[Fingerforce-devel] Bug#1027977: libpam-fprintd: Disabled retries make fingerprint auth unreliable

Marcus Thiesen marcus at more-thiesen.de
Thu Jan 5 12:58:07 GMT 2023 

Package: libpam-fprintd
Version: 1.94.2-2
Severity: normal

Dear Maintainer,

max_tries for pam fprintd is set to 1 in Debian/Ubuntu, which means no
retry. I would expect at least some retries when I have a failed
fingerprint auth attempt.

It comes from this commit:
commit d90232eaf6ce050ed494d9fb9cd8464ba595468f
Author: Didier Raboud <odyx at debian.org>
Date:   Mon May 14 20:18:40 2012 +0200

    Allow one to configure max_tries and timeout with a patch.

diff --git a/debian/pam-configs/fprintd b/debian/pam-configs/fprintd
index 1c79d52..365e3dd 100644
--- a/debian/pam-configs/fprintd
+++ b/debian/pam-configs/fprintd
@@ -4,4 +4,4 @@ Priority: 260
 Conflicts: fprint
 Auth-Type: Primary
 Auth:
-       [success=end default=ignore]    pam_fprintd.so
+       [success=end default=ignore]    pam_fprintd.so max_tries=1
timeout=10 # debug

That has been in there for 10 years, but in my opinion it makes fingerprint
reading in Debian/Ubuntu totally unusable, because at least on my P1
Thinkpad the fingerprint reader is not reliable enough/I hit not well
enough and I get false negatives quite often, after I changed that
max_tries to 3 it is much more fun to use, because I can actually try again
when it fails and I don't always have to fall back to typing my password.
It then behaves more like my phone which is I guess by now expected
behaviour (and I guess also the quality fingerprint readers have
nowadays).

I reached out to the author of the commit, Didier 'OdyX' Raboud, he said
"As you can see from the commit date, this is more than 10 (! wow) since I
committed this, during a period during which I was maintaining fprintd &co.
My last upload on fprintd was in 2016. I have never since re-tried using
pam_fprintd on any of the laptops I use.

I definitely and clearly don't insist that this patch is correct,
meaningful or relevant nowadays. With my now-non-expert eyes, this seems to
warrant a bugreport to Debian for removal, indeed."

Cheers,
  Marcus


-- 
 :: Marcus More-Thiesen :: blog.thiesen.org :: @mthiesen :: 0173 / 28 01 82
4 ::
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/fingerforce-devel/attachments/20230105/4538e7fc/attachment.htm>

More information about the Fingerforce-devel mailing list