Glitch when using fingerprint unlock
I found a couple of glitches in the PAM configuration for the gdm3 package for pop-os 22.04 LTS.
When fingerprint authentication is enabled I encounter two glitches in gdm:
- Unlock takes 2-3 seconds to unlock if I use password auth instead of using the fingerprint
- Sometimes when I enter the login screen the password login option is greyed out and I have to login using the fingerprint
I messed around a bit and it looks like this is a configuration issue in /etc/pam.d/gdm-password
This is the default configuration file coming from the gdm3
package:
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
# pam_selinux.so changes the SELinux context of the used TTY and configures
# SELinux in order to transition to the user context with the next execve()
# call.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 user_readenv=1 envfile=/etc/default/locale
@include common-session
session optional pam_gnome_keyring.so auto_start
@include common-password
As you can see on line 4 there is a reference to the common-auth
file, and this would normally be fine since this file contains rules for password authentication. The problem is that by default fingerprint auth is enabled for every authentication mechanism, so the common-auth
file contains a reference to pam-fprintd
:
auth [success=2 default=ignore] pam_fprintd.so max-tries=3 timeout=10 # debug
It looks like that by including a copy of the file without this line in gdm-password I am able to solve all of the aforementioned issues.
Operating system:
Distributor ID: Pop
Description: Pop!_OS 22.04 LTS
Release: 22.04
Codename: jammy
GNOME Shell 42.3.1
I'm not sure if this is the correct fix because i know very little about PAM and gnome in general, but i hope this will help.