Hello,
I am experiencing an issue with greetd and tuigreet when integrating Fprintd into PAM that results in the ability to log in without the correct password or fingerprint.
I would like to assume that the likely issue is user configuration (my mistake), but I can't see it yet, and want to open this discussion in case it could be a problem.
I have tried attaching a public key, and making this plain text, but I don't have experience communicating through mailing lists, so I apologize if there are problems with the email. I can fix any problems as I learn to communicate this way.
Best,
Stephen
> I am experiencing an issue with greetd and tuigreet when integrating Fprintd into PAM that results in the ability to log in without the correct password or fingerprint.
>
> I would like to assume that the likely issue is user configuration (my mistake), but I can't see it yet, and want to open this discussion in case it could be a problem.
In the config you shared on IRC, both pam_unix.so and pam_fprintd.so
were set to `sufficient`, which means that PAM stops immediately on
success, but ignores failure.
You probably want something like the following, which should jump across
the fprintd module if unix succeeds but ignores failure and moves on to
fprintd, which then interrupts everything on failure.

    auth requisite pam_nologin.so
    auth [success=1 default=ignore] pam_unix.so try_first_pass nullok
    auth [success=ok default=die] pam_fprintd.so
    auth required pam_env.so

Untested. See `man 5 pam.conf` for more information.
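
The control-flag behaviour discussed in this thread, as an added example that is not part of either message: a simplified Python model of how Linux-PAM walks an auth stack, run against a stack with both modules set to `sufficient` and against the suggested one. Module results are simulated, and the `WEAK` stack is constructed (only its two `sufficient` lines are described in the thread; the `pam_nologin.so` and `pam_env.so` lines are assumed from the suggested config).

```python
# Added example: simplified model of how Linux-PAM walks an auth stack
# (control semantics from pam.conf(5)). Module results are simulated.

# Keyword controls as (action on PAM_SUCCESS, action on any other result).
KEYWORDS = {
    "requisite":  ("ok", "die"),
    "required":   ("ok", "bad"),
    "sufficient": ("done", "ignore"),
}

def authenticate(stack, results):
    """stack: [(control, module)], control is a keyword or an
    (on_success, default) pair; an int action jumps over N modules.
    results: {module: True if it returns PAM_SUCCESS}."""
    verdict = None                      # None: no module has voted yet
    i = 0
    while i < len(stack):
        control, module = stack[i]
        on_success, default = KEYWORDS.get(control, control)
        passed = results[module]
        action = on_success if passed else default
        i += 1
        if isinstance(action, int):     # jump: no vote, skip N modules
            i += action
        elif action in ("ok", "done"):
            if verdict is not False:    # never overrides an earlier failure
                verdict = passed
            if action == "done" and verdict:
                break
        elif action in ("bad", "die"):
            verdict = False
            if action == "die":
                break
        # "ignore": result does not count
    return verdict is True              # a stack with no votes is denied

# Constructed stack: only the two `sufficient` lines are described in the
# thread; pam_nologin.so and pam_env.so are assumed from the suggested config.
WEAK = [("requisite", "pam_nologin.so"), ("sufficient", "pam_unix.so"),
        ("sufficient", "pam_fprintd.so"), ("required", "pam_env.so")]
# The stack suggested in the reply, in bracket notation.
FIXED = [("requisite", "pam_nologin.so"), ((1, "ignore"), "pam_unix.so"),
         (("ok", "die"), "pam_fprintd.so"), ("required", "pam_env.so")]

def login(stack, password_ok, finger_ok):
    return authenticate(stack, {"pam_nologin.so": True, "pam_env.so": True,
                                "pam_unix.so": password_ok,
                                "pam_fprintd.so": finger_ok})
```

In the `WEAK` stack both failures are ignored, so the verdict is left to the modules that always succeed; in the `FIXED` stack a failed fingerprint after a failed password ends the stack with a denial.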