Fingerprint auth should not be enabled for sudo

[benzea]

Fingerprint auth really doesn't make any sense for sudo (it is pretty harmful there). I doubt it should be enabled for anything but graphical logins.

[jamescassell]

I've definitely used it for sudo. Much better than NOPASSWD:, PITA to type password for sudo.

[benzea]

It is a bad idea. It completely breaks e.g. remoting in through ssh and it also doesn't really proof as much as a password does.

[benzea]

See https://gitlab.freedesktop.org/libfprint/fprintd/-/issues/32

[jamescassell]

Seems like we need a pam module to detect local console auth vs remote

[pbrezina]

@benzea Do you use fprintd for other services? Or you don't use it at all?

[benzea]

I don't use fingerprint authentication at all ;-)

But, if I used it, I would expect it to only work from my graphical session. And, really, I would want policy to only allow unlock if other conditions are met (such policy does not exist obviously).

[pbrezina]

@benzea You can call authselect disable-feature with-fingerprint to remove the fingerprint module, but I suppose you already know this.

I discussed this with @t8m and it looks like best option will be to modify fprintd to add a check for presence of SSH_* environments variables. I need to check if sudo won't remove this during pam authentication though.

[hadess]

It is a bad idea. It completely breaks e.g. remoting in through ssh and it also doesn't really proof as much as a password does.

That's already fixed, we check for local systemd sessions since the sd-bus port.

[pbrezina]

Sweet! @hadess Is it already released?

[hadess]

Since January this year. It's in Fedora 32 now.

[pbrezina]

Thank you. Therefore I'm inclining to close this thread since for me the issue was that sudo is delayed by fingerprint on ssh sessions.

@benzea If you feel that sudo-fingerprint support should be optional with fingerprint enabled, can you please open a thread on fedora-devel and see what the community has to say about it?