diff --git a/0001-fingerprint-Retain-error-code-returned-by-pam_fprint.patch b/0001-fingerprint-Retain-error-code-returned-by-pam_fprint.patch
new file mode 100644
index 0000000..29ac2ef
--- /dev/null
+++ b/0001-fingerprint-Retain-error-code-returned-by-pam_fprint.patch
@@ -0,0 +1,61 @@
+From b75a468d38598920833762a7227b06d73be20709 Mon Sep 17 00:00:00 2001
+From: Benjamin Berg
+Date: Tue, 9 Mar 2021 14:34:22 +0100
+Subject: [PATCH] fingerprint: Retain error code returned by pam_fprintd.so
+
+pam_fprintd.so will return PAM_AUTHINFO_UNAVAIL in some situations. It
+is important that the fingerprint-auth stack returns this error code, so
+that users (i.e. GDM) can tell the difference between an authentication
+failure vs. an immediate return because no fingers are enrolled.
+
+Fix this by changing sufficient to required (i.e. default=bad rather
+than default=ignore) in order to ensure that the pam_fprintd.so error
+code is returned.
+---
+ profiles/nis/fingerprint-auth | 2 +-
+ profiles/sssd/fingerprint-auth | 2 +-
+ profiles/winbind/fingerprint-auth | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/profiles/nis/fingerprint-auth b/profiles/nis/fingerprint-auth
+index 756993c..f312974 100644
+--- a/profiles/nis/fingerprint-auth
++++ b/profiles/nis/fingerprint-auth
+@@ -1,7 +1,7 @@
+ {continue if "with-fingerprint"}
+ auth required pam_env.so
+ auth required pam_faillock.so preauth silent {include if "with-faillock"}
+-auth sufficient pam_fprintd.so
++auth required pam_fprintd.so
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+ auth required pam_deny.so
+
+diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
+index fe3cac7..5ec1673 100644
+--- a/profiles/sssd/fingerprint-auth
++++ b/profiles/sssd/fingerprint-auth
+@@ -2,7 +2,7 @@
+ auth required pam_env.so
+ auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
+ auth required pam_faillock.so preauth silent {include if "with-faillock"}
+-auth sufficient pam_fprintd.so
++auth required pam_fprintd.so
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+ auth required pam_deny.so
+
+diff --git a/profiles/winbind/fingerprint-auth b/profiles/winbind/fingerprint-auth
+index c4b8261..07fca0f 100644
+--- a/profiles/winbind/fingerprint-auth
++++ b/profiles/winbind/fingerprint-auth
+@@ -1,7 +1,7 @@
+ {continue if "with-fingerprint"}
+ auth required pam_env.so
+ auth required pam_faillock.so preauth silent {include if "with-faillock"}
+-auth sufficient pam_fprintd.so
++auth required pam_fprintd.so
+ auth required pam_faillock.so authfail {include if "with-faillock"}
+ auth required pam_deny.so
+
+--
+2.29.2
+
diff --git a/authselect.spec b/authselect.spec
index 360625d..2434100 100644
--- a/authselect.spec
+++ b/authselect.spec
@@ -3,7 +3,7 @@
 Name: authselect
 Version: 1.2.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Configures authentication and identity sources from supported profiles
 URL: https://github.com/authselect/authselect
@@ -11,6 +11,7 @@ License: GPLv3+
 Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
 Patch0001: 0001-minimal-add-dconf-settings-to-explicitly-disable-fpr.patch
+Patch0002: 0001-fingerprint-Retain-error-code-returned-by-pam_fprint.patch
 %global makedir %{_builddir}/%{name}-%{version}
@@ -294,6 +295,10 @@ exit 0
 exit 0
 %changelog
+* Tue Mar 09 2021 Benjamin Berg - 1.2.2-4
+- Add patch to make fingerprint-auth return non-failing pam_fprintd.so errors
+ Resolves: #1935331
+
 * Thu Mar 4 2021 Pavel Březina - 1.2.2-3
 - minimal: add dconf settings to explicitly disable fingerprint and smartcard authentication
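Review bot: In the embedded patch, `auth required pam_fprintd.so` drops the `success=done` half of `sufficient`, so in all three fingerprint-auth profiles (nis, sssd, winbind) a successful fingerprint match no longer ends the stack and falls through to `auth required pam_deny.so`, which always fails. With with-faillock enabled the successful match also passes through `pam_faillock.so authfail` first, which presumably records it as a failed attempt and could push the account towards lockout. The commit message only asks for `default=bad` in place of `default=ignore`; that can be had without losing the short-circuit by writing `auth [success=done default=bad] pam_fprintd.so`. It is worth confirming with an enrolled finger that fingerprint-auth still returns success before 1.2.2-4 ships.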