Login to KDE requires both password and fingerprint

I have enabled fingerprint authentication and it works well except one thing. In order to log in to KDE I have to provide BOTH password and fingerprint. First I type in the correct password and than it asks for fingerprint. Which is a serious problem, because if the fingerprint is not available I cannot log in. For unlocking the screen it is enough to provide either password or fingerprint.

I have followed this description: SDB:Using fingerprint authentication - openSUSE Wiki

How can I disable this behavior?

You forgot to describe what you did. Which files you changed, what is the content of these files.

Sorry. I have registered my fingerprints and used

sudo pam-config --update --fprintd

as described on the linked page. Nothing else modified by me.

This configures pam_fprintd as sufficient before pam_unix:

auth    sufficient      pam_fprintd.so
auth    required        pam_unix.so     try_first_pass

So, it should first wait for fingerprint and if that fails ask for password. If you observe different behavior, your PAM service may not be using common-auth. What do you use to log in (which Display Manager)?

I use SDDM. It is a 1 month old updated standard TW installation.

My common-auth is

auth	required	pam_env.so	
auth	sufficient	pam_fprintd.so	
auth	optional	pam_kwallet5.so
auth	required	pam_unix.so	try_first_pass

Show

cat /usr/lib/pam.d/sddm
cat /etc/pam.d/sddm

/usr/lib/pam.d/sddm:

#%PAM-1.0
auth     requisite      pam_nologin.so
auth     substack       common-auth
account  substack       common-account
account  include        postlogin-account
password substack       common-password
password include        postlogin-password
session  required       pam_loginuid.so
session  optional       pam_keyinit.so revoke force
session  substack       common-session
session  include        postlogin-session

There is no /etc/pam.d/sddm

Well, are you sure you cannot login without fingerprint? Yes, you cannot skip attempt to use it, but it should timeout after 30 seconds.

You are right, it times out. Thanks for pointing to this.

However this is totally inconvenient. What is the reason for this? Is it because PAM can only think sequentially? So since fingerprint precedes password PAM waits for it even if password is given. Is it possible to set these as alternatives?

Parallel or “any” PAM modules · Issue #301 · linux-pam/linux-pam · GitHub

use fingerprint and password at same time by Sasasu · Pull Request #1220 · sddm/sddm · GitHub

You could try GDM. It implements concurrent PAM stacks and supports password, fingerprint and smartcard in parallel.

Thanks, so it is a long standing problem of SDDM.

I will try GDM, thanks for the suggestion.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.