https://bugs.kde.org/show_bug.cgi?id=521188
Bug ID: 521188
Summary: Fingerprint hint remains visible on lock screen after pam_fprintd max-tries
Classification: Plasma
Product: plasmashell
Version First Reported In: 6.6.4
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: Screen locking
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: 1.0
SUMMARY
The lock screen continues to show the fingerprint hint ("or scan your
fingerprint on the reader") after pam_fprintd has exhausted its max-tries limit
and stopped listening for further fingerprint scans. This is misleading because
the UI still suggests that fingerprint authentication is active, while touching
the sensor no longer produces any response.
STEPS TO REPRODUCE
1. Have at least one fingerprint enrolled.
2. Have the kde-fingerprint PAM service configured to use pam_fprintd.
3. Lock the screen.
4. Trigger fingerprint verification failures until pam_fprintd reaches its
max-tries limit. The default appears to be 3.
5. Observe that fprintd releases the device and no further VerifyStart call is
made.
6. Look at the fingerprint hint on the lock screen.
OBSERVED RESULT
The fingerprint hint remains visible indefinitely, even though fingerprint
verification is no longer active for the current authentication attempt.
Touching the fingerprint reader produces no response.
EXPECTED RESULT
Once pam_fprintd gives up because max-tries has been reached, the fingerprint
hint should disappear or change to a message such as "Fingerprint
authentication is no longer active; please use your password."
NOTES / POSSIBLE CAUSE
From reading the lock screen QML, my best guess is that the hint visibility is
currently based on whether the fingerprint authentication type is available,
rather than whether it is currently active.
In plasma-desktop's lockscreen/MainBlock.qml, FailableLabel appears to use
something like:
```
visible: authenticator.authenticatorTypes & kind
```
If this reflects only the availability of an authentication method, the
Fingerprint bit remains set as long as a fingerprint device is
present/enrolled, even after pam_fprintd has returned after max-tries. As a
result, the QML has no state that tells it to hide or update the fingerprint
hint for the current authentication attempt.
SUGGESTED FIX
Expose a separate state from the Authenticator class for authentication methods
that are currently active in the current authentication attempt, for example
activeAuthenticatorTypes or an equivalent per-kind state. FailableLabel.visible
could then use that active state rather than the availability state.
Alternatively, expose a per-kind "exhausted" or "unavailable for current
attempt" state so the label can show a clearer message instead of disappearing
silently.
SOFTWARE/OS VERSIONS
Operating System: NixOS unstable
KDE Plasma Version: 6.6.4
kscreenlocker: 6.6.4
fprintd: 1.94.5
pam_fprintd: from fprintd 1.94.5
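
Added example, not part of the original report and not kscreenlocker code: a small C++ model of the availability-versus-activity distinction described under NOTES and SUGGESTED FIX. The class, its method names and the re-arm on a new attempt are assumptions; `authenticatorTypes`, `activeAuthenticatorTypes` and the max-tries value of 3 come from the report.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical model for illustration; not kscreenlocker's real Authenticator class.
enum AuthType : std::uint8_t { Interactive = 1 << 0, Fingerprint = 1 << 1 };

class AuthenticatorModel {
public:
    AuthenticatorModel(std::uint8_t available, int fingerprintMaxTries)
        : m_available(available), m_active(available), m_maxTries(fingerprintMaxTries) {}

    // Assumption: a new authentication attempt re-arms every available method.
    void startAttempt() { m_active = m_available; m_failures = 0; }

    // One failed scan. At max-tries the fingerprint method stops listening.
    void fingerprintFailed() {
        if (!(m_active & Fingerprint)) return; // already gave up; sensor is ignored
        if (++m_failures >= m_maxTries)
            m_active = static_cast<std::uint8_t>(m_active & ~Fingerprint);
    }

    std::uint8_t authenticatorTypes() const { return m_available; }    // enrolled/present
    std::uint8_t activeAuthenticatorTypes() const { return m_active; } // still listening
    bool exhausted(AuthType kind) const { return (m_available & kind) && !(m_active & kind); }

private:
    std::uint8_t m_available;
    std::uint8_t m_active;
    int m_maxTries;
    int m_failures = 0;
};

// Binding quoted in the report: visible while the method is merely available.
bool hintVisibleByAvailability(const AuthenticatorModel &a, AuthType kind) {
    return (a.authenticatorTypes() & kind) != 0;
}

// Binding suggested in the report: visible only while the method is active.
bool hintVisibleByActivity(const AuthenticatorModel &a, AuthType kind) {
    return (a.activeAuthenticatorTypes() & kind) != 0;
}

int main() {
    AuthenticatorModel auth(Interactive | Fingerprint, 3); // 3 = default per the report
    for (int i = 0; i < 3; ++i) auth.fingerprintFailed();
    std::printf("availability binding: %d, activity binding: %d, exhausted: %d\n",
                hintVisibleByAvailability(auth, Fingerprint),
                hintVisibleByActivity(auth, Fingerprint), auth.exhausted(Fingerprint));
    return 0;
}
```

The `exhausted()` query corresponds to the alternative in the report: it lets the label switch to a "use your password" message instead of disappearing.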