nixos/pam: Move pam_fprintd.so after pam_unix.so #171140

Open
wants to merge 1 commit into
base: master

@skeleten skeleten commented May 1, 2022

This enables logging into GUI applications using a password even when
using fprintd. However, this now requires first entering an empty
password before being prompted for a fingerprint.

Fixes #171136

Description of changes

This moves the checking of the pam_fprintd module after the pam_unix module. This is required for GUI applications to still be authenticated with a password.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.05 Release Notes (or backporting 21.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.
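
To see which order a system's generated PAM service file actually uses, the following added example (not code from this pull request or from nixpkgs) parses the `auth` stack and reports whether `pam_fprintd.so` or `pam_unix.so` comes first. The sample file contents, the placeholder store path and the function names are constructed for illustration.

```python
import re
import sys

# Constructed samples of a PAM service file; the store path is a placeholder.
FPRINTD_FIRST = """\
# Authentication management.
auth sufficient /nix/store/EXAMPLE-fprintd/lib/security/pam_fprintd.so
auth sufficient pam_unix.so likeauth try_first_pass
auth required pam_deny.so
account required pam_unix.so
"""
UNIX_FIRST = """\
auth sufficient pam_unix.so likeauth try_first_pass
-auth [success=done default=ignore] pam_fprintd.so
auth required pam_deny.so
"""

# type, control (plain word or [value=action ...]), module path, optional args
LINE_RE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)

def auth_stack(text):
    """Return [(control, module basename, args)] for auth lines, in file order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = LINE_RE.match(line) if line else None
        # A leading "-" on the type only silences missing-module logging.
        if m and m.group("type").lstrip("-").lower() == "auth":
            module = m.group("module").rsplit("/", 1)[-1]
            stack.append((m.group("control"), module, m.group("args")))
    return stack

def fprintd_order(text):
    """'fprintd-first', 'unix-first', or None if either module is absent."""
    modules = [mod for _, mod, _ in auth_stack(text)]
    if "pam_fprintd.so" not in modules or "pam_unix.so" not in modules:
        return None
    fp, ux = modules.index("pam_fprintd.so"), modules.index("pam_unix.so")
    return "fprintd-first" if fp < ux else "unix-first"

if __name__ == "__main__":
    # Pass a path such as /etc/pam.d/<service>; defaults to the sample above.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else FPRINTD_FIRST
    for control, module, _ in auth_stack(src):
        print(f"auth {control:<12} {module}")
    print(fprintd_order(src))
```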

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels May 1, 2022
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels May 1, 2022
@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Oct 30, 2022
@stale stale bot removed 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md labels Dec 22, 2022
miker2049 added a commit to miker2049/nixpkgs that referenced this pull request Jan 31, 2023
@SebTM
Contributor

SebTM commented Apr 24, 2023

I guess this should be a toggle option as it changes the current behavior without giving the possibility to switch back?

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/strange-lock-screen-behaviour-with-fprintd-enabled/10248/4

Member

@RaitoBezarius RaitoBezarius left a comment

Address current comments please.

@skeleten skeleten force-pushed the fix-pam-fprintd-order branch from d5bc67f to 32b77a4 Compare May 9, 2023 08:07
@rht
Member

rht commented Aug 31, 2023

Bump. The formatting issue has been addressed. Still needs a rebase though.

> However, this now requires first entering an empty
> password before being prompted for a fingerprint.

I think the current behavior also requires you to press enter, which is equivalent to entering an empty password anyway.

@jtojnar
Member

jtojnar commented Aug 31, 2023

> I think the current behavior also requires you to press enter

At least in GDM and GNOME Shell polkit agent, you just put your finger on the fingerprint reader after being prompted, and it authenticates you without any further action.

@rht
Member

rht commented Aug 31, 2023

Ah, right, I forgot to mention that I'm using i3 & i3lock.

@RaitoBezarius
Member

I am on vacation, so I cannot touch this yet. I recommend rebasing and looking for other reviewers on Discourse.

This enables logging into GUI applications using a password even when
using `fprintd`. However, this now requires first entering an empty
password before being prompted for a fingerprint.

Fixes NixOS#171136
@skeleten skeleten force-pushed the fix-pam-fprintd-order branch from 32b77a4 to 3284ed1 Compare September 24, 2023 10:40
@nyabinary
Contributor

Needs a rebase

Member

@jtojnar jtojnar left a comment

> However, this now requires first entering an empty
> password before being prompted for a fingerprint.

This is a downgrade IMO.

Maybe something like #171136 (comment) would work better.

@nyabinary
Contributor

> > However, this now requires first entering an empty
> > password before being prompted for a fingerprint.
>
> This is a downgrade IMO.
>
> Maybe something like #171136 (comment) would work better.

I mean, no one made a config PR yet sadly...

@jtojnar
Member

jtojnar commented Mar 6, 2024

> I mean, no one made a config PR yet sadly...

That does not mean we should merge a broken PR instead.

And someone actually made a PR with what looked like a proper fix but there was still a bug and we lack people familiar with PAM to review it: #282322

Edit: Fixed in #321591

@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label Mar 20, 2024
@AkechiShiro
Contributor

> > I think the current behavior also requires you to press enter
>
> At least in GDM and GNOME Shell polkit agent, you just put your finger on the fingerprint reader after being prompted, and it authenticates you without any further action.

This may be related to sddm/sddm#1220 (comment)

@wegank wegank added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 4, 2024
@taciturnaxolotl
Contributor

Would making an option in the fprint service to have password auth first be a better solution? It would be backwards compatible and still allow people to use the password-first method without hacky workarounds.

Successfully merging this pull request may close these issues.

Enabling fprintd prevents authentication with password in graphical applications
10 participants