|Summary:|Avoid fingerprint authentication in some cases|
|Product:|libfprint|
|Reporter:|Suren A. Chilingaryan <csa>|
|Status:|RESOLVED NOTOURBUG|
Description Suren A. Chilingaryan 2012-02-02 19:53:57 UTC
pam_libfprint does not detect remote users working over ssh or NX. If you call, for instance, sudo in such a session, you'll be in trouble. I just created a small patch fixing this issue and providing two more enhancements:

1. Using the "check=<script>" parameter, you may specify an external application which will be called and, depending on its exit code, the pam module will proceed with authentication or fall back to password authentication. Just an example of a possible use case: for security reasons, the gnome keyring can't be unlocked by fingerprint authorization; the password will be asked for upon login. This forces the user to perform both finger and password authentication. So, the external application may check if the keyring is already unlocked and only in this case allow the fingerprint authentication.
2. If you have enrolled multiple fingers with fprint_demo, you may hint to the pam module which one should be verified using the "finger=<finger_num>" parameter.

The patch is here: http://dside.dyndns.org/projects/patches.dir/pam_fprint-ds.patch
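
An added example, not part of the reporter's patch: a script that could be passed as check=<script> so that fingerprint authentication is refused in SSH sessions. It assumes exit status 0 means "proceed with fingerprint" and non-zero means "fall back to password" (the report does not state the mapping); the file name fprint-check and the function names are hypothetical, and NX sessions are not covered.

```shell
#!/bin/sh
# Hypothetical check script for the "check=<script>" option described above.
# Assumed convention: exit 0 = allow fingerprint, non-zero = password only.

# True if variables that sshd exports into a session are present.
# Assumes the PAM module passes the caller's environment to the script.
has_ssh_env() {
    [ -n "${SSH_CONNECTION:-}" ] || [ -n "${SSH_CLIENT:-}" ] || [ -n "${SSH_TTY:-}" ]
}

# True if PID $1 or one of its ancestors is an sshd process.
# Catches sessions where the environment was scrubbed (e.g. by sudo).
has_sshd_ancestor() {
    pid=$1
    while [ "${pid:-0}" -gt 1 ] && [ -r "/proc/$pid/status" ]; do
        name=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$pid/status" 2>/dev/null)
        case "$name" in
            sshd|sshd-session) return 0 ;;
        esac
        pid=$(sed -n 's/^PPid:[[:space:]]*//p' "/proc/$pid/status" 2>/dev/null)
    done
    return 1
}

# Decision: any sign of a remote session refuses fingerprint authentication.
fingerprint_allowed() {
    if has_ssh_env || has_sshd_ancestor "$$"; then
        return 1
    fi
    return 0
}

# Act as the check script only when installed under the hypothetical
# name "fprint-check"; sourcing the file just defines the functions.
case "${0##*/}" in
    fprint-check) fingerprint_allowed; exit $? ;;
esac
```

The parent-process walk relies on a Linux-style /proc; where it is absent, only the environment test applies.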
Comment 1 Bastien Nocera 2012-02-03 03:09:51 UTC
pam_libfprint is obsolete, and unmaintained. Use the pam_fprintd PAM module that comes with fprintd instead.