[fprint] 5 enrolls --> does 6 and breaks with error -22

Bastien Nocera hadess at hadess.net
Mon Jun 18 10:41:08 PDT 2012


On Sun, 2012-06-17 at 15:52 +0200, Jonas Jelten wrote:
> You have to use fprintd and for pam pam_fprintd.so.
> 
> This works for me (X220t) but does have some 'features' you might not
> want to have.
> 
> e.g. you cannot stop the fprintd authentication with ^C and fallback to
> password, you have to wait for the (unconfigurable) timeout (very
> annoying over ssh).

It's not supposed to query for a fingerprint over ssh. That'd be a bug.

> also, you can store your fingerprint with the fprintd-enroll command,
> but this does not need a password. This means: ANYONE can just store HIS
> fingerprint under your account by opening a terminal with
> fprintd-enroll, and then execute sudo or whatever pam-auth program.

Anyone can copy their SSH key into your authorized keys too.

> -> we should require the user's password to update the user's fingerprint.
> 
> next, you can only enroll the index finger on pam-password-prompt, no
> config option here as well.

That's because fprintd-enroll is a test tool, not a command-line
interface for fingerprint management. You can enhance fprintd-enroll,
write your own D-Bus client to do all that, or use GNOME's User Accounts
panel to add a finger other than the index finger.

> at last, I can't find a manpage about /etc/fprintd.conf, what are
> possible config options?
> 
> 
> and no, i don't want to use the fprint-gui.

Not sure what that is, but the only GUIs there are for fprintd
management are GNOME and KDE's panels. At least that I know of.

Cheers


