Bug 483130

Summary: Unlocking with fingerprint leads to other PAM session authentication failure
Product: [Plasma] kscreenlocker Reporter: Dinolek <kde>
Component: generalAssignee: Plasma Bugs List <plasma-bugs>
Status: REPORTED ---    
Severity: normal CC: jlp, kde-yannis, kde, nate, severin.hamader, uhhadd
Priority: NOR Keywords: qt6
Version: 6.0.1   
Target Milestone: ---   
Platform: Arch Linux   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Dinolek 2024-03-10 16:18:26 UTC
SUMMARY
After successfully unlocking screen with fingerprint, password PAM session fails.
If pam_faillock is enabled, it leads to account locking after few fingerprints unlocks in short time.

STEPS TO REPRODUCE
1. Lock screen
2. Unlock with fingerprint

OBSERVED RESULT
> pam_unix(kde:auth): authentication failure; logname=...

After 3 unlocks:
> pam_faillock(kde:auth): Consecutive login failures for user ... account temporarily locked

EXPECTED RESULT
No failures

SOFTWARE/OS VERSIONS
KDE Plasma Version: 6.0.1
KDE Frameworks Version: 6.0.0
Qt Version: 6.6.2
Graphics Platform: Wayland
Comment 1 Charitakis Yannis 2024-03-17 22:26:32 UTC
Hello all,

After installing and configuring the fingerprint sensor, I had the same issue as above.
But I think I have found a workaround.

Please note however that I am far from an expert and I maybe wrong.

I am on EndeavourOS using KDE Plasma 6.0.2, linux 6.6.22-1-lts on a thinkpad X270.

Based on man pam_fprintd:
```
LIMITATIONS
The  PAM stack is by design a serialised authentication, so it is not possible for pam_fprintd to allow authentication through passwords and       fingerprints at the same time.  It is up to the application using the PAM services to implement separate PAM processes and run separate  authentication  stacks  separately. This is the way multiple authentication methods are made available to users of gdm for example.
```
Since kscreenlocker does permit both password and finderprint at the same time, I believe this is what it does.
That is, it uses two separate PAM processes:
One, let's call it password PAM process, is using the /etc/pam.d/kde configuration.
The other, let's call it fingerprint PAM process, using the /etc/pam.d/kde-fingerprint configuration.

kscreenlocker will unlock if any of the two above PAM processes succeeds.
The other however will fail. 

When using the password PAM process, succesful login will clear the previous faillock incidents.
This is what it happens by observing the contents of  the original /etc/pam.d/kde.

The fingerprint PAM process though, differs.
Unfortunately I didn't keep the original /etc/pam.d/kde-fingerprint, but the updated
seems to work correctly:

[root@gordon pam.d]# cat kde-fingerprint 
#%PAM-1.0

auth       required                    pam_shells.so
auth       requisite                   pam_nologin.so
auth       requisite                   pam_faillock.so      preauth # <--- I think I added this line
-auth      required                    pam_fprintd.so
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc # <--- I think I added this line

account       requisite                   pam_faillock.so      preauth   # <--- Surely added this line
account    include                     system-local-login
account       required                    pam_faillock.so      authsucc # <--- Surely added this line

password   required                    pam_deny.so

session    include                     system-local-login
[root@gordon pam.d]#

The above change was based on the following note from pam_faillock:
[...] Due to complications in the way the PAM stack can be configured it is also possible to call pam_faillock as an account module. In such configuration the module must be also called in the preauth stage.[...]

Using the above configuration and unlocking multiple times using the fingerprint works ok.
Still though, there is a single faillock incident after each try, but they do not accumulate.
Faillock is being reset by the fingerprint PAM process and just after reset the password PAM process registers a failed incident.