[systemd-devel] Disallowing fingerprint authentication if pam_systemd_home.so needs a password

Benjamin Berg benjamin at sipsolutions.net
Mon Apr 25 10:09:55 UTC 2022


Hi,

If the home directory needs to be decrypted during login then we really
need a password for authentication, etc. And, that means that
fingerprint login must not be used (if we are authenticating to log in
the user).

I have not looked at pam_systemd_home.so more closely. But, if we need
the user's password, we need to either immediately return
PAM_AUTHINFO_UNAVAIL (GDM) or skip fingerprint auth (TTY).

My thinking is that we can easily add an option to pam_systemd_home.so
so that it returns an error condition telling us whether an
authentication token is needed or if a specific type of authentication
is acceptable (e.g. smartcard/fingerprint). This would allow us to
either jump over the pam_fprintd.so module or create rules to
immediately error out.

Does anyone know what is already possible, or is there someone willing
to add the required feature to implement it?

Benjamin