For some operations, i.e. listing the enrolled prints, the device
does not need to be claimed. Therefore the claiming can be delayed
until we actually start the verification process, allowing us to
query the fingerprint system if the user has any prints enrolled.
https://bugs.freedesktop.org/show_bug.cgi?id=99811
This commit makes pam_fprintd return PAM_UNKNOWN_USER when
the user has not enrolled a fingerprint.
This lets the administrator set up pam_fprintd as a required
authentication method, but only for users that have enrolled a
fingerprint, as such:
    auth [success=ok user_unknown=ignore default=die] pam_fprintd.so max_tries=1 timeout=-1
    auth [success=1 default=ignore] pam_unix.so nullok_secure
    auth requisite pam_deny.so
With this config, users w/o an enrolled fingerprint will just be
asked for a password. Users with an enrolled fingerprint will be
required to log in using both their fingerprint and a password.
https://bugs.freedesktop.org/show_bug.cgi?id=64781
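How the stack in the commit message above resolves for enrolled and unenrolled users, as an added example (not code from fprintd or Linux-PAM). It is a simplified model of Linux-PAM's dispatch of ok/ignore/die/jump actions; the module return codes passed in are constructed inputs, and the trailing pam_permit line is an assumption that is not on the page.

```python
# Added example: simplified model of how Linux-PAM walks an auth stack.
# The return codes fed to pam_fprintd / pam_unix are constructed inputs.
REQUIRED = {"success": "ok", "default": "bad"}
REQUISITE = {"success": "ok", "default": "die"}

STACK = [
    ("pam_fprintd", {"success": "ok", "user_unknown": "ignore", "default": "die"}),
    ("pam_unix", {"success": 1, "default": "ignore"}),
    ("pam_deny", REQUISITE),
    # Assumption, not on the page: a trailing pam_permit (as in Debian's
    # common-auth) records success after a jump, which records nothing itself.
    ("pam_permit", REQUIRED),
]
FIXED = {"pam_deny": "auth_err", "pam_permit": "success"}


def authenticate(fprintd, unix):
    """Return (granted, modules_called) for the given module return codes."""
    results = dict(FIXED, pam_fprintd=fprintd, pam_unix=unix)
    impression, called, i = None, [], 0   # None = no module has voted yet
    while i < len(STACK):
        name, control = STACK[i]
        called.append(name)
        action = control.get(results[name], control["default"])
        i += 1
        if isinstance(action, int):       # jump: skip N modules, no vote
            i += action
        elif action == "ok":
            if impression is None:        # a recorded failure is never undone
                impression = True
        elif action in ("bad", "die"):
            impression = False
            if action == "die":           # stop walking the stack at once
                break
        # "ignore": the module's result does not influence the outcome
    return impression is True, called


if __name__ == "__main__":
    cases = {
        "no prints, good password": ("user_unknown", "success"),
        "no prints, bad password": ("user_unknown", "auth_err"),
        "prints, finger ok, good password": ("success", "success"),
        "prints, finger ok, bad password": ("success", "auth_err"),
        "prints, finger rejected": ("auth_err", "success"),
    }
    for label, codes in cases.items():
        print(f"{label:35} -> {authenticate(*codes)}")
```

The last case shows why default=die matters on the pam_fprintd line: a rejected fingerprint ends the stack before pam_unix is ever called.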
pam_fprintd is very careful to use its own main loop context (as it
should) to prevent getting in the way of the gnome-screensaver.
Unfortunately, there's a small bug in its logic where it ends up
removing a random file descriptor from the default context. In the
bug report that file descriptor is really important. It's what
tells gnome-screensaver when to drop the dialog.
The patch is as simple as:
- g_source_remove (timeout_id);
+ g_source_destroy (source);
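Review bot: on the added g_source_destroy (source) line, destroying a GSource only detaches it from its context and does not release the caller's reference, so if source came from g_timeout_source_new() and has not been unreffed after g_source_attach(), add g_source_unref (source) here or the timeout source leaks on every call. If timeout_id is no longer read after this change, drop the variable and the assignment from g_source_attach() so the default-context ID cannot be reused by mistake.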
(g_source_remove always operates on the default context)
https://bugzilla.redhat.com/show_bug.cgi?id=614573
Pretty hacky way to detect whether the device we're handling has
been disconnected during a verify or enrollment. This should allow
us to avoid users having to wait when somebody pulls the plug.
On Mon, 2009-01-12 at 12:18 +0000, Konstantin V. Gavrilenko wrote:
> Hi Bastien,
>
> by default the fprintd installs the pam_fprintd into the /usr/lib64/security, while Gentoo searches them in /lib/security.
> So I simply symlinked it to the correct location /usr/lib64/security/pam_fprintd.so to /lib/security/pam_fprintd.so
> I've removed the symlink, and copied the file, but it does not change anything, the same error appears.
>
> As you asked, recompiled some of the packages with "-O1 -gddb" and "nostrip" options.
> #4 0x00007fa3344a3899 in dbus_connection_unref (connection=0x624e20) at dbus-connection.c:2686
> __FUNCTION__ = "dbus_connection_unref"
> #5 0x00007fa334915284 in pam_sm_authenticate (pamh=0x6105c0, flags=<value optimized out>, argc=<value optimized out>, argv=<value optimized out>) at pam_fprintd.c:375
> rhost = 0x0
> username = 0x610740 "root"
> i = <value optimized out>
> r = 0
Could you please test the attached patch?
Cheers
- Use D-Bus native properties instead of a GetProperties call.
- Fix a number of front-ends by registering the right signals and
marshallers following the "done" signal argument addition
- Fix VerifyStart call in the pam module
1) Set up our own D-Bus (private) connection
2) Set up our own main loop and main loop context
This means we finally work right within gnome-screensaver!