Bug 1943406 - authselect generates bad pam config for fingerprint-auth
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: authselect
Version: 34
Hardware: x86_64
OS: Linux
Assignee: Pavel Březina
QA Contact: Fedora Extras Quality Assurance
Reported: 2021-03-26 02:01 UTC by Connor Lim
Modified: 2021-04-05 00:17 UTC

Fixed In Version: authselect-1.2.3-1.fc34
Last Closed: 2021-04-05 00:17:12 UTC
Type: Bug

Description Connor Lim 2021-03-26 02:01:32 UTC
Description of problem:
After upgrading from F33 to F34, fingerprint login in GNOME stopped working for me, both on the lock screen and in GDM. It constantly fails with an error after successfully recognizing my fingerprint. However, fingerprint authentication still works with sudo and pop-up administrator prompts in GNOME.

After some digging, I found it to be caused by an incorrect config in /etc/pam.d/fingerprint-auth which is generated by authselect. Changing the line "auth required pam_fprintd.so" to "auth sufficient pam_fprintd.so" fixed the fingerprint login issue. 

This was not an issue in F33, as shown in the F33 config I pasted at the bottom.

Version-Release number of selected component (if applicable):
authselect-1.2.2-6.fc34.x86_64
pam-1.5.1-3.fc34.x86_64

How reproducible:
Every time on my setup

Steps to Reproduce:
1. Regenerate authselect config for fingerprint auth:
sudo authselect select --force sssd
sudo authselect enable-feature with-fingerprint
2. Check /etc/pam.d/fingerprint-auth for the line "auth required pam_fprintd.so"
3. Lock the screen and attempt to unlock with fingerprint
4. Fingerprint authentication will fail
5. Replace "auth required pam_fprintd.so" with "auth sufficient pam_fprintd.so" in /etc/pam.d/fingerprint-auth
6. Fingerprint authentication will succeed

Actual results:
Fingerprint login fails

Expected results:
Fingerprint login succeeds

Additional info:

/etc/pam.d/fingerprint-auth on Fedora 34:

# Generated by authselect on Fri Mar 26 09:41:24 2021
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_fprintd.so
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so



/etc/pam.d/fingerprint-auth on Fedora 33:

# Generated by authselect on Mon Mar  8 20:00:25 2021
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        sufficient                                   pam_fprintd.so
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so
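
Added example (not part of the bug report and not authselect or libpam code): a simplified Python model of how the keyword controls described in pam.conf(5) are evaluated, run against the auth lines of the two files quoted above. It shows why a matched fingerprint still ends in failure when pam_fprintd.so is `required` ahead of pam_deny.so; the module outcomes passed in are assumed values.

```python
# Auth lines copied from the two fingerprint-auth files quoted in the report.
F34_AUTH = """\
auth  required    pam_env.so
auth  required    pam_fprintd.so
auth  required    pam_deny.so
"""
F33_AUTH = """\
auth  required    pam_env.so
auth  sufficient  pam_fprintd.so
auth  required    pam_deny.so
"""

def parse_auth(text):
    """Return [(control, module)] for the auth lines of a PAM service file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """Simplified model of the keyword controls from pam.conf(5).

    results maps module name -> True (PAM_SUCCESS) or False (any failure).
    Bracketed [value=action] controls are not modelled.
    """
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = results[module]
        if control == "requisite" and not ok:
            return False                      # fail immediately
        if control == "sufficient":
            if ok and not required_failed:
                return True                   # stop here, later modules never run
            continue                          # a sufficient failure is ignored
        if control in ("required", "requisite"):
            any_success = any_success or ok
            required_failed = required_failed or not ok
        elif control != "optional":
            raise ValueError(f"unsupported control: {control}")
    return any_success and not required_failed

# Assumed module outcomes: pam_env succeeds, pam_deny always fails.
MATCHED = {"pam_env.so": True, "pam_fprintd.so": True, "pam_deny.so": False}
NO_MATCH = {**MATCHED, "pam_fprintd.so": False}

if __name__ == "__main__":
    for name, text in (("F34", F34_AUTH), ("F33", F33_AUTH)):
        stack = parse_auth(text)
        print(name, "matched:", evaluate(stack, MATCHED),
              "no match:", evaluate(stack, NO_MATCH))
```

In both versions a finger that does not match is rejected, because pam_deny.so remains the fall-through; the `sufficient` control only lets a successful match return before pam_deny.so is reached.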

Comment 1 Pavel Březina 2021-03-31 12:06:31 UTC
Benjamin, I believe this is fixed by https://src.fedoraproject.org/rpms/authselect/pull-request/10 right?

Comment 2 Benjamin Berg 2021-03-31 12:10:11 UTC
Yep, that is the exact issue that the pull request is fixing.

Comment 3 Fedora Update System 2021-03-31 13:04:20 UTC
FEDORA-2021-e3ec8618e9 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e3ec8618e9

Comment 4 Fedora Update System 2021-04-01 02:04:17 UTC
FEDORA-2021-e3ec8618e9 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e3ec8618e9`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e3ec8618e9

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2021-04-05 00:17:12 UTC
FEDORA-2021-e3ec8618e9 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

