FS#71750 - gdm fprintd triggers faillock

Attached to Project: Arch Linux
Opened by Caleb Cushing (xenoterracide) - Friday, 06 August 2021, 00:10 GMT
Last edited by Jan Alexander Steffens (heftig) - Tuesday, 31 August 2021, 22:21 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Jan Alexander Steffens (heftig)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

From a user perspective, what I see is that even if I am not touching my computer, the computer behaves as though I'm touching the fingerprint pad, and it continues to do so about once per second until faillock is triggered. I was told this is a problem that our distribution (and maybe GNOME) needs to resolve, by an fprintd developer.

https://gitlab.freedesktop.org/libfprint/fprintd/-/issues/112#note_1016191

> It is a problem with your distribution's pam configuration. If pam_fprintd.so returns an error, then this error needs to be correctly passed up the stack for interpretation by GDM.
In addition to fixing that, Fedora has a workaround for the issue in gnome-shell: https://src.fedoraproject.org/rpms/gnome-shell/blob/f34/f/0001-gdm-Work-around-failing-fingerprint-auth.patch

At this point that's really all I know, but given it can lock you out of your system in the current configuration, I think it needs to get fixed at the distro level (as well as upstream).

Seems to be most reproducible if you have no fingerprints registered and are logged out.

Using fprintd 1.92.0 libfprint 1.92.0

Closed by  Jan Alexander Steffens (heftig)
Tuesday, 31 August 2021, 22:21 GMT
Reason for closing:  Fixed
Additional comments about closing:  gdm-40.1-2
Comment by Caleb Cushing (xenoterracide) - Friday, 06 August 2021, 00:13 GMT
gdm 40.1 pam 1.5.1

Reading that patch, all it does is tell you to run a program that is only in the AUR, and given it relies on SELinux, I'm not certain that'll work.
Comment by Caleb Cushing (xenoterracide) - Friday, 06 August 2021, 00:28 GMT
nope won't work, bad idea. But something has to change :/

```
+ log("Please fix your configuration by running: authselect select --force sssd with-fingerprint with-silent-lastlog");
```
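Review bot: The added log() line hard-codes one tool's remediation command (authselect select --force sssd with-fingerprint with-silent-lastlog), which is only actionable on systems that manage their PAM stack with authselect. The message would serve other distributions better if it named the condition itself, that the PAM configuration is not passing the pam_fprintd.so failure up to GDM, and left the tool-specific command as a secondary hint.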

although maybe this is the real fix? not the logging, I don't understand this particular code though.

```
+ if (serviceName == FINGERPRINT_SERVICE_NAME) {

+ this._fprintStartTime = GLib.get_monotonic_time();

+ }

+
```
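Review bot: The assignment to this._fprintStartTime inside the FINGERPRINT_SERVICE_NAME branch carries no comment saying what the timestamp is for, and the code that reads it is not part of this excerpt. GLib.get_monotonic_time() returns microseconds, so a one-line comment naming the unit and the consumer would keep the later comparison from being written against milliseconds or seconds. It is also worth confirming that the field is reset when the fingerprint service is restarted, since a stale start time would skew whatever elapsed-time check uses it.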
