Bugzilla – Bug 850807
fprintd broken
Last modified: 2014-07-30 14:00:10 UTC
After a few attempts to get everything working fine, which it did, I decided to upgrade all packages, which brought me to a broken pam_fprintd
    # fprintd-enroll
    list_devices failed: Unit fprintd.service failed to load: No such file or directory.
    pam_fprint-32bit-0.2-19.1.x86_64 Fri Nov 15 21:56:09 2013
    pam_fprint-0.2-19.1.x86_64 Fri Nov 15 21:56:09 2013
    libfprint0-0.5.1-45.1.x86_64 Fri Nov 15 21:56:09 2013
These are packages from the hardware repository, aren't they?
Yes - I sent a pull request already
well. factory has libfprint and pam_fprint
in hardware we still have pam_fprint, but we also have the more recent fprintd which builds a fprintd-pam subpackage with the comment in the specfile:
    # do not obsolete pam_fprint until yast2-fingerprint-reader has been ported to fprintd
    #Obsoletes: pam_fprint < 0.2-7
    #Provides: pam_fprint = %{version}-%{release}
so this looks like yast2-fingerprint-reader needs porting first
yast2-fingerprint-reader was dropped by fate#313128 in August 2013, so we should drop "pam_fprint" from openSUSE:Factory now and add the obsoletes ... creating requests now
added 32bit package for fprintd-pam to be able to run "pam-config --add --fprintd"
enrolled finger-prints as root worked, listing and verifying as well.
all do not work as user, what does need to happen with dbus policies here ?
    > fprintd-list ro
    found 1 devices
    Device at /net/reactivated/Fprint/Device/0
    Using device /net/reactivated/Fprint/Device/0
    ListEnrolledFingers failed: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Could you please elaborate on why a working fprint yast module is removed before a working fprintd replacement exists? What is fate#313128 (I did not find that number in openSUSE Fate)? For anyone arriving here, pulling his hair because fprint authentication no longer works, like me: look here https://forums.opensuse.org/showthread.php/492941-Fingerprint-reader-configuration-amp-use-on-13-1?p=2626314#post2626314
rudi, were there any messages in /var/log/messages? dbus should report issues there, if a dialog did not pop up
Created attachment 596934: screenshot
I do get this popup, but even if I can enter the password, I can not click "Ok" after that, only cancel and then (or when doing nothing) I get:
    failed to claim device: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
and no messages from dbus in system log
13.1 has no fprintd ... where did you get this from?
hardware/fprintd apparently
a dup of bug 792095 in the end. we set the permissions too strict and Rudi, this happens because this dialog also wants to have the (root) fingerprint first :/
We can discuss whether enrolling is something that should be possible by users or admin-only (do not forget to include the fix http://bugzillafiles.novell.org/attachment.cgi?id=542285 in either case.) However I wonder that verify needs to be whitelisted for users, because fprintd is contacted via pam_fprint, which means the code that tries to verify the user already runs privileged via the PAM stack. So auth_admin:auth_admin:auth_admin should work at least. What might happen is that you try to authorize via sudo-like program and the PAM stack is running with euid=0 and uid=user so that the polkit stack is confused and returns 'user' when looking up the originator of the dbus-connection that's initiated by pam_fprint. In fact it should already return 'admin' as it's triggered from the PAM stack during an already privileged operation. I'd try to check with my setup and if we can make a small fix for pam_fprint. If that doesn't work we have to relax the polkit rules :/
please note that I'm talking about enrolling a fingerprint for a specific user (which means in the end writing a file in the home-directory structure of that user like /home/$USER/.fprint/$NUMBER1/$NUMBER2/$NUMBER3, so why would we need admin privs for such a thing?) this is like requiring admin privs when a normal user calls up "passwd" to change his password.
Ok, I am changing it to no:no:yes in our default privs. The fprints are stored in /var/lib/fprint however (pam_fprint vs. pam_fprintd) Please include above fix.
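The two settings quoted in the comments above (auth_admin:auth_admin:auth_admin and no:no:yes) are triples in the order any session, inactive local session, active local session. The following is an added example, not part of the bug thread or of any openSUSE package: it parses entries in that form and returns the implicit answer a caller gets. The sample file contents and the pairing of each setting with an fprintd action id are assumptions made for illustration.

```python
# Added example: constructed data, not the shipped openSUSE privilege file.
FIELDS = ("any", "inactive", "active")   # field order of one entry
VALID = {"no", "yes", "auth_self", "auth_admin",
         "auth_self_keep", "auth_admin_keep"}

# The action ids are the ones fprintd's polkit policy declares; which setting
# goes with which action is an assumption made for illustration.
SAMPLE = """\
# action                               any:inactive:active
net.reactivated.fprint.device.verify   auth_admin:auth_admin:auth_admin
net.reactivated.fprint.device.enroll   no:no:yes
"""


def parse_privs(text):
    """Return {action: {"any": v, "inactive": v, "active": v}}."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        values = parts[1].split(":") if len(parts) == 2 else []
        if len(values) != 3 or not set(values) <= VALID:
            raise ValueError(f"line {lineno}: expected "
                             "'<action> <any>:<inactive>:<active>'")
        table[parts[0]] = dict(zip(FIELDS, values))
    return table


def implicit_result(table, action, local, active):
    """Default answer for a caller when no polkit rule decides the request."""
    entry = table[action]
    if local and active:        # active session on a local console
        return entry["active"]
    if local:                   # local console, session not active
        return entry["inactive"]
    return entry["any"]         # every other caller


if __name__ == "__main__":
    privs = parse_privs(SAMPLE)
    for action in privs:
        for local, active in ((True, True), (True, False), (False, False)):
            print(action, f"local={local} active={active}",
                  "->", implicit_result(privs, action, local, active))
```

With no:no:yes only a caller in an active local session is allowed without authentication; any other caller is refused outright rather than prompted.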
This is an autogenerated message for OBS integration: This bug (850807) was mentioned in https://build.opensuse.org/request/show/241022 Factory / polkit-default-privs
fixed for Factory