Bug 506058

Summary: Enabling fingerprint reader prevents remote sudo access
Product: [Fedora] Fedora Reporter: Stephen Gallagher <sgallagh>
Component: fprintdAssignee: Bastien Nocera <bnocera>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 11CC: bnocera, linuxaudio, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-06-28 13:01:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stephen Gallagher 2009-06-15 12:38:59 UTC 
Description of problem:
When the fingerprint reader is enabled in authconfig, it adds pam_fprintd.so to /etc/pam.d/system-auth as a mandatory component to all login actions (except for those specified separately by GDM).

It's impossible to SSH or telnet into the machine with a password, because there is no way to signal the fingerprint reader to skip input and move to the next item in the PAM stack. Furthermore, even if you remotely log in using kerberos or public key methods, you still cannot use sudo, because it will still require physical access to the fingerprint scanner.

Version-Release number of selected component (if applicable):
fprintd-0.1-9.git04fd09cfa.fc11.x86_64
authconfig-5.4.10-1.fc11.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Enable fingerprint scanner in authconfig
2. Attempt to log into the box using SSH with password (not kerberos or public key)
3. 
  
Actual results:
Prompted to swipe your finger, which is impossible remotely. No option to skip the fingerprint scanner.

Expected results:
There should be an option to skip the scan and continue to other portions of the PAM stack, or ideally to skip prompting for the scan entirely when it is impossible.

Additional info:
Tested on a Lenovo Thinkpad T61 with
Bus 003 Device 003: ID 0483:2016 SGS Thomson Microelectronics Fingerprint Reader
Comment 1 Bastien Nocera 2009-06-15 13:02:56 UTC 
That's what this bit of code is supposed to avoid:
        pam_get_item(pamh, PAM_RHOST, (const void **)(const void*) &rhost);
        if (rhost != NULL && strlen(rhost) > 0) {
                /* remote login (e.g. over SSH) */
                return PAM_AUTHINFO_UNAVAIL;
        }

You're going to have to add debug to the pam_fprintd plugin, and see why it thinks the rhost is empty.
Comment 2 Stephen Gallagher 2009-06-15 13:15:50 UTC 
Sorry, changing the topic and summary. I found the bug that was preventing it from detecting the remote host, so SSH and telnet now works. The problem of trying to use sudo from a remote login shell remains, however.

Steps to reproduce:
1. Enable fingerprint scanner in authconfig
2. Log in remotely using SSH/telnet to a user with sudo privileges.
3. Attempt to perform a sudo action.

Actual results:
Prompted to swipe finger.

Expected results:
Skip the fingerprint step.
Comment 3 Bastien Nocera 2009-06-17 14:39:37 UTC 
(In reply to comment #2)
> Sorry, changing the topic and summary. I found the bug that was preventing it
> from detecting the remote host, so SSH and telnet now works.

What was it?
> The problem of
> trying to use sudo from a remote login shell remains, however.
> 
> Steps to reproduce:
> 1. Enable fingerprint scanner in authconfig
> 2. Log in remotely using SSH/telnet to a user with sudo privileges.
> 3. Attempt to perform a sudo action.
> 
> Actual results:
> Prompted to swipe finger.
> 
> Expected results:
> Skip the fingerprint step.
Comment 4 Stephen Gallagher 2009-06-17 14:44:52 UTC 
Sorry, I should have specified that it was a bug in my own configuration, not in fprintd. It's not relevant any longer.

On the other hand, the sudo issue is still relevant.
Comment 5 Tomas Mraz 2009-06-17 14:48:50 UTC 
The pam_fprintd could possibly look at PAM_SERVICE item and return PAM_AUTHINFO_UNAVAIL for su, sudo, or runuser.
Comment 6 Bug Zapper 2010-04-27 14:56:22 UTC 
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Bug Zapper 2010-06-28 13:01:47 UTC 
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 8 Felix Homann 2015-09-10 13:42:37 UTC 
the sudo issue still exists in Fedora 22.