cosmic-greeter

Fingerprint login issue

Open tobyrg opened this issue 1 year ago • 15 comments

When logging in using a fingerprint, there is currently a confirm button that needs to be pressed after the fingerprint has been read. Ideally, I would prefer to log in directly without having to press the confirm button once the fingerprint is read.

tobyrg avatar Jul 02 '24 11:07 tobyrg

I don't see anything in the code that will unlock with a fingerprint. As far as I know it only uses login PAM. I think you may be using a hack that allows the login PAM to also accept fingerprint. Did you make any modifications to your PAM?

ChocolateLoverRaj avatar Jul 04 '24 01:07 ChocolateLoverRaj

From my understanding cosmic-greeter uses PAM, I enabled Fingerprint authentication PAM profile.

The issue I'm having is that when logging in for the first time you must press confirm, I'm unsure how I could take a screenshot of this.

tobyrg avatar Jul 04 '24 01:07 tobyrg

> I enabled Fingerprint authentication PAM profile

What distro are you using and what is the contents of your /etc/pam.d/login?

> cosmic-greeter uses PAM

PAM was not made to support either password or fingerprint in a single PAM module. You can use PAM to unlock with either fingerprint or password, but using two PAMs at the same time, not one PAM.

Does your fingerprint login work as expected for other DEs? Are you using https://gitlab.com/mishakmak/pam-fprint-grosshack?

ChocolateLoverRaj avatar Jul 04 '24 02:07 ChocolateLoverRaj

Fingerprint works fine when I used GNOME, I just ran sudo pam-auth-update and added Fingerprint authentication.

tobyrg avatar Jul 04 '24 02:07 tobyrg

I am using Pop_OS! 22.04

This is my /etc/pam.d/login

#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# Sets the loginuid process attribute
session    required     pam_loginuid.so

# Prints the message of the day upon successful login.
# (Replaces the `MOTD_FILE' option in login.defs)
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session    optional   pam_motd.so motd=/run/motd.dynamic
session    optional   pam_motd.so noupdate

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
# pam_selinux.so changes the SELinux context of the used TTY and configures
# SELinux in order to transition to the user context with the next execve()
# call.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraint on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# Create a new session keyring.
session    optional   pam_keyinit.so force revoke

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

tobyrg avatar Jul 04 '24 02:07 tobyrg

That's weird, your /etc/pam.d/login file doesn't mention fprintd anywhere. Is it part of one of the @included files? I'm pretty sure GNOME uses /etc/pam.d/gdm-fingerprint for fingerprint login, which cosmic-greeter doesn't use, so I'm wondering how cosmic-greeter even unlocks with a fingerprint for you.

https://manpages.ubuntu.com/manpages/trusty/man8/pam-auth-update.8.html says it changes /etc/pam.d/common-*. Is the fingerprint login configured in one of those files? Also what is the behavior of pamtester login $USER authenticate?

ChocolateLoverRaj avatar Jul 06 '24 15:07 ChocolateLoverRaj
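
The lookup this comment asks for, as an added example (not from the thread or from cosmic-greeter): follow the `@include` lines of a PAM service file and report which file actually loads `pam_fprintd.so`. The function names are hypothetical and the sample files are constructed excerpts modelled on the configs posted in this thread.

```python
import os
import tempfile

def flatten(service, pam_dir="/etc/pam.d", chain=()):
    """Yield (file, lineno, type, control, module) for each rule of a PAM
    service, descending into @include lines such as '@include common-auth'."""
    if service in chain:                      # include loop: stop descending
        return
    with open(os.path.join(pam_dir, service)) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if line.startswith("@include"):
                yield from flatten(line.split()[1], pam_dir, chain + (service,))
                continue
            mtype, rest = line.split(None, 1)
            if rest.startswith("["):          # [success=ok default=bad] form
                end = rest.index("]") + 1
                control, rest = rest[:end], rest[end:]
            else:                             # keyword form: required, sufficient, ...
                control, rest = rest.split(None, 1)
            yield service, lineno, mtype.lstrip("-"), control, rest.split()[0]

def find_auth_module(service, module, pam_dir="/etc/pam.d"):
    """Return [(file, lineno, control)] for auth rules that load `module`."""
    return [(f, n, c) for f, n, t, c, m in flatten(service, pam_dir)
            if t == "auth" and os.path.basename(m) == module]

def demo():
    """Run the lookup on constructed files modelled on the thread's configs."""
    files = {  # constructed excerpts, not a complete configuration
        "login": "auth requisite pam_nologin.so\n"
                 "session [success=ok default=bad] pam_selinux.so close\n"
                 "@include common-auth\n"
                 "auth optional pam_group.so\n",
        "common-auth": "# managed by pam-auth-update\n"
                       "auth sufficient pam_fprintd.so max_tries=3 timeout=10\n"
                       "auth sufficient pam_unix.so nullok\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return find_auth_module("login", "pam_fprintd.so", d)

if __name__ == "__main__":
    print(demo())   # on a real system: find_auth_module("login", "pam_fprintd.so")
```
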

The standard method I've been using is installing fprintd followed by libpam-fprintd, then run pam-auth-update as @tobyrg mentions. This lets you select the fingerprint as an option. I've used this method to make it work on gnome as well as plasma.

zeroZshadow avatar Jul 18 '24 18:07 zeroZshadow

Here is the photo of the issue, as you can see there is a Confirm button that has to be pressed once the fingerprint has been read.

cosmic-greeter-issue

tobyrg avatar Jul 31 '24 11:07 tobyrg

The way I understand this, it is not a fingerprint login issue but more of an improvement idea that placing a finger on the scanner should produce the following behavior:

  1. Fingerprint gets scanned
  2. Scan is compared to all users' registered fingerprints
  3. If match is found the system logs you in as the user that the matched fingerprint was registered to.
  4. No match found should display some error, or prompt, to let the user know it failed.

e. This from fprintd "Known issues:

  • pam_fprintd does not support identifying the user itself as that would mean having the fingerprint reader on for all the time the user selection is displayed, and could damage the hardware. It could be fixed by having gdm/login only start the PAM conversation when there is activity
  • pam_fprintd doesn't support entering either the password or a fingerprint, as pam_thinkfinger does, because it's a gross hack, and could be fixed by having the login managers run 2 separate PAM stacks"

Also the installer should offer the option when finding a known working scanner hardware to set up fprintd, libpam-fprintd, pam-auth-update && fprintd-enroll, preferably in a GUI.

jotuel avatar Aug 31 '24 10:08 jotuel

For me enabling fingerprint auth creates a hectic, unpredictable login screen behavior. When I "lock screen", sometimes the password is asked, sometimes the fingerprint and sometimes both, and sometimes the login screen displays properly and sometimes the UI is distorted and dysfunctional. In the latter case, the mouse cursor does not point properly to the inputs on screen, like in the following picture where the cursor is detected as hovering the "show password" icon while it is visually far off.

Image

Note that I haven't tested "log out" or full system restart as much as simple "lock screen" but I have tested it a couple of times and always got the distorted UI.

Disclosure: I am not familiar with configuring fingerprint scanners on linux (as in "never did it before now") so I might have missed a step...

I did the following:

sudo apt install fprintd libpam-fprintd
lsusb # to verify my scanner was listed
sudo pam-auth-update # to activate fingerprint auth
fprintd-enroll # to record my right index scan
fprintd-verify # to verify it

Tell me if you'd like me to do some tests.

m4rrc0 avatar Mar 19 '25 18:03 m4rrc0

And a personal opinion regarding this:

> Also the installer should offer the option when finding a known working scanner hardware to set up fprintd, libpam-fprintd, pam-auth-update && fprintd-enroll, preferably in a GUI.

This would of course be ideal but should not be blocking the first part (better login experience). I suspect most Cosmic users are relatively capable of manually configuring their scanner while improving the Cosmic UI and behavior on the other hand is mostly out of reach for many of us.

m4rrc0 avatar Mar 19 '25 18:03 m4rrc0

I was really struggling with this and finally got it working on Pop 24.04 (Alpha 7)

I did it by having my common-auth file read as follows:

# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files, and should contain a list of the authentication modules that define the central
# authentication scheme for use on the system (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. To take advantage of this, it is recommended that you configure any local modules
# either before or after the default block, and use pam-auth-update to manage selection of other modules.  See pam-auth-update(8) for details.

#this is the fingerprint reader.
auth   sufficient  pam_fprintd.so max_tries=3 timeout=10
# here are the per-package modules (the "Primary" block)
auth	sufficient	pam_unix.so nullok


# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional			pam_cap.so
# end of pam-auth-update config

counterapparatus avatar May 15 '25 21:05 counterapparatus

@counterapparatus does that config let you unlock with typing password or fingerprint reader, or is it sequential?

ChocolateLoverRaj avatar May 15 '25 22:05 ChocolateLoverRaj

It first prompts for me to use my fingerprint (and doesn't confirm, just logs me in, though I'm the only user) and then if it fails 3 times, it switches to prompt me for the password.

counterapparatus avatar May 15 '25 22:05 counterapparatus
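
Why the common-auth posted above behaves sequentially, as an added example (not from the thread or from cosmic-greeter): a simplified model of how PAM walks a stack of keyword control flags, following the expansions documented in pam.conf(5). `run_stack` and the module outcomes are hypothetical; bracketed controls and real module return codes are not modelled.

```python
# Keyword control flags, expanded as documented in pam.conf(5).
ACTIONS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# auth rules from the common-auth posted above (comments removed)
COMMON_AUTH = """\
auth sufficient pam_fprintd.so max_tries=3 timeout=10
auth sufficient pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

def run_stack(config, outcomes):
    """Simulate one auth pass over `config`.

    `outcomes` maps module name -> True/False (constructed results; modules
    not listed succeed, pam_deny.so always fails). Returns
    (authenticated, [modules called, in order])."""
    positive, failed, called = False, False, []
    for line in config.splitlines():
        mtype, control, module = line.split()[:3]
        if mtype != "auth":
            continue
        called.append(module)      # each module blocks until it returns
        ok = module != "pam_deny.so" and outcomes.get(module, True)
        action = ACTIONS[control]["success" if ok else "default"]
        if action in ("ok", "done") and not failed:
            positive = True
            if action == "done":
                break              # sufficient: return to the application now
        elif action in ("bad", "die"):
            failed = True
            if action == "die":
                break              # requisite: abort the stack
    return (positive and not failed), called

if __name__ == "__main__":
    print(run_stack(COMMON_AUTH, {"pam_fprintd.so": True}))
    print(run_stack(COMMON_AUTH, {"pam_fprintd.so": False, "pam_unix.so": True}))
```

Because a single stack calls its modules one after another, `pam_unix.so` is only reached after `pam_fprintd.so` has returned failure, which matches the fingerprint-then-password order described above.
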

Ideally, cosmic-greeter should run two PAM sessions in parallel. One for typing the password and one for the fingerprint reader. That way users can log in with either option without having to fail 3 times to switch to typing. This is what GNOME and KDE do.

ChocolateLoverRaj avatar May 15 '25 22:05 ChocolateLoverRaj