Bug 136853 - YaST2 Requires 2 PAM Authentications to Start
Status: RESOLVED FIXED
Alias: None
Product: SUSE LINUX 10.0
Classification: openSUSE
Component: YaST2
Version: Final
Hardware: PC SuSE Linux 10.0
: P5 - None : Enhancement
Target Milestone: ---
Assignee: Michael Calmer
QA Contact: Klaus Kämpf
Reported: 2005-12-04 17:25 UTC by Aaron Mulder
Modified: 2006-08-02 11:25 UTC
Found By: Customer
Description Aaron Mulder 2005-12-04 17:25:49 UTC
I have a ThinkPad T43p with integrated fingerprint reader.  I switched PAM to use the fingerprint reader in preference to passwords.  When I log on, stop the screen saver, or use su or sudo, I need to swipe my finger once to authenticate (the expected behavior).  When I start YaST2 or any YaST module (such as YOU from the task bar update scanner) I need to swipe my finger twice before it will start.  There are two separate prompts, and both need to be successful.  Again, YaST is the only area where this occurs for me -- all other PAM clients or whatever you call them seem to be happy with 1 swipe.

I did not previously have to enter my password twice to start YaST before I turned on the fingerprint scanner.  I can only assume the password authentication was cached for the second authentication request while the fingerprint authentication is not?

This is a little obnoxious only because the fingerprint reader driver likes to take a few seconds to display a success message after each swipe, so overall it makes for a bit of a delay before getting into YaST.
Comment 1 Michael Gross 2005-12-05 16:22:41 UTC
Please attach the y2logs here.
Comment 2 Ludwig Nussel 2005-12-05 17:15:07 UTC
Not a yast problem. I suppose yast is started via kdesu. You will get the same behavior with anything started via kdesu, right?

Do we actually ship a pam module to drive the fingerprint scanner?
Comment 3 Aaron Mulder 2005-12-05 17:29:05 UTC
I don't know what kdesu is.  How can I try starting something else with kdesu to confirm?

Here are some variations on the YaST2 behavior:

1) The update scanner says there are updates available.  I pop up its dialog and click the button to launch online update.  I have to swipe my finger twice before the YOU GUI window appears.

2) I click the main KDE "start" menu, and then the YaST2 icon.  I have to swipe my finger twice before the main YaST GUI window appears.

3) I open a regular konsole terminal and type "yast2".  The YaST2 GUI appears immediately, but with nothing except "Media Check" in it.  Weird, I thought this used to prompt for root and come up with everything, but I'm not sure how recently (e.g. what SuSE version) I last tried it with.

4) I open a regular konsole terminal and type "you".  I only have to swipe my finger once before the YOU window comes up.

The PAM module is not included with SuSE 10 -- I got the install procedure from here: http://thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader -- it would be brilliant if that got rolled into SuSE somehow.  :)  There are still some usability issues outside of this one that we'd want to address, but one issue at a time.
Comment 4 Ludwig Nussel 2005-12-06 10:06:54 UTC
kdesu xterm
Comment 5 Michael Gross 2005-12-06 15:14:23 UTC
Sorry, Ludwig, it's quite obviously not a YaST problem ;)

Aaron: To subcomment 3) of comment #3: This is strange, normally as a non root user yast2 is not on the path and shouldn't be able to be called from the shell at all without using sudo or something like that. And on my machine, this is the way it is.

To the PAM-Module itself: Please _always_ mention the little detail that we're talking about a non-official package, because we cannot support them of course, as there is no maintainer I could ask to do so. But don't be worried: I think this would be a great enhancement to implement.

Therefore I will reassign this bug to the PAM maintainer and make this an enhancement. Stefan: What do you think about adding this module - it appears to work quite well.
Comment 6 Aaron Mulder 2005-12-06 15:33:53 UTC
I tried "kdesu xterm", and I did indeed need to swipe my finger twice, and then the xterm came up.  So it sounds like this may be the issue.  (I assume the KDE menu item for YaST also uses 'kdesu'?).

Anyway, to answer Michael's issues: I added /sbin to my path so I could run "ifconfig" and things more conveniently, which is why I can just run "yast2".  Also, sorry for not mentioning this is an unsupported module.  For what it's worth, it *does* work pretty well, but there was one patch that needed to be applied to the bioapi or something along the way -- the whole procedure is documented at http://thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader and I can certainly share my experience or whatever.  Thanks.
Comment 7 Michael Gross 2005-12-06 15:40:35 UTC
Aaron: If you changed something from the default, you should also mention it ;) Of course running YaST2 as a normal user will only show you those modules which do not require root privileges, which is atm just `media check' - so this is perfectly normal behaviour of YaST.

We'll wait for a comment from Stefan here. If the module can be added, we will also look into the problem with kdesu.
Comment 8 Ludwig Nussel 2005-12-06 15:52:14 UTC
The kdesu problem is already known and will be addressed in the future.

Wrt the howto. If you follow the outlined procedure your system will certainly not be more secure. The fingerprint sensor driver is binary only, may run in setuid root context and opens X windows => don't ever try to include that in the distro.
Comment 9 Aaron Mulder 2005-12-06 16:04:49 UTC
Glad to hear about the impending kdesu fix.

The fingerprint setup is definitely about convenience more than security -- as configured, even if the finger swipe fails, it falls back to password auth.  But it's nicer to have a super-complex password and use your finger as primary authentication compared to just having to type your super-complex password every time.

As far as the refusal to ever include this feature in the distro, I have to say I'm a little disappointed.  The distro includes a lot of binary-only code and drivers, from 3D to Java to Wireless LAN.  I'll grant it's a little riskier for a PAM module, but the user has to go out of their way to enable this module anyway, so it's clearly a conscious decision they make.  I'm totally comfortable making the decision to enable this for my laptop, just like I decided to use the open source ATI driver instead of the binary one.  Why should you force that decision on me?  The message I get is "if you want to use a hardware feature you paid for, install Windows or find a more accommodating distribution."  Red Hat's identical position WRT the binary NVidia drivers is in part why I'm using SuSE today.  I hope you'll reconsider.  Thanks.
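
Added example, not part of the original bug thread: a simplified Python model of how Linux-PAM control flags decide an `auth` stack, applied to the fingerprint-with-password-fallback setup described in Comment 9 and contrasted with a stack that requires both factors. The module name `pam_fingerprint_example.so` and both stacks are constructed for illustration; the thread does not show the reporter's actual PAM configuration.

```python
# Simplified model of Linux-PAM "auth" stack evaluation (control flags only).
# Module name pam_fingerprint_example.so and both stacks are constructed.

FALLBACK_STACK = """
auth sufficient pam_fingerprint_example.so   # swipe alone is enough
auth required   pam_unix.so                  # otherwise ask for the password
"""

TWO_FACTOR_STACK = """
auth required pam_fingerprint_example.so
auth required pam_unix.so
"""

def parse_stack(text):
    """Return [(control, module)] for every 'auth' line, skipping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            entries.append((fields[1], fields[2]))
    return entries

def authenticate(stack_text, outcomes):
    """outcomes maps module name -> True (succeeded) or False (failed).
    Returns (granted, modules_consulted)."""
    required_failed = False
    any_success = False
    consulted = []
    for control, module in parse_stack(stack_text):
        consulted.append(module)
        ok = outcomes[module]
        if control == "sufficient":
            if ok and not required_failed:
                return True, consulted   # stop here; later modules never run
            # a failed 'sufficient' module is ignored
        elif control == "requisite":
            if not ok:
                return False, consulted  # fail immediately
            any_success = True
        elif control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True   # keep going, but the stack will fail
        elif control == "optional":
            any_success = any_success or ok
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return (any_success and not required_failed), consulted
```

With the fallback stack, either factor alone grants access, so the account is as strong as the weaker of the two; only the second stack makes the fingerprint an additional requirement.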
Comment 11 Michael Calmer 2006-08-02 11:25:37 UTC
This is now in the feature tracking tool. I will close this Bug as fixed.