Bug#1031389: gdm3: installing fprintd, but not libpam-fprintd makes login via gdm impossible
Simon McVittie
smcv at debian.org
Thu Feb 16 10:20:55 GMT 2023
On Thu, 16 Feb 2023 at 09:46:20 +0100, Ansgar wrote:
> I wanted to try out the fingerprint reader in my laptop and installed
> fprintd (but not libpam-fprintd yet). I also did not yet configure any
> fingerprints.
>
> However after a reboot I could no longer login (I could still unlock
> the screen before the reboot). The system journal says:
>
> +---
> | Feb 16 09:35:34 gdm-fingerprint][1708]: PAM unable to dlopen(pam_fprintd.so): /lib/security/pam_fprintd.so: cannot open shared object file: No such file or directory
> | Feb 16 09:35:34 gdm-fingerprint][1708]: PAM adding faulty module: pam_fprintd.so
> | Feb 16 09:35:34 gdm-fingerprint][1708]: gkr-pam: no password is available for user
> | Feb 16 09:35:34 gdm-fingerprint][1716]: PAM unable to dlopen(pam_fprintd.so): /lib/security/pam_fprintd.so: cannot open shared object file: No such file or directory
> | Feb 16 09:35:34 gdm-fingerprint][1716]: PAM adding faulty module: pam_fprintd.so
> | Feb 16 09:35:34 gdm-fingerprint][1716]: gkr-pam: no password is available for user
> +---
>
> There was no prompt for the password at all: I chose my user and was
> returned back to the user selection.
This is actually more of a gnome-shell thing: gdm's authentication
UI is gnome-shell in a special mode, and it's gnome-shell (in
js/gdm/util.js) that chooses whether to ask gdm to authenticate using
/etc/pam.d/gdm-fingerprint or one of the other gdm-* PAM service names.
At the moment, it chooses gdm-fingerprint if fprintd is installed (as
determined by its D-Bus service name existing) and reports that there is
a suitable fingerprint reader device.
Is there a better way that gnome-shell can detect that libpam-fprintd is
unavailable, preferably without having to hard-code the Debian-specific
and architecture-specific path /lib/x86_64-linux-gnu/security/pam_fprintd.so
or other architectures' equivalents?
Dependencies aren't going to help us here: gdm shouldn't depend on
libpam-fprintd because it works fine without it (indeed that's a more
common configuration), fprintd can't depend on libpam-fprintd because
that would be circular, and apt/dpkg has no syntax for "depends on
libpam-fprintd if fprintd is installed".
> I logged in via getty and installed libpam-fprintd and could login again.
>
> GDM should not make login impossible when fprintd is installed and
> libpam-fprintd is not. Login via password should still be possible in
> this case.
In principle the /etc/pam.d/gdm-fingerprint PAM stack could probably
fall back to password authentication, but I'm not sure how that would
be achieved. Marco Trevisan would probably know better?
Other distributions' PAM configurations as shipped by upstream seem to
be for fingerprint authentication only, without allowing a password.
smcv
More information about the pkg-gnome-maintainers
mailing list