Description of problem: When the fingerprint reader is enabled in authconfig, it adds pam_fprintd.so to /etc/pam.d/system-auth as a mandatory component to all login actions (except for those specified separately by GDM). It's impossible to SSH or telnet into the machine with a password, because there is no way to signal the fingerprint reader to skip input and move to the next item in the PAM stack. Furthermore, even if you remotely log in using kerberos or public key methods, you still cannot use sudo, because it will still require physical access to the fingerprint scanner. Version-Release number of selected component (if applicable): fprintd-0.1-9.git04fd09cfa.fc11.x86_64 authconfig-5.4.10-1.fc11.x86_64 How reproducible: Every time Steps to Reproduce: 1. Enable fingerprint scanner in authconfig 2. Attempt to log into the box using SSH with password (not kerberos or public key) 3. Actual results: Prompted to swipe your finger, which is impossible remotely. No option to skip the fingerprint scanner. Expected results: There should be an option to skip the scan and continue to other portions of the PAM stack, or ideally to skip prompting for the scan entirely when it is impossible. Additional info: Tested on a Lenovo Thinkpad T61 with Bus 003 Device 003: ID 0483:2016 SGS Thomson Microelectronics Fingerprint Reader
That's what this bit of code is supposed to avoid: pam_get_item(pamh, PAM_RHOST, (const void **)(const void*) &rhost); if (rhost != NULL && strlen(rhost) > 0) { /* remote login (e.g. over SSH) */ return PAM_AUTHINFO_UNAVAIL; } You're going to have to add debug to the pam_fprintd plugin, and see why it thinks the rhost is empty.
Sorry, changing the topic and summary. I found the bug that was preventing it from detecting the remote host, so SSH and telnet now works. The problem of trying to use sudo from a remote login shell remains, however. Steps to reproduce: 1. Enable fingerprint scanner in authconfig 2. Log in remotely using SSH/telnet to a user with sudo privileges. 3. Attempt to perform a sudo action. Actual results: Prompted to swipe finger. Expected results: Skip the fingerprint step.
(In reply to comment #2) > Sorry, changing the topic and summary. I found the bug that was preventing it > from detecting the remote host, so SSH and telnet now works. What was it? > The problem of > trying to use sudo from a remote login shell remains, however. > > Steps to reproduce: > 1. Enable fingerprint scanner in authconfig > 2. Log in remotely using SSH/telnet to a user with sudo privileges. > 3. Attempt to perform a sudo action. > > Actual results: > Prompted to swipe finger. > > Expected results: > Skip the fingerprint step.
Sorry, I should have specified that it was a bug in my own configuration, not in fprintd. It's not relevant any longer. On the other hand, the sudo issue is still relevant.
The pam_fprintd could possibly look at PAM_SERVICE item and return PAM_AUTHINFO_UNAVAIL for su, sudo, or runuser.
This message is a reminder that Fedora 11 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 11. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '11'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 11's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 11 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.
the sudo issue still exists in Fedora 22.