~kennylevinsen/greetd-devel

Greetd and tuigreet Password and Fingerprint Bypass when Leveraging Fprintd in PAM

Hello,

I am experiencing an issue with greetd and tuigreet when integrating Fprintd into PAM that results in the ability to login without the correct password or fingerprint. 

I would like to assume that the likely issue is user configuration (my mistake), but I can't see it yet, and want to open this discussion in case it could be a problem. 

I have tried attaching a public key, and making this plain text, but I don't have experience communicating through mailing lists, so I apologize if there are problems with the email. I can fix any problems as I learn to communicate this way.

Best, 
Stephen
> I am experiencing an issue with greetd and tuigreet when integrating Fprintd into PAM that results in the ability to login without the correct password or fingerprint.
>
> I would like to assume that the likely issue is user configuration (my mistake), but I can't see it yet, and want to open this discussion in case it could be a problem.

In the config you shared on IRC, both pam_unix.so and pam_fprintd.so
were set to `sufficient`, which means that PAM stops immediately on
success, but ignores failure.

You probably want something like the following, which should jump across 
the fprintd module if unix succeeds but ignores failure and moves on to 
fprintd, which then interrupts everything on failure.

auth       requisite                         pam_nologin.so
auth       [success=1 default=ignore]        pam_unix.so try_first_pass nullok
auth       [success=ok default=die]          pam_fprintd.so
auth       required                          pam_env.so

Untested. See `man 5 pam.conf` for more information.
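
The control-flag behaviour discussed in this thread, as an added example that is not part of either message and not greetd or Linux-PAM code: a simplified Python model of how one auth stack combines module results, using the keyword expansions documented in pam.conf(5). The `WEAK` stack is constructed here (the original config is not shown in the thread), and the results returned by the other modules are an input (`others`), not a statement about what those modules return.

```python
SHORTHAND = {  # keyword controls expanded as documented in pam.conf(5)
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}
# WEAK is constructed (both modules `sufficient`); FIXED is the reply's stack.
WEAK = """
auth requisite  pam_nologin.so
auth sufficient pam_unix.so try_first_pass nullok
auth sufficient pam_fprintd.so
auth required   pam_env.so
"""
FIXED = """
auth requisite pam_nologin.so
auth [success=1 default=ignore] pam_unix.so try_first_pass nullok
auth [success=ok default=die] pam_fprintd.so
auth required pam_env.so
"""

def parse(stack):
    """Turn 'auth <control> <module> [args]' lines into (actions, module)."""
    for line in stack.strip().splitlines():
        rest = line.split(None, 1)[1].strip()      # drop the 'auth' type
        if rest.startswith("["):                   # [value=action ...] form
            ctl, rest = rest[1:].split("]", 1)
            actions = dict(pair.split("=") for pair in ctl.split())
        else:
            ctl, rest = rest.split(None, 1)
            actions = SHORTHAND[ctl]
        yield actions, rest.split()[0]

def granted(stack, unix, fprintd, others="success"):
    """Outcomes are 'success', 'fail' or 'ignore'; `others` is an assumption."""
    results = {"pam_unix.so": unix, "pam_fprintd.so": fprintd}
    verdict, skip = None, 0                        # None = no impression yet
    for actions, module in parse(stack):
        if skip:
            skip -= 1
            continue
        action = actions.get(results.get(module, others), actions["default"])
        if action in ("bad", "die"):
            verdict = False                        # a failure is never undone
        elif action != "ignore" and verdict is None:
            verdict = True                         # ok, done and N count as ok
        if action == "die" or (action == "done" and verdict):
            break
        if action.isdigit():
            skip = int(action)                     # jump over the next N modules
    return verdict is True
```

`granted(WEAK, "fail", "fail")` returns `True` whenever another module in the stack reports success, because both failures are ignored; `granted(FIXED, "fail", "fail")` returns `False` because `default=die` on pam_fprintd.so ends the stack.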