Bug 64781 - Return PAM_UNKNOWN_USER when user has not enrolled any fingerprint
Summary: Return PAM_UNKNOWN_USER when user has not enrolled any fingerprint
Status: RESOLVED FIXED
Alias: None
Product: libfprint
Classification: Unclassified
Component: fprintd (show other bugs)
Version: unspecified
Hardware: Other All
: medium enhancement
Assignee: libfprint-bugs
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-20 05:01 UTC by Rob Johnson
Modified: 2013-06-03 13:00 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments
Return PAM_UNKNOWN_USER when user has not enrolled any fingerprint (573 bytes, text/plain)
2013-05-20 05:01 UTC, Rob Johnson
Details
pam: return PAM_UNKNOWN_USER when user is unenrolled (3.37 KB, patch)
2013-06-03 12:58 UTC, Ray Strode [halfline]
Details | Splinter Review

Note You need to log in before you can comment on or make changes to this bug.
Description Rob Johnson 2013-05-20 05:01:40 UTC
Created attachment 79561 [details]
Return PAM_UNKNOWN_USER when user has not enrolled any fingerprint

The attached simple patch makes pam_fprintd return PAM_UNKNOWN_USER when the user has not enrolled a fingerprint.

This lets the administrator set up pam_fprintd as a required authentication, method, but only for users that have enrolled a fingerprint, as such:
  auth	[success=ok user_unknown=ignore default=die] pam_fprintd.so max_tries=1 timeout=-1
  auth	[success=1  default=ignore]	             pam_unix.so nullok_secure try_first_pass
  auth	requisite			             pam_deny.so
With this config, users w/o an enrolled fingerprint will just be asked for a password.  Users with an enrolled fingerprint will required to login using both their fingerprint and a password.

The current behavior, where fingerprint login is an alternative to the password login, is still possible with the new behavior, using the normal config
  auth	[success=2  default=ignore] pam_fprintd.so max_tries=1 timeout=-1
  auth	[success=1  default=ignore] pam_unix.so nullok_secure try_first_pass
  auth	requisite		    pam_deny.so

The administrator still has to distinguish between local login methods (such as login, gdm, lightdm, etc) and remote methods (e.g. ssh) in his configuration.
Comment 1 Ray Strode [halfline] 2013-06-03 12:55:10 UTC
Hi,

Thanks for the interest in fprintd.

In general, when generating patches please use

git-format-patch -1 or git-bz.  This way authorship information is already correct and the commit message is staged and ready to go.

The patch looks reasonable to me.  It shouldn't break existing configurations, but makes the pam module more flexible.  I've repurposed part of your comment 0 for the commit message with small changes.

Your pam configuration has:

try_first_pass

on the pam_unix lines.  This isn't really right, since pam_fprintd will never set PAM_AUTHTOK.
Comment 2 Ray Strode [halfline] 2013-06-03 12:58:43 UTC
Created attachment 80224 [details] [review]
pam: return PAM_UNKNOWN_USER when user is unenrolled

This commit makes pam_fprintd return PAM_UNKNOWN_USER when
the user has not enrolled a fingerprint.

This lets the administrator set up pam_fprintd as a required
authentication, method, but only for users that have enrolled a
fingerprint, as such:

auth  [success=ok user_unknown=ignore default=die] pam_fprintd.so max_tries=1 timeout=-1
auth  [success=1  default=ignore]                  pam_unix.so nullok_secure
auth  requisite                                    pam_deny.so

With this config, users w/o an enrolled fingerprint will just be
asked for a password.  Users with an enrolled fingerprint will
required to login using both their fingerprint and a password.

https://bugs.freedesktop.org/show_bug.cgi?id=64781


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.