
Is there a way to make PAM run authentication modules in parallel?

For all people who use PAM this may be useful.

It seems that PAM runs authentication modules in sequence, each one blocking.

What that means for people who would like to use multiple authentication mechanisms is that we have to have a hierarchy of methods that isn't obstructive.

The issue that I'm trying to solve is this: GNOME Keyring requires a password to unlock, but I also have pam_fprintd active, and I am playing around with the face recognition camera.

That means that when I log in for the first time, first pam_fprintd blocks, then face recognition blocks, and only then can I type in my password.

That happens with sudo as well, which is a major PITA.

  • I have the same question. It feels wrong to wait for the fingerprint reader to time out before `sudo` asks for a password. But imagine if they ran in parallel. The terminal would be waiting for your password when the fingerprint reader finishes. There's no way to tell the keyboard to stop because the fingerprint auth passed. I think the proper solution will be either [1] use a different PAM sequence for each type of operation (login vs ssh vs sudo vs screen unlock) or [2] one authentication GUI program that can handle all three methods and completes when the first one passes. – Alan Porter Oct 25 '20 at 00:55
  • @AlanPorter In a desktop environment, look at the unfrustrating macOS or Windows. The fingerprint PAM module is only useful in a desktop environment. It seems that CLI-based auth is complicated even for Apple; they don't allow fingerprint auth. – Aleksandr Panzin Jul 06 '22 at 19:20

2 Answers

1

Facing the same problem, I think it is not solvable with PAM alone. From the manual page of pam_fprintd.so (man pam_fprintd):

LIMITATIONS

The PAM stack is by design a serialised authentication, so it is not possible for pam_fprintd to allow authentication through passwords and fingerprints at the same time.

It is up to the application using the PAM services to implement separate PAM processes and run separate authentication stacks separately. This is the way multiple authentication methods are made available to users of gdm for example.

The GNOME display manager (gdm3), which for example allows password and fingerprint entry in parallel (requiring only one of them, not both), implements multiple auth stacks in parallel on its own.

I also found a GitHub issue in the linux-pam repository where there was a discussion spanning two years about whether PAM should support this and whether any RFCs argue for or against it, but in the end it seems that the devs didn't pick it up.

In the end this makes this answer a no-answer (unfortunately) until linux-pam or a third party implements some generic extension to PAM that allows multiple authentication modules to run in parallel.

cyberbrain
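To make the man page's "serialised authentication" concrete, here is an added example (not code from the question, this answer, linux-pam or gdm): a toy Python model of how libpam walks one auth stack with the simple pam.conf(5) control flags (required/requisite/sufficient/optional), next to the gdm-style workaround of running one stack per method and taking the first success. pam_fprintd and pam_unix are simulated by timed fake modules; the delays, the `SUDO_STACK` layout and the thread-based runner are assumptions for illustration only. One caveat the toy hides: libpam has no API to cancel a pam_authenticate(3) call that is blocked inside a module, so a fake module here polls an abort flag that a real module does not have, which is why gdm runs each stack in its own worker process and kills the losers rather than using threads.

```python
import threading
import time

# Added example, not real PAM code: pam_fprintd and pam_unix are simulated.

def run_stack(stack, modules, trace=None):
    """Walk one auth stack the way libpam does: entries run strictly one
    after another, each module call blocking until that module returns.
    `stack` is a list of (control, module_name) pairs."""
    required_failure = None
    for control, name in stack:
        ok = modules[name]()                 # blocks; the next entry waits
        if trace is not None:
            trace.append((name, ok))
        if control == "requisite" and not ok:
            return False                     # stop the walk immediately
        if control == "required" and not ok and required_failure is None:
            required_failure = name          # remember, but keep walking
        if control == "sufficient" and ok and required_failure is None:
            return True                      # early success, rest skipped
        # "optional": result ignored while other modules are in the stack
    return required_failure is None

def simulated_module(result, seconds, abort=None):
    """Build a fake module that takes `seconds` to answer.  It polls `abort`
    so the parallel runner below can cancel it; a real module blocked in
    pam_authenticate(3) offers no such hook (assumption of this toy)."""
    def module():
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            if abort is not None and abort.is_set():
                return False                 # give up: another stack won
            time.sleep(0.005)
        return result
    return module

# Constructed stack resembling a /etc/pam.d/sudo with fprintd enabled.
SUDO_STACK = [
    ("sufficient", "pam_fprintd"),   # prompts for a finger until timeout
    ("required", "pam_unix"),        # password prompt only after that
]
FPRINTD_TIMEOUT = 0.4   # stands in for pam_fprintd's timeout (30 s by default)
PASSWORD_TIME = 0.05    # time the user needs to type a password, in this model

def serial_demo():
    """One stack, as sudo uses it: fingerprint times out, then the password
    is asked.  Returns (success, module order, seconds elapsed)."""
    modules = {
        "pam_fprintd": simulated_module(False, FPRINTD_TIMEOUT),
        "pam_unix": simulated_module(True, PASSWORD_TIME),
    }
    trace = []
    start = time.monotonic()
    ok = run_stack(SUDO_STACK, modules, trace)
    return ok, [name for name, _ in trace], time.monotonic() - start

def run_stacks_in_parallel(named_stacks, abort):
    """gdm-style workaround: one stack per method in its own worker; the
    first success wins and the rest are told to stop via `abort`.
    `named_stacks` maps a label to (stack, modules).  Returns the winning
    label, or None if every stack failed."""
    winner = []
    lock = threading.Lock()

    def worker(label, stack, modules):
        if run_stack(stack, modules):
            with lock:
                if not winner:
                    winner.append(label)
            abort.set()

    threads = [threading.Thread(target=worker, args=(label, stack, modules))
               for label, (stack, modules) in named_stacks.items()]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return winner[0] if winner else None

def parallel_demo():
    """Two one-entry stacks raced against each other.
    Returns (winning label, seconds elapsed)."""
    abort = threading.Event()
    stacks = {
        "fingerprint": ([("required", "pam_fprintd")],
                        {"pam_fprintd": simulated_module(False, FPRINTD_TIMEOUT, abort)}),
        "password": ([("required", "pam_unix")],
                     {"pam_unix": simulated_module(True, PASSWORD_TIME, abort)}),
    }
    start = time.monotonic()
    winner = run_stacks_in_parallel(stacks, abort)
    return winner, time.monotonic() - start
```

Calling `serial_demo()` shows the sudo experience from the question: `pam_unix` is not even invoked until the fingerprint module has timed out, so the elapsed time is the fingerprint timeout plus the password entry. `parallel_demo()` finishes as soon as the password stack succeeds, because the two stacks never share a walk; that is the property gdm gets from separate stacks and that a single PAM stack cannot provide.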
0

If you're using fprint version 1.92 or greater, you can press Ctrl+C to stop trying to use the fingerprint and switch to authentication via password; see the commit that implemented this.

Jason Axelson