Strange lock screen behaviour with fprintd enabled

srid · November 28, 2020, 4:40pm

Both xlock (from xlockmore) and i3lock will prompt for password, followed by requiring me to touch the fingerprint sensor (but with no UI feedback), before actually unlocking the screen. If I only enter the password, but did not touch the fingerprint sensor, the lock screen will sit there waiting for me to do it (again, with no UI feedback that it is waiting for me to do so).

This behaviour is strange, and is only happening with fprintd enabled. For the record, this is what I have in my config:

  services.fwupd.enable = true;
  services.fprintd.enable = true;
  security.pam.services.login.fprintAuth = true;
  security.pam.services.xscreensaver.fprintAuth = true;
  security.pam.services.xlock.fprintAuth = true;

Has anyone else faced this? Is there a solution? I have the X1 Carbon Gen 7 running nixos-unstable.

DAlperin · March 28, 2022, 4:56pm

I have the same problem with gdm. I think I have tracked this down. The pam module generates the /etc/pam.d/screensaver file which includes the two lines if fingerprint auth is enabled:

auth sufficient /nix/store/f73ky03s49ivg2wxzs5cm0lq0zwh5r95-fprintd-1.92.0/lib/security/pam_fprintd.so
auth sufficient pam_unix.so   likeauth try_first_pass

My theory is that it should instead look like:

auth sufficient pam_unix.so   likeauth try_first_pass nullok
auth sufficient /nix/store/f73ky03s49ivg2wxzs5cm0lq0zwh5r95-fprintd-1.92.0/lib/security/pam_fprintd.so

I am not sure how to override this file though so if anyone has any ideas, let me know.

bd-g · May 4, 2023, 3:09am

You are correct, the Arch WIki also suggests that order. I’m going to try and submit a PR to add an option to invert the order of the fingerprint vs password auth.

jtojnar · May 4, 2023, 11:07am

There is nixos/pam: Move `pam_fprintd.so` after `pam_unix.so` by skeleten · Pull Request #171140 · NixOS/nixpkgs · GitHub. However, it apparently requires entering an empty password first. Also needs someone familiar with PAM to review it

SebTM · May 4, 2023, 11:26pm

Hey, as far as I know I never had a different behavior and that is somehow a limitation of using pam (as it can’t handle concurrent verification if I rephrase it correct?) lastly that’s why i lastly switched to GitHub - SL-RU/swaylock-fprintd: Screen locker for Wayland with fingerprint support via fprintd it implements the fingerprint-unlock concurrent to password-unlock via dbus instead of pam but you would need to use sway/wayland or port it to i3lock if you don’t want to…

Ma27 · May 5, 2023, 6:47am

as it can’t handle concurrent verification if I rephrase it correct?

Correct. To quote pam_fprintd(8):

The PAM stack is by design a serialised authentication, so it is not possible for pam_fprintd to allow authentication through passwords and fingerprints at the same time.
It is up to the application using the PAM services to implement separate PAM processes and run separate authentication stacks separately. This is the way multiple authentication methods are made available to users of gdm for example.