Bug 453877 - Allow multiple simultaneous auth methods to be used without having to fail at one of them, first via multiple PAM stacks
Status: CONFIRMED
Alias: None
Product: kscreenlocker
Classification: Plasma
Component: general
Version: 5.24.5
Platform: Other Linux
Importance: NOR wishlist
Target Milestone: ---
Assignee: Plasma Bugs List
Keywords: usability
Reported: 2022-05-16 09:25 UTC by cirelli94
Modified: 2023-05-01 16:28 UTC

Description cirelli94 2022-05-16 09:25:54 UTC
SUMMARY
Once I've configured Fingerprint Authentication, I can't unlock the screen with the password anymore.

It's useful for multiple reasons:
sometimes it's closed and attached to external peripherals
sometimes someone else needs to log in and I could tell them the password

STEPS TO REPRODUCE
1. Open System Settings > User > Configure Fingerprint Authentication
2. Lock the screen
3. Try to unlock with password

OBSERVED RESULT
It asks for the fingerprint, and fails with the password even if correct.

EXPECTED RESULT
It unlocks the screen.

SOFTWARE/OS VERSIONS
Operating System: Fedora Linux 36
KDE Plasma Version: 5.24.5
KDE Frameworks Version: 5.93.0
Qt Version: 5.15.3
Kernel Version: 5.17.6-300.fc36.x86_64 (64-bit)
Graphics Platform: Wayland
Comment 1 Nate Graham 2022-05-16 18:29:06 UTC
Can reproduce. Not sure if this is something we can fix on our side, or if it's a PAM configuration thing.

FWIW you'll be able to use your text password if you try and fail to authenticate with a fingerprint three times.
Comment 2 Éric Brunet 2023-03-31 17:36:50 UTC
I have the same issue on a Fedora 38 beta.
After failing the fingerprint three times, I can indeed type my password to unlock.
It works the other way around: I can type my password, hit enter (nothing happens), and then fail the fingerprint three times; the computer unlocks.
The problem might not be on the KDE side, as it is also present with other programs.
For instance, if I use sudo, I need to fail the fingerprint three times before being offered a keyboard prompt.
Comment 3 Nate Graham 2023-04-03 15:51:31 UTC
Yeah I'm pretty sure this is a PAM issue unfortunately.
Comment 4 Éric Brunet 2023-04-14 07:00:24 UTC
I agree it should be PAM's job, but they don't seem to think so. From the manpage for pam_fprintd:

       The PAM stack is by design a serialised authentication, so it is not
       possible for pam_fprintd to allow authentication through passwords and
       fingerprints at the same time.

       It is up to the application using the PAM services to implement
       separate PAM processes and run separate authentication stacks
       separately. This is the way multiple authentication methods are made
       available to users of gdm for example.

So maybe it is up to kscreenlocker to do the work, after all. There must be some code in gdm that could be adapted in kscreenlocker and in sddm.
Comment 5 Nate Graham 2023-04-14 13:57:05 UTC
Ah ok, so there is something we can do about it, cool.
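
The serialised stack described in the pam_fprintd manpage quoted in comment 4, next to the per-method split it asks applications to do, as an added illustration that is not part of the bug thread and not the actual configuration of kscreenlocker, gdm or Fedora. The service names `locker`, `locker-fingerprint` and `locker-password` are hypothetical.

```conf
# --- One serialised stack (constructed example: /etc/pam.d/locker) ---
# Modules run top to bottom inside a single PAM transaction.
# pam_fprintd holds the transaction while it waits on the reader and
# only returns once a finger matches or it gives up (three failed
# tries in the reports above). Only then does pam_unix get to ask
# for, or consume, the typed password.
auth  sufficient  pam_fprintd.so
auth  required    pam_unix.so

# --- Split into one service per method (hypothetical names) ---
# /etc/pam.d/locker-fingerprint: fingerprint only
auth  required    pam_fprintd.so

# /etc/pam.d/locker-password: password only
auth  required    pam_unix.so
```

With the split, the application starts one PAM transaction per service (`pam_start()` with each service name) in separate processes and unlocks as soon as either one succeeds, so a typed password no longer waits behind the fingerprint reader.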