Description of problem: After upgrading from F33 to F34, fingerprint login in GNOME stopped working for me, both on the lock screen and in GDM. It constantly fails with an error after successfully recognizing my fingerprint. However fingerprint authentication still works with sudo and pop-up administrator prompts in GNOME. After some digging, I found it to be caused by an incorrect config in /etc/pam.d/fingerprint-auth which is generated by authselect. Changing the line "auth required pam_fprintd.so" to "auth sufficient pam_fprintd.so" fixed the fingerprint login issue. This was not an issue in F33, as shown in the F33 config I pasted at the bottom. Version-Release number of selected component (if applicable): authselect-1.2.2-6.fc34.x86_64 pam-1.5.1-3.fc34.x86_64 How reproducible: Every time on my setup Steps to Reproduce: 1. Regenerate authselect config for fingerprint auth: sudo authselect select --force sssd sudo authselect enable-feature with-fingerprint 2. Check /etc/pam.d/fingerprint-auth for the line "auth required pam_fprintd.so" 3. Lock the screen and attempt to unlock with fingerprint 4. Fingerprint authentication will fail 5. Replace "auth required pam_fprintd.so" with "auth sufficient pam_fprintd.so" in /etc/pam.d/fingerprint-auth 6. Fingerprint authentication will succeed Actual results: Fingerprint login fails Expected results: Fingerprint login succeeds Additional info: /etc/pam.d/fingerprint-auth on Fedora 34: # Generated by authselect on Fri Mar 26 09:41:24 2021 # Do not modify this file manually. auth required pam_env.so auth required pam_fprintd.so auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_usertype.so issystem account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so /etc/pam.d/fingerprint-auth on Fedora 33: # Generated by authselect on Mon Mar 8 20:00:25 2021 # Do not modify this file manually. auth required pam_env.so auth sufficient pam_fprintd.so auth required pam_deny.so account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_usertype.so issystem account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so
Benjamin, I believe this is fixed by https://src.fedoraproject.org/rpms/authselect/pull-request/10 right?
Yep, that is the exact issue that the pull request is fixing.
FEDORA-2021-e3ec8618e9 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e3ec8618e9
FEDORA-2021-e3ec8618e9 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e3ec8618e9` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e3ec8618e9 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-e3ec8618e9 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.