[systemd-devel] Antw: [EXT] Re: Disallowing fingerprint authentication if pam_systemd_home.so needs a password

Ulrich Windl Ulrich.Windl at rz.uni-regensburg.de
Tue Apr 26 06:41:39 UTC 2022


>>> juice <juice at swagman.org> wrote on 25.04.2022 at 17:03 in message
<4CBF03CA-7A0A-4DBE-AD00-C6F3938FFB55 at swagman.org>:

> 
> On 25 April 2022 at 16.39.56 GMT+03:00, Benjamin Berg 
><benjamin at sipsolutions.net> wrote:
>>On Mon, 2022-04-25 at 13:28 +0200, Lennart Poettering wrote:
>>> 
>>> Hmm, not sure I follow? I don't know how fingerprint flow of control
>>> is. Is this about authentication-by-fingerprint? Or already about
>>> user-selection-by-fingerprint?
>>
>>I was just thinking of authentication-by-fingerprint. Though I don't
>>think it makes a big difference here.
>>
> 
> Using fingerprint for *authentication* is a totally broken concept which 
> should never be allowed.

Why? Is a PIN any better?

> Fingerprints are *userid*, never *password*.
> 
> We leave our fingerprints lying around all the time, and given malicious 
> enough adversaries they might as well take our fingers too. (I sure would 
> like to avoid that possibility!!)

So you are saying users leave themselves lying around everywhere? ;-)

> 
> Fingerprints can be used in place of a username, that is OK and does not 
> present similar risks.

Fingerprints are more than a userid IMHO.

> 
>   - Juice -





