Hide Forgot
+++ This bug was initially created as a clone of Bug #1169988 +++ This problem still exists exactly as described in Fedora 21. I will try to test with Fedora 24 once it's GA. Description of problem: When a user with a registered fingerprint attempts to use sudo, it prompts for the user to swipe their fingerprint. To instead use a password, the user must wait 30 seconds for the fallback to password authentication. This differs from gdm behaviour, where fingerprint and password are accepted in parallel, authenticating with whichever is received. The fingerprint timeout wait does not respond to ^C, like a password prompt does. Attempting to bypass the prompt with <ENTER> also does not work. However, after the fingerprint timeout, that <ENTER> keystroke is used as a password attempt, thus causing a failed password attempt, starting a new authentication attempt and another 30 second wait for a fingerprint. User input is not masked while waiting for the fingerprint timeout to occur, so user entry is echoed to the terminal. If the user types their password into sudo without noticing the "fingerprint" instead of a "password" message, their password is echoed to the terminal. That password will actually authenticate once the fingerprint timeout expires (as above with <ENTER>, input is passed to the password prompt). Additionally, I use my laptop while docked, and Fedora generally handles everything (monitor, etc) correctly. However, the built-in fingerprint reader is inaccessible when the lid is closed. gdm handles this situation fine, as it accepts password or fingerprint in parallel. However, sudo still waits for input from my inaccessible fingerprint reader. Version-Release number of selected component (if applicable): $ yum list installed \*fprint\* sudo Installed Packages fprintd.x86_64 0.5.1-3.fc21 installed fprintd-pam.x86_64 0.5.1-3.fc21 installed libfprint.x86_64 0.5.1-4.fc21 installed sudo.x86_64 1.8.8-7.fc21 installed How reproducible: Every time sudo requires authentication. Steps to Reproduce: 1. Have a fingerprint registered 2. $ sudo date 3. Don't use fingerprint for authentication Actual results: * Wait 30 seconds for password fallback * Wait 30 seconds for fingerprint, even if reader is inaccessible (Lid closed) * Input during 30 second timeout not masked * Input during 30 second timeout not cleared from buffer before accepting password Expected results: * Accept fingerprint OR password in parallel (like GDM) OR * Allow fingerprint wait message to be bypassed with CTRL-C * Clear input buffer before accepting a password Additional info: --- Additional comment from Fedora End Of Life on 2015-11-04 09:48:41 EST --- This message is a reminder that Fedora 21 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '21'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 21 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. --- Additional comment from Fedora End Of Life on 2015-12-02 00:24:28 EST --- Fedora 21 changed to end-of-life (EOL) status on 2015-12-01. Fedora 21 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Version information for F23: fprintd-0.6.0-3.fc23.x86_64 sudo-1.8.15-1.fc23.x86_64
I did some research about our problem and it looks like sudos behavior is correct. fprintd-pam does not handle any signal and it does not have any possible option to close fingerprint auth asynchronously so from sudos point of view there is nothing to do. Modifying sudo to do two auths simultaneously is nearly impossible. These features you were talking about are new and not implemented in fprintd-pam. So I'm switching this bug to fprintd.
Nothing to do with fprintd, this is a problem with PAM itself. GDM works around PAM's "one conversation at a time" by running multiple PAM conversations simultaneously. Consider this an RFE for sudo. Otherwise close the bug, it's impossible to fix with PAM.
This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
So this bug still exists and is a pain. (In reply to Bastien Nocera from comment #3) > Nothing to do with fprintd, this is a problem with PAM itself. GDM works > around PAM's "one conversation at a time" by running multiple PAM > conversations simultaneously. > > Consider this an RFE for sudo. Otherwise close the bug, it's impossible to > fix with PAM. As described in the bug's description, another resolution is for PAM to cancel the fingerprint auth using Ctrl-C. This is impossible currently, Ctrl-C is blocked, and you have to wait 60 seconds until you get the "enter password" prompt.
Can confirm Fedora 27 still affected by this bug
Ok, (In reply to sheepdestroyer from comment #7) > Can confirm Fedora 27 still affected by this bug Ok, setting concerned fields appropriately.
Oh ,sorry, seeing only now that you have already made a new clone, linking and closing this again. *** This bug has been marked as a duplicate of bug 1540454 ***