Hi, if the home directory needs to be decrypted during login then we really need a password for authentication, etc. And, that means that fingerprint login must not be used (if we are authenticating to log in the user).
I have not looked at pam_systemd_home.so more closely. But, if we need the user's password, we need to either immediately return PAM_AUTHINFO_UNAVAIL (GDM) or skip fingerprint auth (TTY).

My thinking is that we can easily add an option to pam_systemd_home.so so that it returns an error condition telling us whether an authentication token is needed or if a specific type of authentication is acceptable (e.g. smartcard/fingerprint). This would allow us to either jump over the pam_fprintd.so module or create rules to immediately error out.

Does anyone know what is already possible, or is there someone willing to add the required feature to implement it?

Benjamin