Add patch to make fingerprint-auth return non-failing pam_fprintd.so errors

Resolves: #1935331
Benjamin Berg 2021-03-09 19:43:02 +01:00
parent 67e3c97e35
commit 54f4d090c5
2 changed files with 67 additions and 1 deletions


@ -0,0 +1,61 @@
From b75a468d38598920833762a7227b06d73be20709 Mon Sep 17 00:00:00 2001
From: Benjamin Berg <bberg@redhat.com>
Date: Tue, 9 Mar 2021 14:34:22 +0100
Subject: [PATCH] fingerprint: Retain error code returned by pam_fprintd.so
pam_fprintd.so will return PAM_AUTHINFO_UNAVAIL in some situations. It
is important that the fingerprint-auth stack returns this error code, so
that users (i.e. GDM) can tell the difference between an authentication
failure vs. an immediate return because no fingers are enrolled.
Fix this by changing sufficient to required (i.e. default=bad rather
than default=ignore) in order to ensure that the pam_fprintd.so error
code is returned.
---
profiles/nis/fingerprint-auth | 2 +-
profiles/sssd/fingerprint-auth | 2 +-
profiles/winbind/fingerprint-auth | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
index 756993c..f312974 100644
--- a/profiles/nis/fingerprint-auth
+++ b/profiles/nis/fingerprint-auth
@@ -1,7 +1,7 @@
{continue if "with-fingerprint"}
auth required pam_env.so
auth required pam_faillock.so preauth silent {include if "with-faillock"}
-auth sufficient pam_fprintd.so
+auth required pam_fprintd.so
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
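Review bot: Swapping `sufficient` for `required` on the pam_fprintd.so line changes the success action as well as the default. `sufficient` is `[success=done new_authtok_reqd=done default=ignore]`, while `required` is `[success=ok new_authtok_reqd=ok ignore=ignore default=bad]`. With `success=ok` a successful fingerprint no longer ends the stack, so processing continues into `auth required pam_faillock.so authfail` and then `auth required pam_deny.so`, and the stack as shown can no longer return success. To retain the pam_fprintd.so error code without losing the success path, keep the terminating success action and change only the default, for example `auth [success=done default=bad] pam_fprintd.so`.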
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index fe3cac7..5ec1673 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -2,7 +2,7 @@
auth required pam_env.so
auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
auth required pam_faillock.so preauth silent {include if "with-faillock"}
-auth sufficient pam_fprintd.so
+auth required pam_fprintd.so
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
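Review bot: The pam_fprintd.so line here still falls through to `pam_faillock.so authfail` on every non-success result, which includes the PAM_AUTHINFO_UNAVAIL case the commit message describes as an immediate return because no fingers are enrolled. When with-faillock is enabled, that looks like it records a failed attempt toward lockout although no authentication was attempted. Please confirm this is intended, or give that return value its own action on the pam_fprintd.so line (for example `authinfo_unavail=die`) so the stack returns before the authfail line is reached.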
diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
index c4b8261..07fca0f 100644
--- a/profiles/winbind/fingerprint-auth
+++ b/profiles/winbind/fingerprint-auth
@@ -1,7 +1,7 @@
{continue if "with-fingerprint"}
auth required pam_env.so
auth required pam_faillock.so preauth silent {include if "with-faillock"}
-auth sufficient pam_fprintd.so
+auth required pam_fprintd.so
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
--
2.29.2


@ -3,7 +3,7 @@
Name: authselect
Version: 1.2.2
Release: 3%{?dist}
Release: 4%{?dist}
Summary: Configures authentication and identity sources from supported profiles
URL: https://github.com/authselect/authselect
@ -11,6 +11,7 @@ License: GPLv3+
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
Patch0001: 0001-minimal-add-dconf-settings-to-explicitly-disable-fpr.patch
Patch0002: 0001-fingerprint-Retain-error-code-returned-by-pam_fprint.patch
%global makedir %{_builddir}/%{name}-%{version}
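Review bot: The new Patch0002 entry points at a file whose name starts with `0001-`, the same prefix as the Patch0001 file, so the file names no longer reflect the apply order. Consider renaming it to `0002-fingerprint-Retain-error-code-returned-by-pam_fprint.patch`, and add a spec comment above the Patch0002 line saying whether the change has been submitted to the upstream repository given in URL.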
@ -294,6 +295,10 @@ exit 0
exit 0
%changelog
* Tue Mar 09 2021 Benjamin Berg <bberg@redhat.com> - 1.2.2-4
- Add patch to make fingerprint-auth return non-failing pam_fprintd.so errors
Resolves: #1935331
* Thu Mar 4 2021 Pavel Březina <pbrezina@redhat.com> - 1.2.2-3
- minimal: add dconf settings to explicitly disable fingerprint and smartcard authentication
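Review bot: The new changelog line "return non-failing pam_fprintd.so errors" is hard to parse and does not say what changes for users. The patch description is clearer: the fingerprint-auth stack retains the error code returned by pam_fprintd.so (such as PAM_AUTHINFO_UNAVAIL) so that callers like GDM can tell "no fingers enrolled" apart from an authentication failure. Suggest wording the 1.2.2-4 entry along those lines.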