Is there a way to ignore pam_fprintd.so if no fingerprints are defined (only password)?
My attempt was:
auth [default=1 success=ignore] pam_exec.so debug /bin/test -d "/var/lib/fprint/$(/usr/bin/printenv PAM_USER)"
auth required pam_fprintd.so timeout=10
Explanation:
- fprintd-enroll saves its prints to /var/lib/fprint/{USERNAME}/...
- if this folder exists, I assume that some prints are enrolled (other solutions are welcome)
- if no folder exists (=no prints), pam should ignore the next line (default=1)
My use case:
I deploy Arch installations without fingerprints. Therefore the users log in with password only and should then enroll their fingerprints. After enrollment the login should only work with password AND fingerprint. Therefore 'required' and not 'sufficient' in the pam config.
Have you tried instead checking for authinfo_unavail and treating that as ignore? https://gitlab.freedesktop.org/libfprin … ntd.c#L355
pam_fprintd.so however also returns PAM_AUTHINFO_UNAVAIL for many other error cases.
That was my thought too. But as you noticed, this error is returned in many other cases. So I don't know if I can trust it or if it just opens up a security hole. For example, destroy the sensor, which then possibly generates this error and thus allows access with the password only. What do you think?
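An added example, not part of the thread: pam_exec.so runs its command directly rather than through a shell, so the `$(...)` in the attempted line is never expanded, but pam_exec does export the user name as the PAM_USER environment variable, which a small helper can read. The script path in the comment, the FPRINT_DIR override and the assumption that /var/lib/fprint is writable only by root are assumptions, not taken from the posts.

```shell
#!/bin/sh
# Helper for pam_exec.so (added example). Intended PAM lines, with a
# hypothetical install path for this script:
#   auth [default=1 success=ignore] pam_exec.so /usr/local/sbin/fprint-required
#   auth required                   pam_fprintd.so timeout=10
# Exit 0 -> the next line (pam_fprintd.so) is evaluated.
# Exit 1 -> the next line is skipped (password only).

# The thread gives /var/lib/fprint as the store; the override exists for testing.
# Assumption: only root can create or remove entries below this directory.
FPRINT_DIR="${FPRINT_DIR:-/var/lib/fprint}"

# Return 0 when the fingerprint step must be demanded, 1 when it may be skipped.
fingerprint_required() {
    user="$1"
    # Fail closed: an empty or path-like name must never skip the fingerprint step.
    case "$user" in
        ''|.|..|*/*) return 0 ;;
    esac
    dir="$FPRINT_DIR/$user"
    # No directory for this user: nothing was ever enrolled.
    [ -d "$dir" ] || return 1
    # A leftover empty directory does not count; require at least one stored file.
    [ -n "$(find "$dir" -type f 2>/dev/null | head -n 1)" ]
}

# pam_exec sets PAM_USER. If it is missing, the script falls through with
# status 0, so the fingerprint step stays required.
if [ -n "${PAM_USER:-}" ]; then
    fingerprint_required "$PAM_USER"
    exit $?
fi
```

Because the decision is made from the enrollment store and not from PAM_AUTHINFO_UNAVAIL, a missing or broken sensor still fails the required pam_fprintd.so line for a user who has enrolled prints.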