Hi,

On Tue, 2021-03-02 at 15:31 +0100, Hans de Goede wrote:
> On 3/1/21 9:15 PM, Ray Strode wrote:
> 
> [...]
> > > Any debugging options which I can enable somewhere to show the
> > > pam_fprintd error ?
> > you can put "debug" on the ends of the lines that say
> > pam_fprintd.so
> > in /etc/pam.d/fingerprint-auth
> > that should make the journal more chatty.
> 
> Ah, I think now we are getting somewhere. I have a script which I run to
> tweak new / upgraded installs to lower the amount of services which are
> running by default (mostly because of the 1G/2G RAM x86 Windows tablets
> which I try to support as a side project). This script contains the following:
> 
> sudo authselect select minimal
> sudo authselect apply-changes
> 
> Which results in the following /etc/pam.d/fingerprint-auth file:
> 
> [hans@x1 linux]$ sudo cat /etc/pam.d/fingerprint-auth 
> # Generated by authselect on Tue Mar  2 15:24:53 2021
> # Do not modify this file manually.

So, an empty file means that we will hit the /etc/pam.d/other fallback,
which does "auth required pam_deny.so". This means, the GDM stack that
includes it using "substack" will fail with PAM_AUTH_ERR.

This does not seem very helpful. For GDM, it would make more sense to
return an error code that allows us to know that it isn't a normal
authentication failure. If we instead change it so that the file is not
empty, but rather contains:

auth required  pam_debug.so auth=authinfo_unavail

Then everything would work as expected. Plus, we may be able to drop
the requirement to update the GDM configuration in the long term.

Pavel, would it be possible to make this (or a similar) change in
authselect, so that the stack returns a saner error when it is empty?

Benjamin

PS: Thanks to Ray and Marco for the IRC discussions to figure this out
more.
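
An added example, not part of the original message and not authselect or GDM code: a small audit that lists included PAM files contributing no rules for a given type, which is the empty fingerprint-auth case described above, and shows the finding clearing once the proposed pam_debug.so line is present. The service name "gdm-example" and the file contents are constructed for illustration; the script only inspects file text and does not call PAM.

```python
import re

TYPES = ("auth", "account", "password", "session")

def parse_rules(text):
    """Return (type, control, target) tuples from the text of a pam.d file."""
    rules = []
    text = text.replace("\\\n", " ")            # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m and m.group(1) in TYPES:
            rules.append(m.groups())
    return rules

def expand(service, mtype, files, seen=()):
    """Module rules for one type after following include/substack lines."""
    chain, out = seen + (service,), []
    for t, control, target in parse_rules(files.get(service, "")):
        if t != mtype:
            continue
        if control in ("include", "substack"):
            if target not in chain:             # guard against include loops
                out += expand(target, mtype, files, chain)
        else:
            out.append((service, control, target))
    return out

def empty_includes(service, mtype, files):
    """Files pulled in by `service` that contribute no rules of type mtype."""
    return [target for t, control, target in parse_rules(files.get(service, ""))
            if t == mtype and control in ("include", "substack")
            and not expand(target, mtype, files, (service,))]

# Constructed sample input; "gdm-example" is a hypothetical including service.
HEADER = "# Generated by authselect\n# Do not modify this file manually.\n"
BEFORE = {"gdm-example": "auth substack fingerprint-auth\n",
          "fingerprint-auth": HEADER}
AFTER = dict(BEFORE, **{"fingerprint-auth":
             HEADER + "auth required  pam_debug.so auth=authinfo_unavail\n"})

if __name__ == "__main__":
    for name, files in (("before", BEFORE), ("after", AFTER)):
        print(name, "empty auth includes:",
              empty_includes("gdm-example", "auth", files))
```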
