Bug#749669: gksudo + fprintd: no prompt for PAM authentication based on fingerprint
Krzysztof Słychań
krzysztof.slychan at 10g.pl
Thu May 29 00:30:43 UTC 2014
Package: gksu
Version: 2.0.2-6
Severity: important
Dear Maintainer,
I'm using a fingerprint reader and fprintd (0.5.1-1) package for the fingerprint functionality.
The PAM policy is configured so that it asks for swiping a finger on a reader, and if that fails, asks for user password.
Whenever I use gksudo, I don't get any window with a prompt for swiping my finger, even though the back end works:
I can swipe the finger, press return and the gksudo'ed application starts.
Test case:
1. enter: "gksudo foo" in a terminal window or run prompt (where foo is a placeholder name for an app; in my case, it was gparted and unetbootin)
2. you should get a gksudo prompt asking for swiping a finger - that doesn't happen, you don't get any box
3. if you now swipe your finger and press return on the keyboard, you're authorized and the app (foo) starts correctly
Additional info:
I'm using Debian jessie/sid amd64 with LXDE+Openbox desktop on a Lenovo T61p laptop computer.
There were two kinds of palmrests for this series of machines: one didn't have a fingerprint reader and the other had.
I've replaced the former with the latter.
Everything besides gksudo worked out of the box after installing fprintd and enrolling my fingerprint:
xscreensaver (unlocking screen), lightdm (user login), sudo, console login - all work correctly and display the proper prompts,
which rules out a bug in fprintd or PAM.
Before adding the fingerprint reader, gksudo worked correctly and asked for my password.
$ uname -a:
Linux blackcat 3.13-1-amd64 #1 SMP Debian 3.13.10-1 (2014-04-15) x86_64 GNU/Linux
lsusb entry:
Bus 002 Device 003: ID 0483:2016 STMicroelectronics Fingerprint Reader
$ cat /etc/pam.d/common-auth:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_fprintd.so max_tries=1 timeout=10 # debug
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.13-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages gksu depends on:
ii libatk1.0-0 2.12.0-1
ii libc6 2.18-7
ii libcairo2 1.12.16-2
ii libfontconfig1 2.11.0-5
ii libfreetype6 2.5.2-1
ii libgconf2-4 3.2.6-2
ii libgdk-pixbuf2.0-0 2.30.7-1
ii libgksu2-0 2.0.13~pre1-7
ii libglib2.0-0 2.40.0-3
ii libgnome-keyring0 3.4.1-1
ii libgtk2.0-0 2.24.23-1
ii libpango1.0-0 1.36.3-1
ii libstartup-notification0 0.12-3
ii sudo 1.8.9p5-1
Versions of packages gksu recommends:
ii gnome-keyring 3.8.2-2+b1
gksu suggests no packages.
-- no debconf information
More information about the pkg-gnome-maintainers
mailing list