Open giorgiopiatti opened 3 years ago
@mvollmer can you please take a look?
1. Enable fingerprint auth
How do you do that exactly?
Oct 03 21:44:42 carbon cockpit-bridge[14282]: /usr/bin/sudo: incorrect protocol: received invalid length prefix
This means something unexpected has been inserted into stdout of sudo.
1. Enable fingerprint auth
How do you do that exactly?
I could reproduce this bug with a laptop that has a fingerprint reader. I used GNOME Settings to add a fingerprint to my account on that laptop, and after that, Cockpit can't successfully run sudo anymore, with exactly the errors and journal entries that you report above.
I think there are two problems:
Sudo asks for a fingerprint even for remote sessions, such as when logging in via SSH. I don't think it should do that since all you can do is wait for the timeout to happen (or hope that someone accidentally swipes their finger on the other end).
Cockpit trips over some unexpected output. Even if sudo asks for a fingerprint, it should be possible to wait for the timeout and then input the password.
I'll investigate both a bit, with priority on the latter.
Sudo asks for a fingerprint even for remote sessions, such as when logging in via SSH.
https://bugs.launchpad.net/ubuntu/+source/libfprint/+bug/776779, open since 2011...
- Cockpit trips over some unexpected output.
This is actually the expected "Swipe your finger across the fingerprint reader" message and the "Verification timed out" error, which I would expected to have gone to stderr.... hmm. But we are getting closer.
This is actually the expected "Swipe your finger across the fingerprint reader" message and the "Verification timed out" error, which I would expected to have gone to stderr....
Ok, sudo normally writes PAM messages to /dev/tty, but if it doesn't have a controlling terminal, it writes to stdout.
One option is for Cockpit to just ignore junk that comes before the first protocol message. Another is to give sudo a controlling tty.
@mvollmer any update on this with regards of https://github.com/cockpit-project/cockpit/pull/15293 ?
Cockpit version: 228 OS: Fedora 32
Hello
When I enable the option to authenticated by fingerprint in the OS I cannot anymore elevate my access to administrative mode. Steps to reproduce the issue:
Following the above steps, I get "protocol-error".
If I disable instead the fingerprint authentication, and by following the same steps as above I can successfully authenticate by providing my user password.