elementary / greeter

Login and Lock Screen greeter for elementary OS and Pantheon, using LightDM
GNU General Public License v3.0

Allow fingerprint login together with password login #502

Open vjr opened 3 years ago

vjr commented 3 years ago

Problem

Currently, if fingerprint login is enabled by installing the fprintd package and editing the /etc/pam.d/lightdm file to add the line auth sufficient pam_fprintd.so, then the greeter does not allow you to log in by entering your password until the fingerprint module times out.

Proposal

Allow users to log in via fingerprint swipe or by entering their password, whichever one is correctly attempted first.

Prior Art

The stock Ubuntu Focal 20.04 GDM login screen lets you log in using either fingerprint or entering a password; one does not block the other.

agrawalsourav98 commented 2 years ago

For me if I type in the password it freezes and the only option that remains is restarting lightdm. This means I lose all the windows and progress.

casasfernando commented 1 year ago

Having the same issue on elementary OS 6.1 fully updated. This is indeed an extremely annoying bug.

vjr commented 11 months ago

Revisiting this issue, it seems you need to properly configure your pam modules.

My /etc/pam.d/common-auth looks like this at the top and it appears to be working:

auth    [success=2 default=ignore]  pam_fprintd.so max-tries=1 timeout=10 nullok # debug
auth    [success=1 default=ignore]  pam_unix.so nullok try_first_pass

casasfernando commented 11 months ago

I'm not sure this will solve the behavior mentioned in https://github.com/elementary/greeter/issues/502#issuecomment-1027732726, which I'm also suffering from. This is how my /etc/pam.d/common-auth has looked for a long time now, as I'm also using howdy ("face ID"):

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    [success=3 default=ignore]      pam_python.so /lib/security/howdy/pam.py
auth    [success=2 default=ignore]  pam_fprintd.so max-tries=1 timeout=10 # debug
auth    [success=1 default=ignore]  pam_unix.so nullok try_first_pass
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional            pam_cap.so 
# end of pam-auth-update config

And while it generally works, if I type my password while face auth or fingerprint auth is ongoing, the greeter will stop working and I will have to gracefully reboot the system (the shutdown button in the greeter still works) killing my running session. On the other hand if I wait for face auth to timeout and then use fingerprint auth or wait for that also to timeout and then I enter my password, everything works as expected. All in all it seems that while one auth method is ongoing, none of the others can be tried/used or the greeter will break.

PS: this is still the case with elementary OS 7.

PS2: @vjr I'm not sure using nullok in the fingerprint auth line makes sense, since this is to allow empty/blank passwords according to pam's manual page.
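As an added illustration (not code from this thread or from the greeter project): a simplified Python model of how PAM walks the [success=N default=ignore] stack quoted above, trying modules strictly in order, plus a check that every success jump lands just past pam_deny.so. The sample stack is constructed from the lines in the comment; only success=N jumps, pam_deny.so and pam_permit.so are modelled, and the function names are hypothetical.

```python
import re

# Constructed sample: the "Primary" block of the common-auth stack quoted above.
SAMPLE = """\
auth [success=3 default=ignore] pam_python.so /lib/security/howdy/pam.py
auth [success=2 default=ignore] pam_fprintd.so max-tries=1 timeout=10
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text):
    """Return [(control, module)] for each non-comment auth line."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            stack.append((m.group(1), m.group(2)))
    return stack

def success_jump(control):
    """Number of modules skipped on success, or None for keyword controls."""
    m = re.search(r"success=(\d+)", control)
    return int(m.group(1)) if m else None

def check_jumps(stack):
    """Flag success=N jumps that do not land just past pam_deny.so."""
    deny = [i for i, (_, mod) in enumerate(stack) if mod == "pam_deny.so"]
    problems = []
    for i, (control, mod) in enumerate(stack):
        n = success_jump(control)
        target = i + 1 + (n or 0)        # index of the module that runs next
        if n is not None and (not deny or target != deny[0] + 1):
            problems.append((mod, n, target))
    return problems

def authenticate(stack, results):
    """Walk the stack in order; results maps module name -> success."""
    i, order = 0, []
    while i < len(stack):
        control, mod = stack[i]
        order.append(mod)
        if mod == "pam_deny.so":
            return False, order          # requisite failure ends the stack
        n = success_jump(control)
        i += 1 + (n if n is not None and results.get(mod) else 0)
    return True, order
```

In this model pam_unix.so is only consulted after pam_python.so and pam_fprintd.so have each returned, and a hand-edited success count that is off by one sends a successful module straight into pam_deny.so.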

vjr commented 11 months ago

Can you try adding "nullok" to your howdy entry too?

Perhaps these changes can be made only to the lightdm auth file and not the common auth so it works only for the greeter and doesn't interfere with console sudo etc?

casasfernando commented 11 months ago

@vjr I tried adding nullok to both lines (howdy and fprintd) but it doesn’t help. If I enter my password before fingerprint auth times out the password field is greyed out but login doesn’t happen and I need to reboot to be able to login again.

vjr commented 11 months ago

@casasfernando btw I tried the latest howdy off the GitHub sources (v3.0.0 beta) and it's been reworked to include a proper PAM module itself (pam_howdy.so) which runs the python code and it appears to be working well for me! I have a Logitech BRIO IR-capable cam attached to my desktop PC.

I have noticed the login works only upon initial bootup (greeter startup) and if you log out or lock the screen it does NOT log back in again unless you scroll the user cards. I added a temporary second user to my computer to test this.

Seems there's a call to LightDM.Greeter.authenticate () when the switch_to_card () method is called I guess, so if I can figure out a small patch to the greeter to work properly that would be cool.