
Allow fingerprint login together with password login

Open vjr opened this issue 3 years ago • 7 comments

Problem

Currently, if fingerprint login is enabled by installing the fprintd package and editing the /etc/pam.d/lightdm file to add an auth sufficient pam_fprintd.so line, the greeter does not allow you to log in by entering your password until the fingerprint module times out.

Proposal

Allow users to log in via fingerprint swipe or via entering their password, whichever one is correctly attempted first.

Prior Art

Stock Ubuntu focal 20.04 gdm login screen lets you log in using either fingerprint or entering password - one does not block the other.

vjr avatar Jan 17 '21 20:01 vjr

For me if I type in the password it freezes and the only option that remains is restarting lightdm. This means I lose all the windows and progress.

agrawalsourav98 avatar Feb 02 '22 09:02 agrawalsourav98

Having the same issue on elementary OS 6.1 fully updated. This is indeed an extremely annoying bug.

casasfernando avatar Aug 04 '22 21:08 casasfernando

Revisiting this issue, it seems you need to properly configure your pam modules.

My /etc/pam.d/common-auth looks like this at the top and it appears to be working:

auth	[success=2 default=ignore]	pam_fprintd.so max-tries=1 timeout=10 nullok # debug
auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass

vjr avatar Aug 05 '23 10:08 vjr

I'm not sure this will solve the behavior mentioned in https://github.com/elementary/greeter/issues/502#issuecomment-1027732726 which I'm also suffering from. This is what my /etc/pam.d/common-auth has looked like for a long time now, as I'm also using howdy ("face ID"):

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth	[success=3 default=ignore]      pam_python.so /lib/security/howdy/pam.py
auth	[success=2 default=ignore]	pam_fprintd.so max-tries=1 timeout=10 # debug
auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional			pam_cap.so 
# end of pam-auth-update config

And while it generally works, if I type my password while face auth or fingerprint auth is ongoing, the greeter will stop working and I will have to gracefully reboot the system (the shutdown button in the greeter still works) killing my running session. On the other hand if I wait for face auth to timeout and then use fingerprint auth or wait for that also to timeout and then I enter my password, everything works as expected. All in all it seems that while one auth method is ongoing, none of the others can be tried/used or the greeter will break.

PS: this is still the case with elementary OS 7.

PS2: @vjr I'm not sure using nullok in the fingerprint auth line makes sense, since this is to allow empty/blank passwords according to pam's manual page.

casasfernando avatar Aug 05 '23 14:08 casasfernando
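Added example, not part of the thread or of the greeter's code: a simplified Python model of how the auth stack quoted above is walked. It checks that every success=N jump lands on pam_permit.so (just past pam_deny.so) and records the order in which modules are called. The function names and the reduced handling of control flags (only the bracketed jump form, requisite, required and optional) are assumptions of this sketch.

```python
import re

# Constructed input: the auth lines of the common-auth file quoted above.
COMMON_AUTH = """\
auth [success=3 default=ignore] pam_python.so /lib/security/howdy/pam.py
auth [success=2 default=ignore] pam_fprintd.so max-tries=1 timeout=10
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""
LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")
JUMP = re.compile(r"success=(\d+)")

def parse(text):
    """Return [(control, module)] for every auth line; comments are skipped."""
    found = (LINE.match(raw.strip()) for raw in text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]

def jump_targets(stack):
    """Lint helper: the module each success=N jump lands on."""
    targets = {}
    for i, (control, module) in enumerate(stack):
        m = JUMP.search(control)
        if m:
            dest = i + 1 + int(m.group(1))
            targets[module] = stack[dest][1] if dest < len(stack) else "(past end)"
    return targets

def authenticate(stack, succeeds):
    """Simplified model of pam_authenticate(): returns (granted, modules_called).
    `succeeds` is the set of modules that would return PAM_SUCCESS."""
    status, called, i = None, [], 0
    while i < len(stack):
        control, module = stack[i]
        ok = module != "pam_deny.so" and (module in succeeds or module == "pam_permit.so")
        called.append(module)
        m = JUMP.search(control)
        if m and ok:
            i += int(m.group(1))      # skip N modules, result itself is ignored
        elif control == "requisite" and not ok:
            return False, called      # hard failure, stop immediately
        elif control == "required":
            status = ok and status is not False
        elif control == "optional" and ok and status is None:
            status = True
        i += 1
    return status is True, called
```

In this model, authenticate(parse(COMMON_AUTH), {"pam_unix.so"}) grants access only after pam_python.so and pam_fprintd.so have each been called and returned, because the stack is walked strictly in order. A miscounted success=N shows up in jump_targets() as a target other than pam_permit.so.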

Can you try adding "nullok" to your howdy entry too?

Perhaps these changes can be made only to the lightdm auth file and not the common auth so it works only for the greeter and doesn't interfere with console sudo etc?

vjr avatar Aug 05 '23 15:08 vjr

@vjr I tried adding nullok to both lines (howdy and fprintd) but it doesn’t help. If I enter my password before fingerprint auth times out the password field is greyed out but login doesn’t happen and I need to reboot to be able to login again.

casasfernando avatar Aug 06 '23 15:08 casasfernando

@casasfernando btw I tried the latest howdy off the github sources (v3.0.0 beta) and it's been reworked to include a proper PAM module itself ( pam_howdy.so ) which runs the python code and it appears to be working well for me! I have a Logitech BRIO IR-capable cam attached to my desktop PC.

I have noticed the login works only upon initial bootup (greeter startup) and if you log out or lock the screen it does NOT log back in again unless you scroll the user cards. I added a temporary second user to my computer to test this.

Seems there's a call to LightDM.Greeter.authenticate () when the switch_to_card () method is called I guess, so if I can figure out a small patch to the greeter to work properly that would be cool.

vjr avatar Aug 07 '23 14:08 vjr