From 9ec1747b84256751f60b997fad8cee2332de1dd1 Mon Sep 17 00:00:00 2001 From: Benjamin Berg Date: Tue, 29 Jun 2021 20:27:35 +0200 Subject: [PATCH] Revert "pam_fprintd: Just return a PAM_AUTH_ERROR on unknown errors" This reverts commit ecf6b7c323fd5dd419f869c278e14f48f90e9952. The idea of the commit was to make device failures less fatal to the system. Unfortunately, we can fail quickly in this case, and returning PAM_AUTH_ERR means that the user might run into a retry limit due to this. Go back to reporting PAM_AUTHINFO_UNAVAIL, it appears as the lesser evil right now. Ideally we want to a way to tell the upper stack to retry authentication whenever there is a good opportunity, but to not consider it as an authentication failure.
---
 pam/pam_fprintd.c | 2 +-
 tests/pam/test_pam_fprintd.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pam/pam_fprintd.c b/pam/pam_fprintd.c
index c7bb617..58d15d7 100644
--- a/pam/pam_fprintd.c
+++ b/pam/pam_fprintd.c
@@ -565,7 +565,7 @@ do_verify (sd_bus *bus,
 }
 else if (str_equal (data->result, "verify-unknown-error"))
 {
- return PAM_AUTH_ERR;
+ return PAM_AUTHINFO_UNAVAIL;
 }
 else if (str_equal (data->result, "verify-disconnected"))
 {
diff --git a/tests/pam/test_pam_fprintd.py b/tests/pam/test_pam_fprintd.py
index a874b64..be66818 100644
--- a/tests/pam/test_pam_fprintd.py
+++ b/tests/pam/test_pam_fprintd.py
@@ -97,7 +97,7 @@ class TestPamFprintd(dbusmock.DBusTestCase):
 ]
 self.device_mock.SetVerifyScript(script)
- tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rv=PAM_AUTH_ERR)
+ tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rv=PAM_AUTHINFO_UNAVAIL)
 res = pypamtest.run_pamtest("toto", "fprintd-pam-test", [tc], [ 'unused' ])
 self.assertRegex(res.info[0], r'Swipe your left little finger across the fingerprint reader')
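Review bot: The `return PAM_AUTHINFO_UNAVAIL;` in the `verify-unknown-error` branch of pam/pam_fprintd.c carries no comment, although this mapping has now been changed and reverted and the reasoning is recorded only in the commit message. I would add above it: `/* Device or daemon failure, not a rejected finger: report AUTHINFO_UNAVAIL so it is not counted as a failed attempt against retry limits. */`. Whether the stack then falls through to another module or fails depends on the control flag the service configuration gives pam_fprintd, which is worth stating in the module documentation if it is not already. do_verify's body starts and ends outside the hunk, and the expectation change in tests/pam/test_pam_fprintd.py only mirrors this return code.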