mirror of
https://gitlab.com/mishakmak/pam-fprint-grosshack.git
synced 2026-04-08 20:03:34 +02:00
This commit makes pam_fprintd return PAM_UNKNOWN_USER when the user has not enrolled a fingerprint.

This lets the administrator set up pam_fprintd as a required authentication method, but only for users that have enrolled a fingerprint, as such:

    auth [success=ok user_unknown=ignore default=die] pam_fprintd.so max_tries=1 timeout=-1
    auth [success=1 default=ignore] pam_unix.so nullok_secure
    auth requisite pam_deny.so

With this config, users w/o an enrolled fingerprint will just be asked for a password. Users with an enrolled fingerprint will be required to log in using both their fingerprint and a password.

https://bugs.freedesktop.org/show_bug.cgi?id=64781

PAM module for fingerprint authentication
-----------------------------------------

Using:
* Modify the appropriate PAM configuration file
  (/etc/pam.d/system-auth-ac on Fedora systems), and add the line:
      auth sufficient pam_fprintd.so
  before the line:
      auth sufficient pam_unix.so ...
* You can now enroll fingerprints using fprintd-enroll. The first
  available fingerprint will be used to log you in.

Options:
* You can add the "debug" option to the PAM configuration file line
  above. This will log more information from PAM to the file specified
  in your syslog configuration (/var/log/secure by default on Fedora).

Known issues:
* pam_fprintd does not support identifying the user itself, as that
  would mean having the fingerprint reader on for the whole time the
  user selection is displayed, and could damage the hardware. It could
  be fixed by having gdm/login only start the PAM conversation when
  there is activity.
* pam_fprintd doesn't support entering either the password or a
  fingerprint, as pam_thinkfinger does, because it's a gross hack, and
  could be fixed by having the login managers run 2 separate PAM stacks.
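
The stack from the commit message can be traced with a small, simplified model of Linux-PAM's control evaluation (ok / ignore / bad / die / jump). This is an added example, not code from pam_fprintd or its authors; the trailing `auth required pam_permit.so` line, the helper names and the module return values are assumptions made for illustration.

```python
import re

# Commit-message stack plus an ASSUMED trailing pam_permit.so (a jump sets no verdict).
COMMIT_LINES = """\
auth [success=ok user_unknown=ignore default=die] pam_fprintd.so max_tries=1 timeout=-1
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
"""
STACK = COMMIT_LINES + "auth required pam_permit.so\n"

# Keyword controls written in bracket form, per pam.conf(5).
_KW = "success=ok new_authtok_reqd=ok ignore=ignore default="
ALIASES = {"requisite": _KW + "die", "required": _KW + "bad"}

def parse(stack):
    rules = []
    for line in stack.splitlines():
        control, module = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        control = ALIASES.get(control, control.strip("[]"))
        rules.append((module, dict(kv.split("=") for kv in control.split())))
    return rules

def evaluate(rules, results):
    """Simplified Linux-PAM dispatch: returns (stack status, modules that ran)."""
    impression, status, skip, ran = None, "perm_denied", 0, []
    for module, actions in rules:
        if skip:
            skip -= 1
            continue
        ret = results[module]
        ran.append(module)
        action = actions.get(ret, actions["default"])
        if action.isdigit():
            skip = int(action)  # jump over N modules, verdict unchanged
        elif action == "ok":
            if impression is None or (impression and status == "success"):
                impression, status = True, ret
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, ret
            if action == "die":
                break  # stop the stack immediately
    return status, ran

def login(enrolled, finger_ok, password_ok, stack=STACK):
    # Constructed module results; real modules can return other codes too.
    fp = ("success" if finger_ok else "auth_err") if enrolled else "user_unknown"
    results = {"pam_fprintd.so": fp, "pam_unix.so": "success" if password_ok else "auth_err",
               "pam_deny.so": "auth_err", "pam_permit.so": "success"}
    return evaluate(parse(stack), results)
```

For an enrolled user a failed fingerprint hits `default=die`, so pam_unix.so never runs and there is no password fallback. Without the assumed pam_permit.so line, the password-only path ends with no module having set a success verdict.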