Bug 1943406

Summary: authselect generates bad pam config for fingerprint-auth
Product: [Fedora] Fedora
Reporter: Connor Lim <dev>
Component: authselect
Assignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 34
CC: bberg, jhrozek, pbrezina
Hardware: x86_64
OS: Linux
Fixed In Version: authselect-1.2.3-1.fc34
Last Closed: 2021-04-05 00:17:12 UTC
Type: Bug

Description Connor Lim 2021-03-26 02:01:32 UTC
Description of problem:
After upgrading from F33 to F34, fingerprint login in GNOME stopped working for me, both on the lock screen and in GDM. It constantly fails with an error after successfully recognizing my fingerprint. However, fingerprint authentication still works with sudo and pop-up administrator prompts in GNOME.

After some digging, I found it to be caused by an incorrect config in /etc/pam.d/fingerprint-auth which is generated by authselect. Changing the line "auth required pam_fprintd.so" to "auth sufficient pam_fprintd.so" fixed the fingerprint login issue. 

This was not an issue in F33, as shown in the F33 config I pasted at the bottom.

Version-Release number of selected component (if applicable):
authselect-1.2.2-6.fc34.x86_64
pam-1.5.1-3.fc34.x86_64

How reproducible:
Every time on my setup

Steps to Reproduce:
1. Regenerate authselect config for fingerprint auth:
sudo authselect select --force sssd
sudo authselect enable-feature with-fingerprint
2. Check /etc/pam.d/fingerprint-auth for the line "auth required pam_fprintd.so"
3. Lock the screen and attempt to unlock with fingerprint
4. Fingerprint authentication will fail
5. Replace "auth required pam_fprintd.so" with "auth sufficient pam_fprintd.so" in /etc/pam.d/fingerprint-auth
6. Fingerprint authentication will succeed

Actual results:
Fingerprint login fails

Expected results:
Fingerprint login succeeds

Additional info:

/etc/pam.d/fingerprint-auth on Fedora 34:

# Generated by authselect on Fri Mar 26 09:41:24 2021
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_fprintd.so
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so



/etc/pam.d/fingerprint-auth on Fedora 33:

# Generated by authselect on Mon Mar  8 20:00:25 2021
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        sufficient                                   pam_fprintd.so
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so
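
Added example (not part of the original report, and not authselect or Linux-PAM code): a simplified evaluator for the simple PAM control flags, run over the two "auth" stacks pasted above, showing why "required" followed by pam_deny.so can never succeed while "sufficient" ends the stack before pam_deny.so runs. The names parse_stack and evaluate and the per-module outcomes are assumptions made for illustration; bracketed controls are not handled.

```python
# Added example: simplified Linux-PAM stack evaluation (simple control flags only).
F34_AUTH = """
auth        required                                     pam_env.so
auth        required                                     pam_fprintd.so
auth        required                                     pam_deny.so
"""
F33_AUTH = """
auth        required                                     pam_env.so
auth        sufficient                                   pam_fprintd.so
auth        required                                     pam_deny.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if fields[0].lstrip("-") != facility:
            continue
        if fields[1].startswith("["):
            raise ValueError("bracketed controls are outside this sketch")
        stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, outcome):
    """outcome maps module -> True/False (assumed results). Returns (ok, invoked)."""
    required_failed, any_success, invoked = False, False, []
    for control, module in stack:
        invoked.append(module)
        ok = outcome[module]
        if control in ("required", "requisite"):
            if ok:
                any_success = True
            else:
                required_failed = True
                if control == "requisite":
                    break  # requisite: stop at the first failure
        elif control == "sufficient" and ok and not required_failed:
            return True, invoked  # success ends the stack; later modules never run
        # a failed "sufficient" or any "optional" result does not change the verdict here
    return any_success and not required_failed, invoked

if __name__ == "__main__":
    # Assumed outcomes: fingerprint matched; pam_deny.so always fails by design.
    matched = {"pam_env.so": True, "pam_fprintd.so": True, "pam_deny.so": False}
    for name, text in (("F34", F34_AUTH), ("F33", F33_AUTH)):
        print(name, evaluate(parse_stack(text), matched))
```

With the F34 file the stack always reaches pam_deny.so, so the verdict is a failure even after a successful fingerprint match; with the F33 file a match returns success immediately and pam_deny.so is only reached when the fingerprint does not match.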

Comment 1 Pavel Březina 2021-03-31 12:06:31 UTC
Benjamin, I believe this is fixed by https://src.fedoraproject.org/rpms/authselect/pull-request/10 right?

Comment 2 Benjamin Berg 2021-03-31 12:10:11 UTC
Yep, that is the exact issue that the pull request is fixing.

Comment 3 Fedora Update System 2021-03-31 13:04:20 UTC
FEDORA-2021-e3ec8618e9 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e3ec8618e9

Comment 4 Fedora Update System 2021-04-01 02:04:17 UTC
FEDORA-2021-e3ec8618e9 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e3ec8618e9`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e3ec8618e9

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2021-04-05 00:17:12 UTC
FEDORA-2021-e3ec8618e9 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.