Bug 1398371

Summary: Pam no longer prompts for a fingerprint scan after updating to 25
Product: [Fedora] Fedora Reporter: Sam Varshavchik <mrsam>
Component: fprintdAssignee: Bastien Nocera <bnocera>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 25CC: bnocera, jezekus, mrsam, tmraz, vondruch
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: fprintd-0.7.0-2.fc25 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-10 14:23:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
/var/log/messages none

Description Sam Varshavchik 2016-11-24 15:20:09 UTC 
Description of problem:

After updating to Fedora 25, fingerprint authentication stopped working. The X login screen prompts for a password and the fingerprint reader does not get activated. Ditto for virt-manager.

Version-Release number of selected component (if applicable):

pam-1.3.0-1.fc25.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Start with working fingerprint authentication in Fedora 24
2. Update to Fedora 25

Actual results:

Fingerprint authentication no longer works.

Expected results:

Fingerprint authentication working as before.

Additional info:

fprintd-enroll activates the fingerprint scanner, and I can reenroll without any issues. After poking around I see that something gets written to /var/lib/fprint/mrsam/0011/00000000/7, yet pam still does not prompt for authentication when it should be.

The hardware is:

Bus 001 Device 003: ID 147e:2016 Upek Biometric Touchchip/Touchstrip Fingerprint Sensor
Comment 1 Tomas Mraz 2016-11-28 07:47:42 UTC 
Do you use gdm for the X login screen? Is pam_fprintd present on the system?
Comment 2 Bastien Nocera 2016-11-28 09:01:13 UTC 
(In reply to Tomas Mraz from comment #1)
> Do you use gdm for the X login screen? Is pam_fprintd present on the system?

Which is in the fprintd-pam package.
Comment 3 Sam Varshavchik 2016-11-28 12:07:40 UTC 
[mrsam@thinkpad ~]$ rpm -q fprintd-pam
fprintd-pam-0.7.0-1.fc25.x86_64
[mrsam@thinkpad ~]$ rpm -q lightdm
lightdm-1.18.2-1.fc25.x86_64

lightdm with the xfce desktop.

As I mentioned, authenticating to virt-manager also no longer activates the fingerprint reader any more, either.
Comment 4 Tomas Mraz 2016-11-28 12:44:43 UTC 
And do you see pam_fprintd in /etc/pam.d/system-auth? Can you paste it here?
Comment 5 Sam Varshavchik 2016-11-28 12:54:43 UTC 
Created attachment 1225276 [details]
/var/log/messages

As far as I can tell, these are the relevant lines that get logged to syslog.
Comment 6 Sam Varshavchik 2016-11-28 13:00:49 UTC 
No, pam_fprintd is not in /etc/system-auth

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
Comment 7 Sam Varshavchik 2016-11-28 13:14:32 UTC 
Chasing the /etc/pam.d/system-auth clue, I ran system-config-authentication, and found the "Enable fingerprint" checkbox, which was off. After enabling it, fingerprint authentication started working both in lightdm, and in virt-manager.

This system was updated from Fedora 24 to 25 via fedup.

The fprintd package has:

%postun pam
/sbin/authconfig --disablefingerprint --update

That looks to me like when pam gets updated, during the system upgrade, this disabled the fingerprint module, since a package upgrade is an install followed by an uninstall.

I don't know how long this %postun has been there; but this system had its fingerprint module active, by default, for many Fedora releases.
Comment 8 Tomas Mraz 2016-11-28 14:04:24 UTC 
Yes, the %postun script should be:

if [ "$1" = 0 ] ; then /sbin/authconfig --disablefingerprint --update ; fi
exit 0

And maybe it should be in %preun rather than in %postun.
Comment 9 jezekus 2016-12-13 16:59:58 UTC 
*** Bug 1398959 has been marked as a duplicate of this bug. ***
Comment 10 Fedora Update System 2017-02-09 20:25:09 UTC 
fprintd-0.7.0-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4b67ae702a
Comment 11 Fedora Update System 2017-02-10 00:50:56 UTC 
fprintd-0.7.0-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4b67ae702a
Comment 12 Fedora Update System 2017-02-10 14:23:10 UTC 
fprintd-0.7.0-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Bastien Nocera 2017-02-21 09:49:54 UTC 
*** Bug 1423480 has been marked as a duplicate of this bug. ***