search

NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License
18.31k stars 14.28k forks source link

SDDM doesn't work with fingerprint login (fprintd) #239770

Open haizaar opened 1 year ago

haizaar commented 1 year ago

Describe the bug

SDDM doesn't work with fingerprint login - the whole thing appears to be "stuck". Arch wiki says it should work.

The same setup works fine if I use GDM instead.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Add the following to configuration.nix 
    services.fprintd.enable = true;
services.fprintd.tod.enable = true;
services.fprintd.tod.driver = pkgs.libfprint-2-tod1-vfs0090;
services.xserver.displayManager.sddm.enable = true;
services.xserver.displayManager.defaultSession = "plasmawayland";
services.xserver.desktopManager.plasma5.enable = true;
  2. nixos-rebuild boot
  3. reboot

Expected behavior

On the login page, both password and fingerprint login will work. Instead neither work - if I use password login, the UI prompt gets disabled and never returns. plain your problem.

Additional context

Here are the relevant entries from journalctl

Jun 26 00:32:19 asgard sddm-greeter[1293]: Reading from "/nix/store/xkiir7rycm17fkj2hp3sx92j0n1mfiq6-desktops/share/wayland-sessions/plasmawayland.desktop"
Jun 26 00:32:19 asgard sddm[1245]: Message received from greeter: Login
Jun 26 00:32:19 asgard sddm[1245]: Reading from "/nix/store/xkiir7rycm17fkj2hp3sx92j0n1mfiq6-desktops/share/wayland-sessions/plasmawayland.desktop"
Jun 26 00:32:19 asgard sddm[1245]: Reading from "/nix/store/xkiir7rycm17fkj2hp3sx92j0n1mfiq6-desktops/share/wayland-sessions/plasmawayland.desktop"
Jun 26 00:32:19 asgard sddm[1245]: Session "/nix/store/xkiir7rycm17fkj2hp3sx92j0n1mfiq6-desktops/share/wayland-sessions/plasmawayland.desktop" selected, command: "/nix/store/vwbf3kwaxkbzf0symrmazfvz9yxjz3ca-plasma-workspace-5.27.6/libexec/plasma-dbus-run-session-if-needed /nix/sto
re/vwbf3kwaxkbzf0symrmazfvz9yxjz3ca-plasma-workspace-5.27.6/bin/startplasma-wayland"
Jun 26 00:32:19 asgard sddm-helper[1652]: [PAM] Starting...
Jun 26 00:32:19 asgard sddm-helper[1652]: [PAM] Authenticating...
Jun 26 00:32:19 asgard dbus-daemon[914]: [system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service' requested by ':1.26' (uid=0 pid=1652 comm="/nix/store/24d11zm9h7vdz8w0hpqyw63np0k0qbs8-sddm-0" label="kernel")
Jun 26 00:32:19 asgard systemd[1]: Starting Fingerprint Authentication Daemon...
Jun 26 00:32:19 asgard kernel: usb 3-3: reset full-speed USB device number 2 using xhci_hcd
Jun 26 00:32:19 asgard dbus-daemon[914]: [system] Successfully activated service 'net.reactivated.Fprint'
Jun 26 00:32:19 asgard systemd[1]: Started Fingerprint Authentication Daemon.
Jun 26 00:32:19 asgard kernel: usb 3-3: reset full-speed USB device number 2 using xhci_hcd
Jun 26 00:32:20 asgard sddm-helper[1652]: [PAM] Preparing to converse...
Jun 26 00:32:20 asgard sddm-helper[1652]: [PAM] Conversation with 1 messages
Jun 26 00:32:20 asgard sddm[1245]: Authentication information: "Place your finger on the fingerprint reader"
Jun 26 00:32:24 asgard .xdg-desktop-po[1296]: Failed to create settings proxy: Error calling StartServiceByName for org.freedesktop.impl.portal.desktop.kde: Timeout was reached
Jun 26 00:32:24 asgard .xdg-desktop-po[1296]: No skeleton to export
Jun 26 00:32:27 asgard systemd[1]: systemd-hostnamed.service: Deactivated successfully.
Jun 26 00:32:30 asgard systemd-timesyncd[868]: Contacted time server 159.196.3.239:123 (2.nixos.pool.ntp.org).
Jun 26 00:32:30 asgard systemd-timesyncd[868]: Initial clock synchronization to Mon 2023-06-26 00:32:29.934841 AEST.
Jun 26 00:32:49 asgard .xdg-desktop-po[1296]: Failed to create file chooser proxy: Error calling StartServiceByName for org.freedesktop.impl.portal.desktop.kde: Timeout was reached
Jun 26 00:32:49 asgard .xdg-desktop-po[1296]: No skeleton to export
Jun 26 00:32:50 asgard sddm-helper[1652]: [PAM] Preparing to converse...
Jun 26 00:32:50 asgard sddm-helper[1652]: [PAM] Conversation with 1 messages
Jun 26 00:32:50 asgard sddm[1245]: Authentication information: "Verification timed out"

