 UTC

Before I go ahead with this the question is whether the pam stuff looks okay and/or is there any obvious security risk?

Potentially we could abstract even further and have systemd-auth include fprint, which should allow all auth actions to be completed with the fingerprint. Whether that is desirable or not is another question for now.

celticmagic avatar Aug 16 '23 20:08 celticmagic

Joey Riches (#joebonrichie), 2022-08-23 10:00:38 UTC

The main annoyance here is you have to press enter before it'll prompt you to use the fingerprint (I'm guessing due to try_first_pass)

celticmagic avatar Aug 16 '23 20:08 celticmagic

Reilly Brogan (#ReillyBrogan), 2022-08-23 17:32:56 UTC

! In T10356#197694, #joebonrichie wrote: The main annoyance here is you have to press enter before it'll prompt you to use the fingerprint (I'm guessing due to try_first_pass)

What happens if you swap the order of the pam_fprintd.so and pam_unix.so lines?

celticmagic avatar Aug 16 '23 20:08 celticmagic

Thomas Staudinger (#Staudey), 2022-08-23 17:40:26 UTC

#ReillyBrogan I had the same thought before, and according to the Arch Wiki it's the following problem:

Adding pam_fprintd.so as sufficient to any configuration file in /etc/pam.d/ when a fingerprint signature is present will only prompt for fingerprint authentication. This prevents the use of a password if you cannot Ctrl+c fingerprint authentication (due to the lack of a shell).

Which they follow up with Joey's solution as a way around that.

celticmagic avatar Aug 16 '23 20:08 celticmagic
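
An added example, not part of the thread or of Solus packaging: a small Python check for the PAM layout discussed above, verifying that pam_unix.so precedes pam_fprintd.so in the fprint file, that a service file includes fprint ahead of system-auth, and noting the nullok argument. The sample polkit-1 contents beyond the two auth include lines, and all function names, are assumptions.

```python
import re

# Constructed sample input: the fprint file from the first post and a
# hypothetical polkit-1 service file (the "account" line is an assumption).
FPRINT = """#%PAM-1.0
auth    sufficient  pam_unix.so try_first_pass likeauth nullok
auth    sufficient  pam_fprintd.so
"""
POLKIT = """#%PAM-1.0
auth    include     fprint
auth    include     system-auth
account include     system-auth
"""
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_entries(text):
    """Return (control, module_or_target, args) for each auth line, in order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and the #%PAM header
        m = LINE.match(line)
        if m and m.group(1) == "auth":
            entries.append((m.group(2), m.group(3), m.group(4).split()))
    return entries

def position(entries, name):
    """Index of the first entry whose module or include target is name, else None."""
    return next((i for i, e in enumerate(entries) if e[1] == name), None)

def audit(fprint_text, service_text):
    """Return a list of findings for the fprint file and one service file."""
    findings = []
    fp, svc = auth_entries(fprint_text), auth_entries(service_text)
    unix, finger = position(fp, "pam_unix.so"), position(fp, "pam_fprintd.so")
    if unix is None or finger is None:
        findings.append("fprint: needs both pam_unix.so and pam_fprintd.so")
    elif finger < unix:
        findings.append("fprint: pam_fprintd.so runs first, so the "
                        "fingerprint prompt blocks password entry")
    for _control, module, args in fp:
        if module == "pam_unix.so" and "nullok" in args:
            findings.append("fprint: nullok lets an empty password pass pam_unix.so")
    inc, sysauth = position(svc, "fprint"), position(svc, "system-auth")
    if inc is None:
        findings.append("service: no 'auth include fprint' line")
    elif sysauth is not None and inc > sysauth:
        findings.append("service: fprint is included after system-auth")
    return findings
```

Run against the files from the first post, audit() reports only the nullok note; whether empty passwords should be accepted on this path is a decision for the packager.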

Reilly Brogan (#ReillyBrogan), 2022-08-23 17:44:26 UTC

celticmagic avatar Aug 16 '23 20:08 celticmagic

Joey Riches (#joebonrichie), 2022-08-23 19:02:51 UTC

What led me down this rabbit hole is that KDE supposedly has support for fingerprint unlocking for kscreensaver but I seemingly had to provide my own pam files for it to work unlike gdm which seems to work by default. Making matters more interesting is that fprintd states that unlocking with either a fingerprint or password (via pam_fprintd.so) is not supported and the pam config above seems to be more of a workaround to that.

https://github.com/freedesktop/libfprint-fprintd/blob/master/pam/README#L24

celticmagic avatar Aug 16 '23 20:08 celticmagic

Joey Riches (#joebonrichie), 2022-08-26 10:31:56 UTC

Looks like this was supposed to have been merged for 5.25 but has stalled for whatever reason. https://invent.kde.org/plasma/kscreenlocker/-/merge_requests/15 Which explains why the string in 'Users' is wrong.

celticmagic avatar Aug 16 '23 20:08 celticmagic

TraceyC (@TraceyC77), 2023-07-21 03:08:51 UTC

@joebonrichie, is this still an issue? I'm using fingerprints to unlock my Plasma session, but I don't know what the status of polkit is.

celticmagic avatar Aug 16 '23 20:08 celticmagic

@joebonrichie Does this work on your laptop w/ Plasma 6?

ermo avatar May 04 '24 00:05 ermo

Related to getsolus/packages/issues/189

TraceyC77 avatar May 28 '24 01:05 TraceyC77