Bug 45575

Summary: Avoid fingerprint authentication in some cases
Product: libfprint
Component: libfprint
Reporter: Suren A. Chilingaryan <csa>
Assignee: libfprint-bugs
Status: RESOLVED NOTOURBUG
Severity: minor
Priority: medium
Version: unspecified
Hardware: All
OS: Linux (All)

Description Suren A. Chilingaryan 2012-02-02 19:53:57 UTC
pam_libfprint does not detect remote users working over ssh or NX. If you call, for instance, sudo in such a session, you'll be in trouble.

I just created a small patch fixing this issue and providing two more enhancements:
1. Using the "check=<script>" parameter, you may specify an external application which will be called, and depending on its exit code, the PAM module will proceed with authentication or fall back to password authentication. Just an example of a possible use case:
For security reasons, the GNOME keyring can't be unlocked by fingerprint authorization; the password will be asked for upon login. This forces the user to perform both fingerprint and password authentication. So, the external application may check if the keyring is already unlocked and only in this case allow the fingerprint authentication.

2. If you have enrolled multiple fingers with fprint_demo, you may hint to the PAM module which one should be verified using the "finger=<finger_num>" parameter.


The patch is here:
http://dside.dyndns.org/projects/patches.dir/pam_fprint-ds.patch
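
A helper for the "check=<script>" hook described in the report could look like the following. This is an added example, not code from the patch or from libfprint: it assumes exit status 0 means "proceed with fingerprint" and non-zero means "fall back to password" (the report does not state the convention), that the helper inherits the caller's environment, and the file name `fprint-check` is hypothetical. It covers SSH and forwarded X11 only, not NX.

```shell
#!/bin/sh
# Added example, not from the patch. Assumptions: exit 0 = allow fingerprint,
# non-zero = fall back to password; the helper inherits the caller's
# environment. Variables are caller-controlled: a convenience filter only.

# Return 0 when the session looks remote, 1 when it looks local.
is_remote_session() {
    # OpenSSH exports these in every session it starts.
    [ -n "${SSH_CONNECTION:-}" ] && return 0
    [ -n "${SSH_CLIENT:-}" ] && return 0
    [ -n "${SSH_TTY:-}" ] && return 0
    # PAM_RHOST as exported by pam_exec; assumed to be passed on here too.
    case "${PAM_RHOST:-}" in
        ""|localhost|127.0.0.1|::1) ;;
        *) return 0 ;;
    esac
    # A DISPLAY with a host part (e.g. localhost:10.0) is forwarded X11.
    case "${DISPLAY:-}" in
        ""|:*|unix:*) ;;
        *) return 0 ;;
    esac
    return 1
}

# Return 0 when fingerprint verification should be offered.
fingerprint_allowed() {
    if is_remote_session; then
        return 1
    fi
    return 0
}

# Act as the check script only when installed under this hypothetical name.
case "${0##*/}" in
    fprint-check) fingerprint_allowed; exit $? ;;
esac
```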
Comment 1 Bastien Nocera 2012-02-03 03:09:51 UTC
pam_libfprint is obsolete, and unmaintained. Use the pam_fprintd PAM module that comes with fprintd instead.