The full boot log is here

Notify maintainers

@abbradar @ttuegel

Metadata

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.35, NixOS, 23.05 (Stoat), 23.05.1310.33223d479ff`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.13.3`
 - channels(root): `"home-manager-23.05.tar.gz, nixos-23.05"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
haizaar commented 1 year ago

Otherwise it will be great is someone can suggest how to override PAM configuration for SDDM to exclude the fingerprint (On the initial login I still prefer to use password to unlock the kwallet)

haizaar commented 1 year ago

Eventually I've used the following to reset SDDM config to pre-fingerprint state (note the mkForce):

  security.pam.services.sddm.text = pkgs.lib.mkForce ''
    # Account management.
    account required pam_unix.so

    # Authentication management.
    auth optional pam_unix.so nullok  likeauth
    auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
    auth sufficient pam_unix.so nullok  likeauth try_first_pass
    auth required pam_deny.so

    # Password management.
    password sufficient pam_unix.so nullok yescrypt

    # Session management.
    session required pam_env.so conffile=/etc/pam/environment readenv=0
    session required pam_unix.so
    session required pam_loginuid.so
    session required ${pkgs.pam}/lib/security/pam_lastlog.so silent
    session optional ${config.systemd.package}/lib/security/pam_systemd.so
    session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
  '';
digitalnotions commented 1 year ago

The fingerprint login is working fine for me. Did you enroll fingerprints using fprintd-enroll?

My issue is that while fingerprint login works fine, if I try to use the password there's a very long delay. I believe this is due to a delay in a timeout of the fingerprint and then it accepts the password.

My hypothesis is that the first couple of lines need to be reversed in many of the auth files. For example in /etc/pam.d/kde, I currently have:

# Account management.
account required pam_unix.so

# Authentication management.
auth sufficient /nix/store/d438ss528yz53y28kf1s2apm49irwjh7-fprintd-1.94.2/lib/security/pam_fprintd.so
auth sufficient pam_unix.so nullok  likeauth try_first_pass

I believe that under the # Authentication management section, those lines should be reversed such that the pam_unix.so line is above the pam_fprintd.so line.

The same holds true for /etc/pam.d/login where the pam_fprintd.so is above the pam_unix.so.

haizaar commented 1 year ago

Are you on 23.05 or unstable? - sddm 0.20 has been recently merged into unstable and is substantially different. Fingerprints work fine on my system for VT login, sudo, screen-unlock, 1password, etc. but when pam_fdpring.so is enabled for sddm then I can not login through it using either way.

haizaar commented 1 year ago

It's not a major issue (except for the time it took to hack it) since kdewallet doesn't support fingerprint unlock anyway and hence I need to type my password on login anyways.

digitalnotions commented 1 year ago

@haizaar - I'm on unstable. I am now having issues were I cannot use the password if I want to - which is really annoying when my laptop is docked and I don't want to open the lid.

I think I'm going to disable now too since, as you mentioned, I have to type in my password for kdewallet anyway.

nbdd0121 commented 11 months ago

I also ran into this issue recently, and my workaround is to have

security.pam.services.login.fprintAuth = false;

This disables fingerprint login, but keeps fingerprint unlock.

lordkekz commented 11 months ago

I'm also using this workaround, but I noticed that when you keep fingerprint unlock enabled, it has the same issue with waiting 30 seconds if you only type the password. I also disable the fingerprint unlock by adding: (I'm on KDE Plasma 5.27.10)

security.pam.services.kde.fprintAuth = false;

Note that I can still use fingerprints for the rest of the pam services, like sudo.

pantsman0 commented 10 months ago

@haizaar I don't know if you're still having trouble with this but I have some insight. My sddm login does the same thing and give the same message in the log: Jun 26 00:32:20 asgard sddm[1245]: Authentication information: "Place your finger on the fingerprint reader"

fprintd login is working, but the sddm bug is that it doesn't show the pam message. If the login in hanging after you put in your password, just use your fingerprint. It is waiting, it just isn't telling you.