[Bug 1207788] New: gdm (fingerprint?): no password prompt, impossible to login
https://bugzilla.suse.com/show_bug.cgi?id=1207788

Bug ID: 1207788
Summary: gdm (fingerprint?): no password prompt, impossible to login
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.4
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: GNOME
Assignee: gnome-bugs@suse.de
Reporter: martin.wilck@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 864639
  --> https://bugzilla.suse.com/attachment.cgi?id=864639&action=edit
video of failed login attempts

After boot, or after logout, it's impossible to log in because the password prompt is closed after a few milliseconds.

- user clicks on name
- password / fingerprint prompt appears, but vanishes almost immediately
- user selection is displayed again

The attached video demonstrates the effect.

The issue "goes away" after waiting a few minutes. I haven't been able to figure out exactly when this happens, or what condition needs to be fulfilled for it to happen.

I have not seen this issue after locking the session, only when creating a new session.

Note that this bug is *not* about unreliable fingerprint detection; that's also an issue but I have realized that that's unlikely to be ever solved.

The issue reported here hasn't always been observed. I think I first saw it a month ago or so. Can't tell exactly.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c1

Alynx Zhou <alynx.zhou@suse.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |alynx.zhou@suse.com

--- Comment #1 from Alynx Zhou <alynx.zhou@suse.com> ---
Hi, I see you are using Leap, could you please try to install another Tumbleweed and see whether this still happens? We didn't have a correct PAM config for fingerprint login until I recently added one to Tumbleweed. If Tumbleweed works for you, I could also add it to Leap.

Also, does this only happen recently, or always on this device? I think gdm fingerprint login never works on Leap.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c2

--- Comment #2 from Alynx Zhou <alynx.zhou@suse.com> ---
Or, instead of installing Tumbleweed, you may back up your `/usr/etc/pam.d/gdm-fingerprint`, and use the content of this file <https://build.opensuse.org/package/view_file/GNOME:Factory/gdm/gdm-fingerprint.pamd?expand=1> to replace its content, and restart to see whether it works.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c3

--- Comment #3 from Alynx Zhou <alynx.zhou@suse.com> ---
I don't remember where we install this file, it may also be `/usr/lib/pam.d/gdm-fingerprint`, anyway just replace it with the content from the link and reboot.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c4

--- Comment #4 from Martin Wilck <martin.wilck@suse.com> ---
Created attachment 864640
  --> https://bugzilla.suse.com/attachment.cgi?id=864640&action=edit
journal

Relevant pieces in the log:

Jan 29 21:48:14 ares.mittagstun.de dbus-daemon[1734]: [system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service' requested by ':1.25' (uid=460 pid=2752 comm="/usr/bin/gnome-shell ")
Jan 29 21:48:14 ares.mittagstun.de fprintd[3222]: Device responded with error: 789 retry: 1
Jan 29 21:48:17 ares.mittagstun.de gdm-fingerprint][3354]: pam_warn(gdm-fingerprint:auth): function=[pam_sm_authenticate] flags=0 service=[gdm-fingerprint] terminal=[/dev/tty7] user=[martin] ruser=[<unknown>] rhost=[<unknown>]
...

fprintd is started, lots of pam_sm_authenticate messages. I *think* this corresponds to the issue occurring after boot (it's not the scene I recorded in the video).

Jan 29 21:49:06 ares.mittagstun.de systemd[1]: fprintd.service: Deactivated successfully.
Jan 29 21:49:17 ares.mittagstun.de dbus-daemon[1734]: [system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service' requested by ':1.82' (uid=0 pid=3456 comm="/bin/login -p -- ")
Jan 29 21:49:19 ares.mittagstun.de systemd-logind[2596]: New session 2 of user martin.

I switched to console 2 and logged in successfully. Tried some commands on the console. I don't think they made a difference.

Jan 29 21:49:55 ares.mittagstun.de systemd[1]: fprintd.service: Deactivated successfully.
Jan 29 21:50:34 ares.mittagstun.de dbus-daemon[1734]: [system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service' requested by ':1.25' (uid=460 pid=2752 comm="/usr/bin/gnome-shell ")
Jan 29 21:50:40 ares.mittagstun.de systemd-logind[2596]: New session 4 of user martin.
Jan 29 21:50:40 ares.mittagstun.de systemd[1]: Started Session 4 of User martin.
Jan 29 21:50:40 ares.mittagstun.de gdm-password][3896]: pam_unix(gdm-password:session): session opened for user martin by (uid=0)

Now the graphical login worked. Fingerprint authentication did not (it's usually about 50:50 on this system), but I was able to log in using my password.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c5

--- Comment #5 from Martin Wilck <martin.wilck@suse.com> ---
(In reply to Alynx Zhou from comment #1)
> Hi, I see you are using Leap, could you please try to install another Tumbleweed and see whether this still happens? We didn't have a correct PAM config for fingerprint login until I recently added one to Tumbleweed. If Tumbleweed works for you, I could also add it to Leap.

That's not so easy, as this is my primary workstation. At least it will take time. Would it be possible to just pull in some fixed package(s) on Leap?

> Also, does this only happen recently, or always on this device? I think gdm fingerprint login never works on Leap.

As I said, this is a new phenomenon. gdm fingerprint did work for me, on both Leap 15.3 and 15.4, on this system. I basically just installed and enabled fprintd, enrolled my fingerprint, and ran "pam-config -a --fprintd".

The fingerprint detection itself is much less reliable than I am used to e.g. from Android devices, but it's not unusable. I did observe some strange effects in the past:

1. The fact that the password prompt is displayed makes you think that you could use either method for logging in, but it seems that (sometimes at least) password login only becomes possible after a certain number (3?) of fprint detection failures
2. sometimes, if fingerprint detection fails a few times in a row, the display gets slightly garbled, but it's normally possible to log in with password

These were annoying, but by far not as destructive as the bug reported here.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c6

--- Comment #6 from Martin Wilck <martin.wilck@suse.com> ---
> I did observe some strange effects in the past:

3. the fingerprint detection reliability seems to "deteriorate" over time. Once in a while, I need to re-enroll my fingerprint, which then improves reliability. I am not sure if that makes any sense, but it's what I experienced.

Fingerprint reader device is:

Bus 006 Device 003: ID 06cb:00bd Synaptics, Inc. Prometheus MIS Touch Fingerprint Reader
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c7

--- Comment #7 from Alynx Zhou <alynx.zhou@suse.com> ---
(In reply to Martin Wilck from comment #5)
> (In reply to Alynx Zhou from comment #1)
> > Hi, I see you are using Leap, could you please try to install another Tumbleweed and see whether this still happens? We didn't have a correct PAM config for fingerprint login until I recently added one to Tumbleweed. If Tumbleweed works for you, I could also add it to Leap.
>
> That's not so easy, as this is my primary workstation. At least it will take time. Would it be possible to just pull in some fixed package(s) on Leap?

Then please try my other comments about manually editing the `gdm-fingerprint` PAM file.

> > Also, does this only happen recently, or always on this device? I think gdm fingerprint login never works on Leap.
>
> As I said, this is a new phenomenon. gdm fingerprint did work for me, on both Leap 15.3 and 15.4, on this system. I basically just installed and enabled fprintd, enrolled my fingerprint, and ran "pam-config -a --fprintd".

I see, that's because we don't have a PAM config with fprintd, so you have to manually add it.

> The fingerprint detection itself is much less reliable than I am used to e.g. from Android devices, but it's not unusable. I did observe some strange effects in the past:
>
> 1. The fact that the password prompt is displayed makes you think that you could use either method for logging in, but it seems that (sometimes at least) password login only becomes possible after a certain number (3?) of fprint detection failures

Actually GDM supports running different PAM configs in parallel, but because we don't have a proper config for fingerprint, they disabled this feature. I've added the config and enabled the feature, but only in Tumbleweed currently.

> 2. sometimes, if fingerprint detection fails a few times in a row, the display gets slightly garbled, but it's normally possible to log in with password
>
> These were annoying, but by far not as destructive as the bug reported here.

I'll try to branch and make a Leap package now.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c8

--- Comment #8 from Martin Wilck <martin.wilck@suse.com> ---
(In reply to Alynx Zhou from comment #2)
> Or, instead of installing Tumbleweed, you may back up your `/usr/etc/pam.d/gdm-fingerprint`, and use the content of this file <https://build.opensuse.org/package/view_file/GNOME:Factory/gdm/gdm-fingerprint.pamd?expand=1> to replace its content, and restart to see whether it works.

I don't have /etc/pam.d/gdm-fingerprint at all. I just have "gdm".

Am I correct that pam_fprintd.so should be deleted from "/etc/pam.d/gdm" if I do this?
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c9

--- Comment #9 from Martin Wilck <martin.wilck@suse.com> ---
I just created the "gdm-fingerprint" file with the content you proposed, and the problem did not occur. I was even able to log in with fingerprint.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c10

--- Comment #10 from Alynx Zhou <alynx.zhou@suse.com> ---
https://build.opensuse.org/package/show/home:AZhou:branches:GNOME:STABLE:41/...

I just did the same as Tumbleweed for this package, but I think you already modified your PAM files correctly and it works :-), let me submit those changes to Leap later.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c11

--- Comment #11 from Martin Wilck <martin.wilck@suse.com> ---
Repeated, problem again did not occur.

current /etc/pam.d/gdm looks like this:

#%PAM-1.0
# GDM PAM standard configuration (with passwords)
auth     requisite  pam_nologin.so
auth     include    common-auth
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
session  optional   pam_keyinit.so force revoke
session  include    common-session

And common-auth looks like this:

auth required   pam_env.so
auth sufficient pam_fprintd.so
auth optional   pam_gnome_keyring.so
auth required   pam_unix.so try_first_pass

/etc/pam.d/fingerprint is from comment 2.

Fingerprint auth worked, but the password input field did not.

If I removed "pam_fprintd.so" from common-auth, I wouldn't be able to use fprint for console login. How should I set up "gdm"?
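
The include chain quoted in comment 11 can be expanded mechanically to see the order in which the `gdm` service consults its auth modules. The following Python script is an added example, not part of the bug thread or of any openSUSE package; the file contents are the two files quoted in comment 11, and the function names are made up for this illustration.

```python
import re

# The two files quoted in comment 11, keyed by PAM service name.
PAM_FILES = {
    "gdm": """\
#%PAM-1.0
# GDM PAM standard configuration (with passwords)
auth     requisite  pam_nologin.so
auth     include    common-auth
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
session  optional   pam_keyinit.so force revoke
session  include    common-session
""",
    "common-auth": """\
auth required   pam_env.so
auth sufficient pam_fprintd.so
auth optional   pam_gnome_keyring.so
auth required   pam_unix.so try_first_pass
""",
}

# type, control (plain word or [bracketed] form), module, optional arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse(text):
    """Yield (type, control, module, args) for each rule, skipping comments."""
    for raw in text.splitlines():
        match = RULE.match(raw.split("#", 1)[0].strip())
        if match:
            yield match.groups()


def effective_stack(service, kind, files, seen=()):
    """Expand include/substack lines; return [(origin, control, module, args)]."""
    if service in seen:
        raise ValueError("include loop: " + " -> ".join(seen + (service,)))
    stack = []
    for typ, control, module, args in parse(files.get(service, "")):
        if typ != kind:
            continue
        if control in ("include", "substack"):
            stack += effective_stack(module, kind, files, seen + (service,))
        else:
            stack.append((service, control, module, args))
    return stack


def service_file(service, files):
    """Linux-PAM uses the 'other' service when a service has no file of its own."""
    return service if service in files else "other"


def fingerprint_before_password(service, files):
    """Return pam_fprintd.so entries that are consulted ahead of pam_unix.so."""
    stack = effective_stack(service_file(service, files), "auth", files)
    modules = [module for _, _, module, _ in stack]
    if "pam_unix.so" not in modules:
        return []
    ahead = stack[: modules.index("pam_unix.so")]
    return [(o, c, m) for o, c, m, _ in ahead if m == "pam_fprintd.so"]


if __name__ == "__main__":
    for origin, control, module, args in effective_stack("gdm", "auth", PAM_FILES):
        print(f"{origin:12} {control:10} {module} {args}".rstrip())
    print(fingerprint_before_password("gdm", PAM_FILES))
    print(service_file("gdm-fingerprint", PAM_FILES))
```

With these two files the single `gdm` service reaches `pam_fprintd.so` (control `sufficient`) before `pam_unix.so`, and a `gdm-fingerprint` service with no file of its own resolves to `other`.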
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c12

--- Comment #12 from Alynx Zhou <alynx.zhou@suse.com> ---
(In reply to Martin Wilck from comment #11)
> Repeated, problem again did not occur.
>
> current /etc/pam.d/gdm looks like this:
>
> #%PAM-1.0
> # GDM PAM standard configuration (with passwords)
> auth     requisite  pam_nologin.so
> auth     include    common-auth
> account  include    common-account
> password include    common-password
> session  required   pam_loginuid.so
> session  optional   pam_keyinit.so force revoke
> session  include    common-session
>
> And common-auth looks like this:
>
> auth required   pam_env.so
> auth sufficient pam_fprintd.so
> auth optional   pam_gnome_keyring.so
> auth required   pam_unix.so try_first_pass
>
> /etc/pam.d/fingerprint is from comment 2.
>
> Fingerprint auth worked, but the password input field did not.

Could you please try my package in <https://bugzilla.suse.com/show_bug.cgi?id=1207788#c10>? It enables split-authentication, and should make both fingerprint and password entry work.

> If I removed "pam_fprintd.so" from common-auth, I wouldn't be able to use fprint for console login. How should I set up "gdm"?

Well, I only know about gdm's pam config, I am not sure how to make tty and gdm both have fingerprint login, but anyway let's try to make GDM work first.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c13

Martin Wilck <martin.wilck@suse.com> changed:

What  |Removed |Added
----------------------------------------------------------------------------
Flags |        |needinfo?(alynx.zhou@suse.com)

--- Comment #13 from Martin Wilck <martin.wilck@suse.com> ---
(In reply to Alynx Zhou from comment #12)
> Could you please try my package in <https://bugzilla.suse.com/show_bug.cgi?id=1207788#c10>? It enables split-authentication, and should make both fingerprint and password entry work.

Do I need to undo my manual configuration changes first?
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c14

Alynx Zhou <alynx.zhou@suse.com> changed:

What  |Removed                        |Added
----------------------------------------------------------------------------
Flags |needinfo?(alynx.zhou@suse.com) |

--- Comment #14 from Alynx Zhou <alynx.zhou@suse.com> ---
(In reply to Martin Wilck from comment #13)
> (In reply to Alynx Zhou from comment #12)
> > Could you please try my package in <https://bugzilla.suse.com/show_bug.cgi?id=1207788#c10>? It enables split-authentication, and should make both fingerprint and password entry work.
>
> Do I need to undo my manual configuration changes first?

Yes, I suggest doing so.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c15

Yifan Jiang <yfjiang@suse.com> changed:

What     |Removed            |Added
----------------------------------------------------------------------------
CC       |                   |gnome-bugs@suse.de, yfjiang@suse.com, zcjia@suse.com
Assignee |gnome-bugs@suse.de |alynx.zhou@suse.com
Flags    |                   |needinfo?(zcjia@suse.com)

--- Comment #15 from Yifan Jiang <yfjiang@suse.com> ---
Put it in Alynx's queue.

@Zhaocong, when you have time, can you try the steps in Martin's reproducing video on SLE-15-SP5 (or the latest SLE-15-SP4 Update). We may wonder if this was caused by the mass GNOME update, although gdm was not heavily touched.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c16

--- Comment #16 from Martin Wilck <martin.wilck@suse.com> ---
(In reply to Alynx Zhou from comment #12)
> Could you please try my package in <https://bugzilla.suse.com/show_bug.cgi?id=1207788#c10>? It enables split-authentication, and should make both fingerprint and password entry work.

This package works very nicely for me. Both fingerprint and password authentication work. The effect reported in this bug hasn't been observed any more.

Great work!
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c17

--- Comment #17 from Alynx Zhou <alynx.zhou@suse.com> ---
(In reply to Martin Wilck from comment #16)
> (In reply to Alynx Zhou from comment #12)
> > Could you please try my package in <https://bugzilla.suse.com/show_bug.cgi?id=1207788#c10>? It enables split-authentication, and should make both fingerprint and password entry work.
>
> This package works very nicely for me. Both fingerprint and password authentication work. The effect reported in this bug hasn't been observed any more. Great work!

Then I could submit it to Leap tomorrow with no worry, thanks!
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c18

Jia Zhaocong <zcjia@suse.com> changed:

What  |Removed                   |Added
----------------------------------------------------------------------------
Flags |needinfo?(zcjia@suse.com) |

--- Comment #18 from Jia Zhaocong <zcjia@suse.com> ---
(In reply to Yifan Jiang from comment #15)
> Put it in Alynx's queue.
>
> @Zhaocong, when you have time, can you try the steps in Martin's reproducing video on SLE-15-SP5 (or the latest SLE-15-SP4 Update). We may wonder if this was caused by the mass GNOME update, although gdm was not heavily touched.

Hi Yifan, I don't have hardware to test fingerprint unlocking on my side.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c19

--- Comment #19 from Alynx Zhou <alynx.zhou@suse.com> ---
(In reply to Jia Zhaocong from comment #18)
> (In reply to Yifan Jiang from comment #15)
> > Put it in Alynx's queue.
> >
> > @Zhaocong, when you have time, can you try the steps in Martin's reproducing video on SLE-15-SP5 (or the latest SLE-15-SP4 Update). We may wonder if this was caused by the mass GNOME update, although gdm was not heavily touched.
>
> Hi Yifan, I don't have hardware to test fingerprint unlocking on my side.

Maybe I could transfer the old ThinkPad to you, I'm already done with it currently.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c20

--- Comment #20 from Yifan Jiang <yfjiang@suse.com> ---
(In reply to Jia Zhaocong from comment #18)
> (In reply to Yifan Jiang from comment #15)
> > Put it in Alynx's queue.
> >
> > @Zhaocong, when you have time, can you try the steps in Martin's reproducing video on SLE-15-SP5 (or the latest SLE-15-SP4 Update). We may wonder if this was caused by the mass GNOME update, although gdm was not heavily touched.
>
> Hi Yifan, I don't have hardware to test fingerprint unlocking on my side.

Understood, I was more concerned if it is a general intermittent issue on a physical laptop even without a fingerprint module.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c21

--- Comment #21 from Martin Wilck <martin.wilck@suse.com> ---
(In reply to Yifan Jiang from comment #20)
> Understood, I was more concerned if it is a general intermittent issue on a physical laptop even without a fingerprint module.

Not sure if it matters to you, but I have never seen this happen on any system except on this one, which has fingerprint enabled.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c22

--- Comment #22 from Yifan Jiang <yfjiang@suse.com> ---
(In reply to Martin Wilck from comment #21)
> (In reply to Yifan Jiang from comment #20)
> > Understood, I was more concerned if it is a general intermittent issue on a physical laptop even without a fingerprint module.
>
> Not sure if it matters to you, but I have never seen this happen on any system except on this one, which has fingerprint enabled.

Absolutely useful information, thank you Martin! With that, I feel we are safe on regular hardware/vm without fingerprint since we neither received a similar issue report in 15SP4 maintenance testing, nor did we ever see any similar testing failure on 15SP5.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c23

--- Comment #23 from Martin Wilck <martin.wilck@suse.com> ---
We should test the package from comment 12 on "normal" systems without fingerprint, but I am sure you'll be doing this anyway.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c24

--- Comment #24 from Alynx Zhou <alynx.zhou@suse.com> ---
https://build.opensuse.org/request/show/1063539
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c25

--- Comment #25 from Alynx Zhou <alynx.zhou@suse.com> ---
https://build.suse.de/request/show/289634
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c26

Alynx Zhou <alynx.zhou@suse.com> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |---     |FIXED

--- Comment #26 from Alynx Zhou <alynx.zhou@suse.com> ---
I think we now have working fingerprint in Leap/Tumbleweed, so close this.
https://bugzilla.suse.com/show_bug.cgi?id=1207788#c27

--- Comment #27 from Martin Wilck <martin.wilck@suse.com> ---
AFAICS it's being processed in https://smelt.suse.de/incident/27883/ but not released yet.