Created attachment 79561
Return PAM_UNKNOWN_USER when user has not enrolled any fingerprint

The attached simple patch makes pam_fprintd return PAM_UNKNOWN_USER when the user has not enrolled a fingerprint. This lets the administrator set up pam_fprintd as a required authentication method, but only for users that have enrolled a fingerprint, as such:

auth [success=ok user_unknown=ignore default=die] pam_fprintd.so max_tries=1 timeout=-1
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so

With this config, users without an enrolled fingerprint will just be asked for a password. Users with an enrolled fingerprint will be required to log in using both their fingerprint and a password.

The current behavior, where fingerprint login is an alternative to the password login, is still possible with the new behavior, using the normal config:

auth [success=2 default=ignore] pam_fprintd.so max_tries=1 timeout=-1
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so

The administrator still has to distinguish between local login methods (such as login, gdm, lightdm, etc.) and remote methods (e.g. ssh) in his configuration.
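As an added example (not part of the bug report and not fprintd code), the following Python model of the Linux-PAM control-field semantics from pam.d(5) traces both stacks above for an unenrolled user, an enrolled user, and a module return code that neither stack maps explicitly. Module behaviour is stubbed with constructed return codes; it is assumed that pam_deny's authenticate hook returns PAM_AUTH_ERR, and the evaluator is a simplification of libpam's dispatcher (ok, done, bad, die, ignore and the integer jump are modelled; substack and include are not).

```python
"""Toy model of the Linux-PAM auth-stack dispatcher (added example, not
fprintd code): module results are stubbed so the two stacks from the bug
can be traced offline. Substack/include directives are not modelled."""
import re

# Return codes used here; names follow pam_appl.h.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_UNKNOWN_USER = "PAM_UNKNOWN_USER"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"

# Keyword that selects each return code inside a [...] control field.
CONTROL_KEYWORD = {
    PAM_SUCCESS: "success",
    PAM_AUTH_ERR: "auth_err",
    PAM_UNKNOWN_USER: "user_unknown",
    PAM_AUTHINFO_UNAVAIL: "authinfo_unavail",
}

# Historic control keywords, expanded as pam.d(5) documents them.
SHORTCUTS = {
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

LINE_RE = re.compile(r"^\s*(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(?:\s+(.*))?$")

def parse_stack(text):
    """Parse pam.d-style lines into (type, control dict, module, args)."""
    stack = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m: raise ValueError("cannot parse: %r" % line)
        mtype, control, module, args = m.groups()
        ctl = dict(kv.split("=", 1) for kv in control[1:-1].split()) if control.startswith("[") else SHORTCUTS[control]
        stack.append((mtype, ctl, module, args or ""))
    return stack

def run_auth(stack, returns):
    """Evaluate an auth stack with returns = {module name: return code}; gives
    (final status, ["module -> retval (action)", ...]). Like libpam, an
    impression (None/"positive"/"negative") is kept and a negative one is sticky."""
    impression, status, trace = None, None, []
    i = 0
    while i < len(stack):
        _, ctl, module, _ = stack[i]
        retval = returns[module]
        # Unlisted return codes fall through to 'default', or to 'bad' if unset.
        action = ctl.get(CONTROL_KEYWORD[retval], ctl.get("default", "bad"))
        trace.append("%s -> %s (%s)" % (module, retval, action))
        skip = int(action) if action.isdigit() else 0  # "N" acts like 'ok' plus a jump over N
        if skip: action = "ok"
        if action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die": break
        elif action in ("ok", "done"):
            if impression != "negative":
                impression = "positive" if retval == PAM_SUCCESS else "negative"
                status = retval
            if action == "done" and impression == "positive": break  # 'sufficient' semantics
        elif action != "ignore": raise ValueError("unsupported action %r" % action)
        i += 1 + skip
    if impression is None:  # nothing contributed a verdict: fail closed
        status = PAM_PERM_DENIED
    return status, trace

# The two stacks from comment 0 (try_first_pass dropped, as comment 1 notes).
PATCHED_STACK = parse_stack("""
auth [success=ok user_unknown=ignore default=die] pam_fprintd.so max_tries=1 timeout=-1
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
""")
ALTERNATIVE_STACK = parse_stack("""
auth [success=2 default=ignore] pam_fprintd.so max_tries=1 timeout=-1
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
""")

def scenario(fprintd, unix):
    """Constructed module outcomes; pam_deny's auth hook is assumed to return PAM_AUTH_ERR."""
    return {"pam_fprintd.so": fprintd, "pam_unix.so": unix, "pam_deny.so": PAM_AUTH_ERR}

CASES = {
    "unenrolled, good password": scenario(PAM_UNKNOWN_USER, PAM_SUCCESS),
    "unenrolled, bad password": scenario(PAM_UNKNOWN_USER, PAM_AUTH_ERR),
    "enrolled, good finger, good password": scenario(PAM_SUCCESS, PAM_SUCCESS),
    "enrolled, good finger, bad password": scenario(PAM_SUCCESS, PAM_AUTH_ERR),
    "enrolled, bad finger, good password": scenario(PAM_AUTH_ERR, PAM_SUCCESS),
    "reader error, good password": scenario(PAM_AUTHINFO_UNAVAIL, PAM_SUCCESS),
}

def outcomes(stack):
    """Final status of `stack` for every case in CASES."""
    return {label: run_auth(stack, rets)[0] for label, rets in CASES.items()}
```

Running `outcomes(PATCHED_STACK)` shows the two-factor behaviour the report describes (a failed fingerprint dies before pam_unix is reached, a good fingerprint with a bad password still ends in pam_deny), while `outcomes(ALTERNATIVE_STACK)` shows the skip-2 stack returning success after the fingerprint alone. The "reader error" case is the caveat: any return code the patched stack does not list hits default=die, which is why PAM_UNKNOWN_USER has to be mapped explicitly with user_unknown=ignore.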
Hi,

Thanks for the interest in fprintd. In general, when generating patches please use git-format-patch -1 or git-bz. This way authorship information is already correct and the commit message is staged and ready to go.

The patch looks reasonable to me. It shouldn't break existing configurations, but makes the pam module more flexible. I've repurposed part of your comment 0 for the commit message with small changes.

Your pam configuration has try_first_pass on the pam_unix lines. This isn't really right, since pam_fprintd will never set PAM_AUTHTOK.
Created attachment 80224
pam: return PAM_UNKNOWN_USER when user is unenrolled

This commit makes pam_fprintd return PAM_UNKNOWN_USER when the user has not enrolled a fingerprint. This lets the administrator set up pam_fprintd as a required authentication method, but only for users that have enrolled a fingerprint, as such:

auth [success=ok user_unknown=ignore default=die] pam_fprintd.so max_tries=1 timeout=-1
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so

With this config, users without an enrolled fingerprint will just be asked for a password. Users with an enrolled fingerprint will be required to log in using both their fingerprint and a password.

https://bugs.freedesktop.org/show_bug.cgi?id=64781
Attachment 80224 pushed as http://cgit.freedesktop.org/libfprint/fprintd/commit/?id=b4f53045659d09499ac082f93c741cb196f5a5c1

Thanks again.