https://bugs.kde.org/show_bug.cgi?id=483130

Charitakis Yannis <kde-yan...@ych.gr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kde-yan...@ych.gr

--- Comment #1 from Charitakis Yannis <kde-yan...@ych.gr> ---
Hello all,

After installing and configuring the fingerprint sensor, I had the same issue
as above.
But I think I have found a workaround.

Please note however that I am far from an expert and I may be wrong.

I am on EndeavourOS using KDE Plasma 6.0.2, linux 6.6.22-1-lts on a ThinkPad
X270.

Based on man pam_fprintd:
```
LIMITATIONS
The PAM stack is by design a serialised authentication, so it is not possible
for pam_fprintd to allow authentication through passwords and
fingerprints at the same time. It is up to the application using the PAM
services to implement separate PAM processes and run separate authentication
stacks separately. This is the way multiple authentication methods are made
available to users of gdm for example.
```
Since kscreenlocker does permit both password and fingerprint at the same time,
I believe this is what it does.
That is, it uses two separate PAM processes:
One, let's call it password PAM process, is using the /etc/pam.d/kde
configuration.
The other, let's call it fingerprint PAM process, using the
/etc/pam.d/kde-fingerprint configuration.

kscreenlocker will unlock if any of the two above PAM processes succeeds.
The other however will fail. 

When using the password PAM process, a successful login will clear the previous
faillock incidents.
This is what happens, as seen by observing the contents of the original
/etc/pam.d/kde.

The fingerprint PAM process though, differs.
Unfortunately I didn't keep the original /etc/pam.d/kde-fingerprint, but the
updated one seems to work correctly:

```
[root@gordon pam.d]# cat kde-fingerprint
#%PAM-1.0

auth       required                    pam_shells.so
auth       requisite                   pam_nologin.so
auth       requisite                   pam_faillock.so      preauth   # <--- I think I added this line
-auth      required                    pam_fprintd.so
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc  # <--- I think I added this line

account    requisite                   pam_faillock.so      preauth   # <--- Surely added this line
account    include                     system-local-login
account    required                    pam_faillock.so      authsucc  # <--- Surely added this line

password   required                    pam_deny.so

session    include                     system-local-login
[root@gordon pam.d]#
```

The above change was based on the following note from pam_faillock:
[...] Due to complications in the way the PAM stack can be configured it is
also possible to call pam_faillock as an account module. In such configuration
the module must be also called in the preauth stage.[...]

Using the above configuration and unlocking multiple times using the
fingerprint works ok.
Still though, there is a single faillock incident after each try, but they do
not accumulate.
Faillock is being reset by the fingerprint PAM process and just after reset the
password PAM process registers a failed incident.

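An added example, not part of the comment above or of KDE's code: a small Python check for a PAM service file such as /etc/pam.d/kde-fingerprint that reports whether the file itself contains a pam_faillock call that clears failure records on success, following the pam_faillock note quoted in the comment. The function names and the `BEFORE` sample are assumptions made for illustration; files pulled in with `include` are listed rather than followed.

```python
import re

# The kde-fingerprint file from the comment above (wrapped comment lines joined).
AFTER = """#%PAM-1.0
auth       required    pam_shells.so
auth       requisite   pam_nologin.so
auth       requisite   pam_faillock.so  preauth   # <--- I think I added this line
-auth      required    pam_fprintd.so
auth       optional    pam_permit.so
auth       required    pam_env.so
auth       required    pam_faillock.so  authsucc  # <--- I think I added this line
account    requisite   pam_faillock.so  preauth
account    include     system-local-login
account    required    pam_faillock.so  authsucc
password   required    pam_deny.so
session    include     system-local-login
"""
# Constructed stand-in for the lost original: the same file minus pam_faillock.
BEFORE = "".join(l for l in AFTER.splitlines(True) if "pam_faillock" not in l)

RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text):
    """Yield (type, control, module, args) for each rule in a PAM service file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' comments run to end of line
        m = RULE.match(line)
        if m:   # a leading '-' on the type (as in '-auth') is accepted and dropped
            typ, control, module, args = m.groups()
            yield typ, control, module.rsplit("/", 1)[-1], args.split()

def check_faillock_reset(text):
    """Return (findings, includes); included files are not followed, so list them."""
    rules = list(parse_pam(text))
    fl = [(t, a) for t, _, m, a in rules if m == "pam_faillock.so"]
    preauth = any(t == "auth" and "preauth" in a for t, a in fl)
    authsucc = any(t == "auth" and "authsucc" in a for t, a in fl)
    as_account = any(t == "account" for t, _ in fl)
    findings = []
    if not (authsucc or as_account):
        findings.append("no pam_faillock authsucc or account call in this file")
    if as_account and not preauth:
        findings.append("pam_faillock is an account module but auth has no preauth call")
    includes = sorted({m for t, c, m, _ in rules
                       if c in ("include", "substack") and t in ("auth", "account")})
    return findings, includes

if __name__ == "__main__":
    print(check_faillock_reset(BEFORE), check_faillock_reset(AFTER))
```

A finding on a file that also lists includes is only conclusive once the included files have been checked the same way.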