Have to scan fingerprint after entering password #61
Comments
I'm not sure if this is a bug. What is happening is that PAM is launched when you press the "Return" key. Your PAM must be configured to first request the fingerprint, so even if you write your password PAM will ignore the input and wait for the fingerprint. In a GDM this is not an issue because there are two steps. Step 1: request the user to log in. After step 1 PAM is called. But in the end, sway-lock is not a GDM; it is just a tool to lock a Wayland session. As a workaround you could:
or
or
|
I'm facing the same behavior as the one described in this issue, and I'd like to try to implement this feature. |
Would be sweet if you're still thinking about it, an important note is that fprintd will (and should) timeout, so I'm not sure how feasible this is. |
Any news on this? I'm having a hard time with swaylock after adding fingerprint auth in Gnome. |
Not sure if you read the other comments, you don't have to enter your password... When you hit enter swaylock will attempt to authenticate with pam, in this case rather than sending your password, pam will call fprintd and wait for your fingerprint to auth. So in summary, hit enter, scan finger, will unlock. Might be worth closing this issue as it doesn't seem realistic to change that behaviour, unless sway can detect your default authentication method, which seems like a security risk. Or implement a solution similar to GDM that lets you auth with both at any point. |
The current behaviour is super-unintuitive so I don’t think this issue should be closed without either making it work more intuitively or (more likely) documenting it with a howto or similar. |
Maybe you are interested in how to do the workaround mentioned by @rsansores.
So here is an elaboration: According to https://wiki.archlinux.org/title/Fprint having these 2 lines at the very top of /etc/pam.d/swaylock
will still allow you to authenticate with a password as usual. However, additionally, if you provide a blank, so just by pressing enter with no prior input, it will switch to fingerprint authentication. However, make sure that you allow blank input in the swaylock configuration for this to work. Namely delete (or comment out) Hope this helps someone. |
Another potential issue worth considering is when swaylock is used with swayidle's A workaround might be to have a separate command-line program that just spawns a layer-shell to cover the desktop before sleep, and spawns a swaylock process on any sort of activity (so we only start swaylock after resume). |
using https://frame.work with Sway on arch and I was so confused... any update / pointer to where to implement this? |
@Moelf I'm using Sway on Fedora on a Framework laptop as well. It's been about half a year without issue using @andrino-meli's comment above with @rsansores's workaround: Note that with some applications like Swaylock, you may need to first press enter to submit a blank password, then swipe your finger. |
Yeah that works for me too, I guess this issue can be closed? |
I've also been dealing with this workaround for quite some time. I think swaylock should have some logic to detect an active fingerprint reader and - for example - give some kind of "press enter to scan finger" message, as well as skipping the aforementioned foot-guns ( imo the behaviour as it stands doesn't make for good UX and should be improved upon to justify actually closing this issue, if it's closed as is I would expect new similar issues to be opened as people no longer find this one. it's been 3 years, and swaylock still doesn't support FP readers properly /shrug |
it's been 3 years, and nobody bothered submitting a patch nor doing some research on what would be required to improve swaylock /shrug |
#61 (comment) works like a charm for this 👍 |
Whilst I can unlock with my fingerprint reader, I am unclear as to what the actual method is! For instance, sometimes it'll happen instantly other times after 10 seconds. Sometimes it helps by pressing Enter once and other times twice. I have:
and no |
@tombh My guess is the fingerprint scanner is finicky and doesn't always want to recognize the finger on the first try, and there's no UI feedback about that. |
Thanks, yes that's what I thought too. But if I have |
This works fine, but there is a problem that it never tells me if I type an incorrect password, it just fails silently and password auth never works again (only fprint). |
Hello, First of all, thanks for sharing this here. It is so useful it should be added in the sway wiki. My input to this issue is this. Coming back to a wm from Gnome, I should say that having to press enter before using the scanner isn't any worse than having to open the password prompt in GDM and then use the fingerprint scanner. It's the same process actually. You press enter or space to select the user and then scan your print. BUT! It took me longer than I am willing to admit to understand what was happening. It was only after randomly trying things that I managed to unlock my session. The best thing I could hope for would be to have an option to skip pressing enter altogether and just scan the fingerprint. But if it isn't straightforward, and no-one is willing to do it, I have some other suggestions.
Fingerprint scanners are getting more common. I bet that soon they are going to be added on mainstream keyboards. I understand that the goal is not to make swaylock more complicated, but it has to be a tiny bit better in the UX department. At the very least make the issue known to the users, without bringing them here. Thanks for making my wm more secure. |
I've started to implement fingerprint functionality into swaylock. It is based on fprintd DBus service. It will always wait for finger and will not require to press any button before scanning. It already works but I need to use normal event loop and test it. https://github.com/SL-RU/swaylock-fprintd |
Fingerprint scanning works perfectly now. BUT only if the system doesn't suspend. After suspend fprintd cannot correctly wake up the device. This issue is already opened and even an MR exists: https://gitlab.freedesktop.org/libfprint/libfprint/-/merge_requests/270 Now I'll be watching its status and when it is ready I'll finish that task |
Those who are not afraid can compile and test it from #283 |
Package with fingerprint support on AUR: https://aur.archlinux.org/packages/swaylock-fprintd-git |
@SL-RU, what is your |
The default one
|
Then what configuration is needed to prompt for the fingerprint? |
Ooh, you need to add argument
|
For /etc/pam.d/swaylock I have this and it works fine.
This is for a yubikey but I am sure you can modify it to fit your requirements. Now how it works for me is I first do a password then I touch the yubikey then it opens. |
@SL-RU Your fork works perfectly! I'd love to see a bit more visual feedback (like the circle could pop up and say "scanning" or something when I place my finger on the reader), but your fork is awesome. No delays whether I use the fingerprint scanner or password, and no PAM changes needed. |
Thank you for the review @lack ! I'm glad that it works for you! 😄 Yeah, I want to add more textual feedback in next commits too. |
Does
This should work well for fingerprint-only, fingerprint+password and password-only, assuming pam does not time out sessions. The implementation won't be the nicest though, it requires a child that is blocked by the parent until the password is provided. |
PAM does not time out, but nothing stops a module from having its own timeout (like a fingerprint reader having a timeout for how long it will hang waiting for fingerprint). PAM also has no way to abort if one is hanging in an authentication call - control is only handed back during the conversation function. If a fingerprint-reading module is put before pam_unix, it means that PAM will not ask for a password until the fingerprint module fails or times out. If you want to log in with password, you must first fail fingerprint scanning, and you have to repeat that for every password attempt if you type your password wrong. PAM is not suitable for having multiple equally valid means of authentication (without hacks like spawning multiple processes with independent PAM stacks, and taking the first success). |
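A toy model of the sequential stack walk described in the comment above, as an added example that is not part of the thread and is not Linux-PAM or swaylock code. The timeout, scan time, sample password and the two stack orderings are assumptions chosen for illustration, and only the `sufficient`, `required` and `requisite` control flags are modelled.

```python
# Toy model of a PAM "auth" stack walk (illustrative; not Linux-PAM or swaylock code).
FPRINT_TIMEOUT = 30.0       # assumed: seconds the fingerprint module blocks with no finger
SCAN_TIME = 1.0             # assumed: seconds for a successful scan
PASSWORD = "correct horse"  # constructed sample secret


def fingerprint(ctx):
    """Blocks until a finger is scanned or the module's own timeout expires."""
    return (True, SCAN_TIME) if ctx["finger"] else (False, FPRINT_TIMEOUT)


def unix_password(ctx):
    """Checks the text the locker already collected; never blocks."""
    return (ctx["typed"] == PASSWORD, 0.0)


# Hypothetical stacks as (name, control flag, module), evaluated top to bottom.
FINGER_FIRST = [("fingerprint", "sufficient", fingerprint),
                ("password", "required", unix_password)]
PASSWORD_FIRST = [("password", "sufficient", unix_password),
                  ("fingerprint", "sufficient", fingerprint)]


def authenticate(stack, ctx):
    """Run modules strictly in order; return (granted, seconds_blocked, trace)."""
    blocked, required_ok, required_failed, trace = 0.0, False, False, []
    for name, control, module in stack:
        ok, cost = module(ctx)          # the caller cannot interrupt this call
        blocked += cost
        trace.append((name, ok))
        if control == "sufficient":
            if ok and not required_failed:
                return True, blocked, trace   # first sufficient success ends the walk
        elif ok:
            required_ok = True
        else:
            required_failed = True
            if control == "requisite":
                break                         # requisite failure aborts at once
    return required_ok and not required_failed, blocked, trace


if __name__ == "__main__":
    cases = [("finger first, right password, no finger", FINGER_FIRST, PASSWORD, False),
             ("finger first, wrong password, no finger", FINGER_FIRST, "oops", False),
             ("password first, right password", PASSWORD_FIRST, PASSWORD, False),
             ("password first, blank then finger", PASSWORD_FIRST, "", True),
             ("password first, wrong password, no finger", PASSWORD_FIRST, "oops", False)]
    for label, stack, typed, finger in cases:
        granted, blocked, _ = authenticate(stack, {"typed": typed, "finger": finger})
        print(f"{label}: granted={granted} after {blocked:.0f}s blocked")
```

With the fingerprint module first, a correct password is accepted only after the full assumed timeout has elapsed. With the password module first, a wrong password leaves the caller blocked inside the fingerprint module, and no failure is reported until that module returns.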
Right, fingerprint itself will time out. But I guess that my above suggestion can be put in a Any idea how other DEs work around this issue (e.g.: so as to allow approaching the device and tapping the fingerprint reader to unlock). |
If your fingerprint reader is also a physical, pressable button (like on newer Dell XPS/Inspiron series), you can remap the button to press enter, and so only one finger press is required (because the button simulates pressing enter for you). Here is an example configuration. You must have some sort of keyboard input simulation tool installed for this. This example uses To configure
will simulate pressing the enter key once. Now we add to our sway config
Note(!)
Now, you still get usual functionality from the powerkey (e.g. opening a powermenu) when the system is not locked, and when the system is locked, it will simulate pressing enter, so unlocking with the fingerprint requires only one press. PS: If your fingerprint button is the power key On my (most?) machines the fingerprint reader is on the power key. Usually the default action of the power key is to immediately turn off the machine. We don't want this, so we must inhibit the power key. You can do this in
|
I also had a suspend/resume issue. I am not sure if it is the same as yours. This was the issue I faced, and includes a solution. The issue is a
The fix is to add a polkit rule that allows all users to enroll fingerprints
I don't know what the security implications are. To me, it doesn't seem like a huge problem if users can enroll fingerprints themselves (without root permissions). I suppose some system administrators don't want some users to be able to log in with fingerprints? On personal machines, I don't see this being an issue. |
@emersion I appreciate that you do not want to merge SL-RU's fork for maintenance reasons. Would it be possible to merge the textual feedback logic? I don't understand SL-RU's entire implementation, but the feedback part (first half of the |
I'd rather not add the complexity of a D-Bus API to swaylock. |
@rrueger Helpful comment. Especially the My biggest issue was that my fingerprint scanner sometimes disappeared (not related to the suspend issue above). When that happened, I own a Thinkpad p14s gen2i with the latest firmware updates. I'm not asking for support, unless you have heard about this and remember the solution. I'm only mentioning to support my original comment:
|
On gentoo with @SL-RU 's fork, the default configuration of
In order for swaylock-fprintd to verify correctly I needed to add a polkit rule in
I am also using the default swaylock pam
I based the polkit rule on this arch wiki https://wiki.archlinux.org/title/fprint#Restrict_enrolling |
I'm getting this error both when trying to install from pacman or compile from source on Arch:
I'm not sure if it's an upstream issue (guess that would mean this repo) or not, but I have tried to install/reinstall Would like some help with this if at all possible. Thank you. |
Please discuss forks on the issue tracker of said fork, rather than here. |
Were you able to find a solution for this? Currently having the same issue with the suggested config options. Edit: The issue is actually a bit different than described. If password auth fails (which happens silently) and THEN fprint auth also fails, password auth can be retried. |
Sorry, but after some tries I went back to typed password, only. |
Currently, I choose to disable fingerprint feature using `sudo authselect disable-feature with-fingerprint` |
Hi all, I've made some progress towards addressing this in #389 using PAM natively, without DBus. It should work with the default Note that it's still not possible to authenticate with either password or fingerprint, due to the way PAM works (at least without running multiple stacks in parallel). |
I use a wrapper-script with:
```bash
#!/usr/bin/env bash
# Wrapper for swaylock
# * unlock automatically if wakeup is faster than the grace period
# * also unlock with fprintd, without the need for pam.
case "$1" in
  sleep)
    # Record when we went to sleep, then lock (swaylock blocks until unlocked).
    date +%s > "${XDG_RUNTIME_DIR}/sleeptime"
    swaylock
    # Session is unlocked: stop any fingerprint verification still waiting.
    pkill -u "${USER}" fprintd-verify
    ;;
  wakeup)
    grace_period=60
    sleeptime="$(cat "${XDG_RUNTIME_DIR}/sleeptime")"
    now="$(date +%s)"
    sleep_duration=$((now - sleeptime))
    if [ "${sleep_duration}" -lt "${grace_period}" ]; then
      # Woke up within the grace period: SIGUSR1 tells swaylock to unlock.
      pkill -u "${USER}" -SIGUSR1 swaylock
    else
      # Keep verifying the fingerprint for as long as swaylock is running.
      while pgrep -u "${USER}" swaylock; do
        fprintd-verify && pkill -u "${USER}" -SIGUSR1 swaylock
      done
    fi
    ;;
esac
```

Now I can unlock either with my finger or my password. And if I wake up my device in under 60 sec, it does not ask at all. Caveat: only works with one finger. |
Swaylock version: 1.3
OS: Arch Linux
Sway version: 1.0
Laptop: Thinkpad T540p
If I lock the screen with swaylock I have to enter the password (obviously), but after entering the correct password, it will not let me in. This is when my fingerprint reader starts showing its "scanning" light. It only lets me in when I scan my fingerprint.
The scanner doesn't start until I enter something (Not necessarily my actual password - can even press Enter) and doesn't work even if entering right password (until I scan my fingerprint).
It appears that the fingerprint scanner doesn't start automatically until a key press triggers the login process.