Bug 45575 - Avoid fingerprint authentication in some cases
Summary: Avoid fingerprint authentication in some cases
Alias: None
Product: libfprint
Classification: Unclassified
Component: libfprint (show other bugs)
Version: unspecified
Hardware: All Linux (All)
: medium minor
Assignee: libfprint-bugs
QA Contact:
Depends on:
Reported: 2012-02-02 19:53 UTC by Suren A. Chilingaryan
Modified: 2012-02-03 03:09 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Description Suren A. Chilingaryan 2012-02-02 19:53:57 UTC
pam_libfprint does not detect remote users working over ssh or NX. If you call, for instance, sudo in such session, you'll be in trouble.

I just created a small patch fixing this issue and providing two more enhancements:
1. Using "check=<script>" parameter, you may specify external application which will be called and upon its exit code, the pam module will proceed with authentication or fail back to password authentication. Just an example of possible use-case: 
For security reasons, the gnome keyring can't be unlocked by fingerprint authorization, the password will be asked upon the login. This forces user to make both finger and password authentication. So, the external application may check if the keyring already unlocked and only in this case allow the fingerprint authentication. 

2. If you have enrolled multiple fingers with fprint_demo, you may hint the pam module which one should be verified using "finger=<finger_num>" parameter.

The patch is here:
Comment 1 Bastien Nocera 2012-02-03 03:09:51 UTC
pam_libfprint is obsolete, and unmaintained. Use the pam_fprintd PAM module that comes with fprintd instead.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.