[systemd-devel] Disallowing fingerprint authentication if pam_systemd_home.so needs a password

Lennart Poettering lennart at poettering.net
Mon Apr 25 14:36:07 UTC 2022


On Mo, 25.04.22 16:29, Lennart Poettering (lennart at poettering.net) wrote:

> On Mo, 25.04.22 15:39, Benjamin Berg (benjamin at sipsolutions.net) wrote:
>
> > > Right now homed supports neither (I think it would make a ton of sense
> > > to add though).
> > >
> > > Note that homed home directories are LUKS-unlocked by the password
> > > entered or the secret unlocked by pkcs11/fido2. Thus adding
> > > alternative authenticators to homed accounts via just PAM will
> > > generally not work, since we must have something key-like (i.e. a
> > > password, or data blob from the security token or so) to unlock LUKS
> > > with. Not sure what fingerprint login has there?
> >
> > Fingerprint does not provide any data that could be used for unlocking
> > LUKS. So, my take is that we need to skip trying fingerprint
> > authentication if the home directory cannot be mounted without a
> > secret.
>
> Hmm, are you sure? I mean, I am sure many fingerprint devices are
> basically just photo scanners. But aren't there devices that are a bit
> smarter, and can do some cryptography based on local fingerprint auth?
>
> i.e. that when you enroll a fingerprint you can associate some secret
> key with it that you pass to the hw. And then you store that secret
> key also on the host, and whenever you need to authorize a user you
> ask the fingerprint hw for a finger scan plus some value of your
> choice and it will return you a HMAC of that value, keyed by the
> secret you specified during enrollment?

googling a bit I found this:

https://docs.microsoft.com/en-us/windows/win32/secbiomet/sensor-requirements-for-secure-biometrics

So, what precisely is a "secure sensor"? Does libfprint support those?

In fact, glancing over this, it appears to be exactly the thing I was
just proposing?

Lennart

--
Lennart Poettering, Berlin
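Added example, not code from this thread, libfprint or homed: a Python simulation of the enrollment and challenge-response exchange Lennart sketches above. The host generates a secret at enrollment, hands it to the sensor and keeps its own copy; at login the host sends a fresh random challenge, the sensor returns HMAC(secret, challenge) only after a local finger match, and the host verifies before treating the secret as key-like material. The `SecureSensor`, `ReplayingSensor` and `Host` classes, the record store and the template byte strings are constructed stand-ins; where the host-side copy of the secret would live relative to the encrypted home is not settled in the thread and is not addressed here.

```python
"""Simulated challenge-response between a host and a 'secure' fingerprint
sensor, in the shape sketched in the message above.  Example code only:
not libfprint, homed or any real sensor protocol."""

import hashlib
import hmac
import secrets
from typing import Dict, Optional


class SecureSensor:
    """Stand-in for a sensor that binds a host-supplied secret to an enrolled
    finger and will only key an HMAC with it after a local match."""

    def __init__(self) -> None:
        # finger template -> secret, held inside the (simulated) sensor
        self._slots: Dict[bytes, bytes] = {}

    def enroll(self, template: bytes, secret: bytes) -> None:
        self._slots[template] = secret

    def authenticate(self, presented: bytes, challenge: bytes) -> Optional[bytes]:
        # The match happens on the device; the host never sees the template.
        secret = self._slots.get(presented)
        if secret is None:
            return None  # no match: no HMAC, nothing key-like leaves the sensor
        return hmac.new(secret, challenge, hashlib.sha256).digest()


class ReplayingSensor(SecureSensor):
    """Adversary model: returns a previously captured response instead of
    keying an HMAC over the fresh challenge."""

    def __init__(self, captured: bytes) -> None:
        super().__init__()
        self._captured = captured

    def authenticate(self, presented: bytes, challenge: bytes) -> Optional[bytes]:
        return self._captured


class Host:
    """Host side: keeps its own copy of the enrollment secret and issues a
    fresh random challenge for every authentication attempt."""

    def __init__(self, sensor: SecureSensor) -> None:
        self.sensor = sensor
        self.records: Dict[str, bytes] = {}  # user -> secret (assumed store)

    def enroll(self, user: str, template: bytes) -> bytes:
        secret = secrets.token_bytes(32)
        self.sensor.enroll(template, secret)
        self.records[user] = secret
        return secret

    def authenticate(self, user: str, presented: bytes) -> Optional[bytes]:
        secret = self.records.get(user)
        if secret is None:
            return None
        challenge = secrets.token_bytes(32)  # fresh nonce: a replayed HMAC cannot match
        response = self.sensor.authenticate(presented, challenge)
        if response is None:
            return None
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):  # constant-time compare
            return None
        # Only after a valid response is the host-held secret released as
        # key-like material (the thing homed would need to unlock LUKS with).
        return secret


# Constructed sample data: opaque stand-ins for finger templates.
ALICE_FINGER = b"template:alice:right-index"
OTHER_FINGER = b"template:someone-else"


def demo() -> dict:
    sensor = SecureSensor()
    host = Host(sensor)
    enrolled = host.enroll("alice", ALICE_FINGER)

    good = host.authenticate("alice", ALICE_FINGER)
    wrong_finger = host.authenticate("alice", OTHER_FINGER)

    # Capture one valid response and replay it against a later challenge.
    captured = sensor.authenticate(ALICE_FINGER, secrets.token_bytes(32))
    replay_host = Host(ReplayingSensor(captured))
    replay_host.records["alice"] = enrolled
    replayed = replay_host.authenticate("alice", ALICE_FINGER)

    return {
        "good_releases_secret": good == enrolled,
        "wrong_finger_rejected": wrong_finger is None,
        "replay_rejected": replayed is None,
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC proves that the sensor holding the enrollment secret saw a matching finger for this specific challenge; it does not by itself produce a secret the host does not already have, which is why the host's own copy of the secret is what gets released at the end.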

