68 lines
3.0 KiB
Diff
68 lines
3.0 KiB
Diff
From ff73f820b1398e5d60b8984b0003db46ad70b8ec Mon Sep 17 00:00:00 2001
|
|
From: Benjamin Berg <bberg@redhat.com>
|
|
Date: Wed, 28 Apr 2021 16:50:03 +0200
|
|
Subject: [PATCH] gdm: Work around failing fingerprint auth
|
|
|
|
On Fedora we have the problem that fingerprint auth fails immediately if
|
|
the PAM configuration has not been updated and no prints are enrolled.
|
|
|
|
So, consider a verification failure within one second to be a service
|
|
failure instead.
|
|
---
|
|
js/gdm/util.js | 18 ++++++++++++++++++
|
|
1 file changed, 18 insertions(+)
|
|
|
|
diff --git a/js/gdm/util.js b/js/gdm/util.js
|
|
index 97df6d687e..371953cb25 100644
|
|
--- a/js/gdm/util.js
|
|
+++ b/js/gdm/util.js
|
|
@@ -109,6 +109,7 @@ export class ShellUserVerifier extends Signals.EventEmitter {
|
|
this._defaultService = null;
|
|
this._preemptingService = null;
|
|
this._fingerprintReaderType = FingerprintReaderType.NONE;
|
|
+ this._fprintStartTime = -1;
|
|
|
|
this._messageQueue = [];
|
|
this._messageQueueTimeoutId = 0;
|
|
@@ -669,6 +670,10 @@ export class ShellUserVerifier extends Signals.EventEmitter {
|
|
this._hold.acquire();
|
|
try {
|
|
this._activeServices.add(serviceName);
|
|
+
|
|
+ if (serviceName == FINGERPRINT_SERVICE_NAME)
|
|
+ this._fprintStartTime = GLib.get_monotonic_time();
|
|
+
|
|
if (this._userName) {
|
|
await this._userVerifier.call_begin_verification_for_user(
|
|
serviceName, this._userName, this._cancellable);
|
|
@@ -763,6 +768,7 @@ export class ShellUserVerifier extends Signals.EventEmitter {
|
|
const cancellable = this._cancellable;
|
|
this._fingerprintFailedId = GLib.timeout_add(GLib.PRIORITY_DEFAULT,
|
|
FINGERPRINT_ERROR_TIMEOUT_WAIT, () => {
|
|
+ log("Generating _verificationFailed!");
|
|
this._fingerprintFailedId = 0;
|
|
if (!cancellable.is_cancelled())
|
|
this._verificationFailed(serviceName, false);
|
|
@@ -829,6 +835,18 @@ export class ShellUserVerifier extends Signals.EventEmitter {
|
|
if (serviceName === FINGERPRINT_SERVICE_NAME) {
|
|
if (this._fingerprintFailedId)
|
|
GLib.source_remove(this._fingerprintFailedId);
|
|
+
|
|
+ // On Fedora we have the problem that fingerprint auth fails
|
|
+ // immediately if the PAM configuration has not been updated and no
|
|
+ // prints are enrolled.
|
|
+ // So, consider a verification failure within one second to be a service
|
|
+ // failure instead.
|
|
+ if (this._fprintStartTime > GLib.get_monotonic_time() - GLib.USEC_PER_SEC) {
|
|
+ log("Fingerprint service failed almost immediately, considering it unavailable.");
|
|
+ log("Please fix your configuration by running: authselect select --force sssd with-fingerprint with-silent-lastlog");
|
|
+ this._onServiceUnavailable(this._client, serviceName, null);
|
|
+ return;
|
|
+ }
|
|
}
|
|
|
|
// For Not Listed / enterprise logins, immediately reset
|
|
--
|
|
2.43.2
|
|
|