nixos/gdm: allow logging in via fingerprint #321591
Conversation
github-actions
bot
added
6.topic: nixos
Signed-off-by: John Titor <[email protected]>
JohnRTitor
force-pushed
the
gdm-fingerprint-auth
branch
from
b3e5496 to
9d41fe6
Compare
|
Please have a look as well @LeSuisse, changes are mostly same as amaxine's PR I removed manual addition of |
JohnRTitor
added
the
6.topic: GNOME
ofborg
bot
added
10.rebuild-darwin: 0
JohnRTitor
changed the title
github-actions
bot
removed
the
6.topic: GNOME
Pandapip1
added
the
12.approvals: 1
|
Thanks, I will keep it open for a while for others to provide feedback on it. |
|
Wanted to note that fingerprint login was already possible before, it just didn’t work well (fingerprint would immediately fail, then reactivate and block all password login attempts until it failed again) |
|
I’m using a Framework Laptop 16 and following this patch fingerprint login has become more inconsistent than before. |
|
Could be related to , could you mkForce it to true and tell us the result?Fingerprint support on NixOS needs wider testing. Would love if you could help. |
|
doing it now |
|
doing this prevents me from logging in via password, and also GDM repeatedly shakes the password box and displays an error about fingerprint login not working (but when I touch the finger I can log in) (note I did not reboot) |
|
note: that was the behavior on the lock screen |
|
I will test a fresh login later |
| auth required ${pkgs.fprintd}/lib/security/pam_fprintd.so | ||
| auth optional pam_permit.so | ||
| auth required pam_env.so | ||
| auth [success=ok default=1] ${pkgs.gnome.gdm}/lib/security/pam_gdm.so |
There was a problem hiding this comment.
I am seeing the following in the journal:
gdm-fingerprint][1033624]: PAM bad jump in stack
Probably caused by the default=1, which should skip one auth instruction when pam_gdm gives anything but success, there are no further authinstructions.
There was a problem hiding this comment.
security.pam.services.gdm-fingerprint.enableGnomeKeyring = true; does not appear to do anything for me.
But I am now pretty sure invoking it manually as in b3e5496 would be fine.
If we want to make it conditional, we would need to replace the one after the jump with the pam_permit.so line when disabled.
| auth requisite pam_nologin.so | ||
| auth requisite pam_faillock.so preauth | ||
| auth required ${pkgs.fprintd}/lib/security/pam_fprintd.so | ||
| auth optional pam_permit.so |
There was a problem hiding this comment.
I started looking into pam two weeks ago and according to my current understanding, this line does not do anything.
I do not think that is desirable. Not exactly sure what would happen but at best, I would expect it to lead to the same behaviour as before (user is not prompted for password until fingerprint auth fails). And at worst, two pam modules would ask for the fingerprint at the same time, which sounds like a fun way to get new bugs. |
|
Opened #324347 with a fix, also adding gnome-keyring. |
Description of changes
Lets GDM/GNOME users to login via fingerprint if fprintd service is enabled.
Cherry-picked from #306338. Have not tested but should work fine. Originally borrowed from https://gitlab.gnome.org/GNOME/gdm/-/blob/main/data/pam-arch/gdm-fingerprint.pam
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.